Formal separation marker of syslog events?
Posted by Server Horror on Server Fault
Published on 2011-06-18T21:47:01Z
Indexed on 2011/06/30 0:23 UTC
I've been looking at RFC5424 to find the formally specified marker that will end a syslog event.
Unfortunately I couldn't find it. So if I wanted to implement some small syslog server that reacts on certain messages, what is the marker that ends a message (yes, commonly an event is a single line, but I just couldn't find it in the specification)?
Clarification:
I call it event because I associate a message with a single line. An event could possibly be something like
Type: foo
Source: webservers
whereas a message to me is this:
Type: foo Source: webservers
http://tools.ietf.org/html/rfc5424#section-6 defines:
SYSLOG-MSG = HEADER SP STRUCTURED-DATA [SP MSG]
Neither STRUCTURED-DATA nor MSG tells me how these fields end. Especially MSG is defined as MSG-ANY / MSG-UTF8, which expands to virtually anything. There's nothing that says a newline marks the end (or an 8 or an a for that matter). Given the example messages (section 6.5):
This is one valid message, or 2 valid messages, depending on whether you say that a HEADER element must never occur in any MSG element:
literal whitespace
<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47
                                                                |
                                                                is this an end marker?
\t stands for a tab
<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 -\t<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47
                                                                |
                                                                is this an end marker?
\n stands for a newline
<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 -\n<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47
                                                                |
                                                                is this an end marker?
Either I'm misreading the RFC or there just isn't any mention. The sizes specified in the RFC just say what the minimum length is expected that I can work with...
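An added example, not part of the original question: RFC 5424 leaves message boundaries to the transport mapping (RFC 5426 puts one message in each UDP datagram), and for stream transports RFC 6587 describes two framings, an LF trailer and an octet count. The sketch below runs both over the question's sample message; the inputs are constructed, and the function names and the 8192-byte limit are assumptions of this example.

```python
import re

# Constructed inputs built from the question's sample message (empty MSG part).
ONE = b"<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 -"
SPACE_JOINED = ONE + b" " + ONE   # first case: per the ABNF, MSG = second copy
LF_JOINED = ONE + b"\n" + ONE     # third case: newline between the copies

# Start of an RFC 5424 HEADER: PRI, VERSION, SP.
HEADER_START = re.compile(rb"<\d{1,3}>[1-9]\d{0,2} ")


def split_on_lf(stream: bytes) -> list[bytes]:
    """RFC 6587 non-transparent framing: the receiver treats LF as a trailer.

    An LF inside MSG is indistinguishable from a trailer in this mode.
    """
    return [m for m in stream.split(b"\n") if m]


def frame(msg: bytes) -> bytes:
    """Sender side of RFC 6587 octet counting: MSG-LEN SP SYSLOG-MSG."""
    return str(len(msg)).encode("ascii") + b" " + msg


def read_frames(stream: bytes, max_len: int = 8192) -> list[bytes]:
    """Receiver side of octet counting: the length prefix ends each message.

    max_len is a local limit assumed for this example, not an RFC value.
    """
    out, pos = [], 0
    while pos < len(stream):
        sp = stream.find(b" ", pos, pos + 11)
        digits = stream[pos:sp] if sp != -1 else b""
        if not digits.isdigit() or digits.startswith(b"0"):
            raise ValueError(f"bad MSG-LEN at offset {pos}")
        end = sp + 1 + int(digits)
        if int(digits) > max_len or end > len(stream):
            raise ValueError(f"oversized or truncated frame at offset {pos}")
        msg = stream[sp + 1:end]
        if not HEADER_START.match(msg):
            raise ValueError(f"frame at offset {pos} does not start with a HEADER")
        out.append(msg)
        pos = end
    return out


if __name__ == "__main__":
    print(len(split_on_lf(LF_JOINED)))                 # LF trailer policy
    print(len(read_frames(frame(SPACE_JOINED))))       # one counted frame
    print(len(read_frames(frame(ONE) + frame(ONE))))   # two counted frames
```

With octet counting the header-like text inside MSG never affects the boundary, whereas the LF policy depends on senders never emitting a bare newline inside a message.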