
Incomplete RFC3164 header for remote logging #33

@vaygr

I bumped into this issue when I decided to test log shipping to fluent-bit. It seems metalog doesn't really comply with the default RFC3164 syntax parser, which is this:

^\<(?<pri>[0-9]+)\>(?<time>[^ ]* {1,2}[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$

But metalog sends just the last 2 bits, which are ident and message, for example:

[rsyncd] module-list request from UNDETERMINED (127.0.0.1)

As confirmed by this tcpdump:

 00:00:00.000084 AF IPv4 (2), length 91: 10.10.0.4.55797 > 10.10.0.2.4514: UDP, length 59
 E..W].@.@...
 ..
 .......C.F[rsyncd] module-list request from UNDETERMINED (127.0.0.1)

Thankfully I can just customize the parser, but the original timestamp and host would be really helpful in a multi-host environment. The former is also very important forensics-wise. To quote RFC3164#4.2:

   There are no set requirements on the contents of the syslog packet as
   it is originally sent from a device.  It should be reiterated here
   that the payload of any IP packet destined to UDP port 514 MUST be
   considered to be a valid syslog message.  It is, however, RECOMMENDED
   that the syslog packet have all of the parts described in Section 4.1
   - PRI, HEADER and MSG - as this enhances readability by the recipient
   and eliminates the need for a relay to modify the message.
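The parsing gap described above, as an added example that is not part of the original issue and not code from metalog or fluent-bit: fluent-bit's default RFC3164 regex (translated to Python's named-group syntax, pattern otherwise unchanged) is run against the bare "[ident] message" payload seen in the capture, then against the same payload re-emitted with the PRI and HEADER parts the RFC recommends. The facility/severity defaults (daemon, informational), the hostname `host1`, the timestamp and the `wrap_metalog_payload` helper are all assumptions made for the example; metalog's bare payload carries none of that, which is exactly the point.

```python
import re
from datetime import datetime

# fluent-bit's default RFC3164 parser regex as quoted in the issue, with
# (?<name>...) rewritten as Python's (?P<name>...); the pattern is otherwise the same.
FLUENTBIT_SYSLOG_RFC3164 = re.compile(
    r"^\<(?P<pri>[0-9]+)\>(?P<time>[^ ]* {1,2}[^ ]* [^ ]*) (?P<host>[^ ]*) "
    r"(?P<ident>[a-zA-Z0-9_\/\.\-]*)(?:\[(?P<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?P<message>.*)$"
)

# Shape of what metalog actually puts on the wire according to the tcpdump: "[ident] message".
METALOG_PAYLOAD = re.compile(r"^\[(?P<ident>[^\]]+)\] (?P<message>.*)$")

# Constructed sample input: the exact UDP payload from the issue's capture, plus an
# assumed receive time used to build the header (the packet itself carries no timestamp).
METALOG_SAMPLE = "[rsyncd] module-list request from UNDETERMINED (127.0.0.1)"
SAMPLE_TIME = datetime(2023, 11, 5, 14, 7, 23)


def parse_fluentbit(line):
    """Return the fields fluent-bit's default parser would extract, or None on no match."""
    m = FLUENTBIT_SYSLOG_RFC3164.match(line)
    return m.groupdict() if m else None


def rfc3164_timestamp(ts):
    """RFC 3164 section 4.1.2 TIMESTAMP: 'Mmm dd hh:mm:ss', single-digit day padded with a space."""
    return f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"


def rfc3164_message(facility, severity, ts, hostname, ident, message, pid=None):
    """Build a full PRI + HEADER + MSG packet; PRI = facility * 8 + severity (RFC 3164 4.1.1)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    tag = f"{ident}[{pid}]" if pid is not None else ident
    return f"<{facility * 8 + severity}>{rfc3164_timestamp(ts)} {hostname} {tag}: {message}"


def wrap_metalog_payload(payload, ts, hostname, facility=3, severity=6):
    """Re-emit a metalog-style '[ident] msg' payload with the header fluent-bit expects.

    facility 3 (daemon) and severity 6 (informational) are assumed defaults: the bare
    payload has no PRI, so a relay doing this cannot recover the sender's real values,
    and the timestamp it stamps on is arrival time, not the original event time.
    """
    m = METALOG_PAYLOAD.match(payload)
    if not m:
        raise ValueError("payload is not of the form '[ident] message'")
    return rfc3164_message(facility, severity, ts, hostname, m["ident"], m["message"])


if __name__ == "__main__":
    # The bare payload fails at the very first token: the regex requires a leading "<PRI>".
    print("bare metalog payload parses as:", parse_fluentbit(METALOG_SAMPLE))
    full = wrap_metalog_payload(METALOG_SAMPLE, SAMPLE_TIME, "host1")
    print("with PRI and HEADER:", full)
    print("parsed fields:", parse_fluentbit(full))
```

The relay-side rewrite only papers over the problem: PRI and the event timestamp are guessed at the receiver, which is the situation the quoted RFC text says a complete packet from the origin avoids.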
