Skip Menu |

This queue is for tickets about the Parse-Syslog-Line CPAN distribution.

Report information
The Basics
Id: 86512
Status: resolved
Priority: 0/
Queue: Parse-Syslog-Line
People
Owner: brad [...] divisionbyzero.net
Requestors: abraxxa [...] cpan.org
Cc:
AdminCc:
Bug Information
Severity: Important
Broken in: 1.5
Fixed in: 1.6

History Show all quoted text
  Fri Jun 28 05:21:37 2013 abraxxa [...] cpan.org - Ticket created
Subject: support more syslog formats
After switching Message::Passing::Input::Syslog to Parse::Syslog::Line instead of parsing the syslogs myself, I found that some messages aren't fully parsed in regard to the program_ fields. This are two example formats, note the additional ': ' between hostname and program in the second message which isn't parsed correctly: # Cisco ASA firewall without 'logging device-id hostname' # <163>Jun 7 18:39:00 hostname.domain.tld %ASA-3-313001: Denied ICMP type=5, code=1 from 1.2.3.4 on interface inside # Cisco ASA firewall with 'logging device-id hostname' or 'logging device-id string $hostname' # <161>Jun 7 18:39:00 hostname : %ASA-3-313001: Denied ICMP type=5, code=1 from 1.2.3.4 on interface inside So far the priority and datetime parsing succeeds for the log formats I've encountered, only the program parsing fails for some. It might be a good idea to make the parsing of the parts configurable.
  Fri Jun 28 08:00:20 2013 brad [...] divisionbyzero.net - Status changed from 'new' to 'open'
  Fri Jun 28 08:00:21 2013 brad [...] divisionbyzero.net - Taken
  Fri Jun 28 08:00:21 2013 brad [...] divisionbyzero.net - Severity Wishlist changed to Important
  Fri Jun 28 08:01:28 2013 brad [...] divisionbyzero.net - Correspondence added
Thanks for including the log samples. I'll add them to the test suite and cover them in the module. Expect 1.5 to address these by next week sometime. On Fri Jun 28 05:21:37 2013, ABRAXXA wrote: Show quoted text
> After switching Message::Passing::Input::Syslog to Parse::Syslog::Line > instead of parsing the syslogs myself, I found that some messages > aren't fully parsed in regard to the program_ fields. > > This are two example formats, note the additional ': ' between > hostname and program in the second message which isn't parsed > correctly: > > # Cisco ASA firewall without 'logging device-id hostname' > # <163>Jun 7 18:39:00 hostname.domain.tld %ASA-3-313001: Denied ICMP > type=5, code=1 from 1.2.3.4 on interface inside > # Cisco ASA firewall with 'logging device-id hostname' or 'logging > device-id string $hostname' > # <161>Jun 7 18:39:00 hostname : %ASA-3-313001: Denied ICMP type=5, > code=1 from 1.2.3.4 on interface inside > > So far the priority and datetime parsing succeeds for the log formats > I've encountered, only the program parsing fails for some. > It might be a good idea to make the parsing of the parts configurable.
  Thu Jul 11 17:57:15 2013 brad [...] divisionbyzero.net - Correspondence added
These lines were added to the test suite. They pass along with the rest of the test suite. On Fri Jun 28 08:01:28 2013, BLHOTSKY wrote: Show quoted text
> Thanks for including the log samples. I'll add them to the test suite > and cover them in the module. Expect 1.5 to address these by next > week sometime. > > On Fri Jun 28 05:21:37 2013, ABRAXXA wrote:
> > After switching Message::Passing::Input::Syslog to
> Parse::Syslog::Line
> > instead of parsing the syslogs myself, I found that some messages > > aren't fully parsed in regard to the program_ fields. > > > > This are two example formats, note the additional ': ' between > > hostname and program in the second message which isn't parsed > > correctly: > > > > # Cisco ASA firewall without 'logging device-id hostname' > > # <163>Jun 7 18:39:00 hostname.domain.tld %ASA-3-313001: Denied ICMP > > type=5, code=1 from 1.2.3.4 on interface inside > > # Cisco ASA firewall with 'logging device-id hostname' or 'logging > > device-id string $hostname' > > # <161>Jun 7 18:39:00 hostname : %ASA-3-313001: Denied ICMP type=5, > > code=1 from 1.2.3.4 on interface inside > > > > So far the priority and datetime parsing succeeds for the log
> formats
> > I've encountered, only the program parsing fails for some. > > It might be a good idea to make the parsing of the parts
> configurable. > >
  Thu Jul 11 17:57:16 2013 brad [...] divisionbyzero.net - Status changed from 'open' to 'resolved'
  Thu Jul 11 17:57:16 2013 brad [...] divisionbyzero.net - Fixed in 1.5 added
  Fri Jul 12 05:12:32 2013 abraxxa [...] cpan.org - Correspondence added
Thanks for the quick new release! It seems you have a bug when parsing the format you called 'Cisco ASA Alt' in t/01-parse.t: program_name isn't filled with '%ASA-3-313001'.
  Fri Jul 12 05:12:32 2013 abraxxa [...] cpan.org - Status changed from 'resolved' to 'open'
  Fri Jul 12 17:12:37 2013 brad [...] divisionbyzero.net - Correspondence added
You are correct! Fixed in 1.6 which I just pushed to the CPAN. On Fri Jul 12 05:12:32 2013, ABRAXXA wrote: Show quoted text
> Thanks for the quick new release! > It seems you have a bug when parsing the format you called 'Cisco ASA > Alt' in t/01-parse.t: program_name isn't filled with '%ASA-3-313001'.
  Sat Jul 13 07:52:13 2013 brad [...] divisionbyzero.net - Status changed from 'open' to 'resolved'
  Sat Jul 13 07:52:14 2013 brad [...] divisionbyzero.net - Fixed in 1.6 added
  Sat Jul 13 07:52:14 2013 brad [...] divisionbyzero.net - Fixed in 1.5 deleted
  Sat Jul 13 07:52:14 2013 brad [...] divisionbyzero.net - Broken in 1.5 added
  Sat Jul 13 07:52:14 2013 brad [...] divisionbyzero.net - Broken in 1.4 deleted