func (f *Automatic) GetParser(line []byte) syslogparser.LogParser {
switch format, _ := detect(line); format {
case detectedRFC3164:
return rfc3164.NewParser(line)
case detectedRFC5424:
return rfc5424.NewParser(line)
default:
// If the line was an RFC6587 line, the splitter should already have removed the length,
// so one of the above two will be chosen if the line is correctly formed. However, it
// may have a second length illegally placed at the start, in which case the detector
// will return detectedRFC6587. The line may also simply be malformed after the length in
// which case we will have detectedUnknown. In this case we return the simplest parser so
// the illegally formatted line is properly handled
return rfc3164.NewParser(line)
}
}
func (s *Server) receiver(c net.PacketConn) {
//q := (chan<- Message)(s.q)
buf := make([]byte, 1024)
for {
n, _, err := c.ReadFrom(buf)
if err != nil {
if !s.shutdown {
s.l.Fatalln("Read error:", err)
}
return
}
pkt := buf[:n]
p := rfc3164.NewParser(pkt)
if err := p.Parse(); err != nil {
log.Println(err)
}
log := p.Dump()
m := &Message{
Time: time.Now(),
Priority: log["priority"].(syslog.Priority),
Timestamp: log["timestamp"].(time.Time),
Hostname: log["hostname"].(string),
Tag: log["tag"].(string),
Content: log["content"].(string),
}
s.passToHandlers(m)
}
}
func ExampleNewParser() {
b := "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
buff := []byte(b)
p := rfc3164.NewParser(buff)
err := p.Parse()
if err != nil {
panic(err)
}
fmt.Println(p.Dump())
}
func (s *concreteServer) handleConnection(conn net.Conn, callback CallbackFunc) {
defer func() {
if err := conn.Close(); err != nil {
s.logger.Error(concreteServerLogTag, "Failed to close connection: %s", err.Error())
}
}()
scanner := bufio.NewScanner(conn)
for scanner.Scan() {
bytes := scanner.Bytes()
p := rfc3164.NewParser(bytes)
err := p.Parse()
if err != nil {
s.logger.Error(
concreteServerLogTag,
"Failed to parse syslog message: %s error: %s",
string(bytes), err.Error(),
)
continue
}
content, ok := p.Dump()["content"].(string)
if !ok {
s.logger.Error(
concreteServerLogTag,
"Failed to retrieve syslog message string content: %s",
string(bytes),
)
continue
}
message := Msg{Content: content}
callback(message)
}
err := scanner.Err()
if err != nil {
s.logger.Error(
concreteServerLogTag,
"Scanner error while parsing syslog message: %s",
err.Error(),
)
}
}
func printPacketInfo(packet gopacket.Packet) {
applicationLayer := packet.ApplicationLayer()
if applicationLayer != nil {
buff := []byte(applicationLayer.Payload())
p := rfc3164.NewParser(buff)
err := p.Parse()
if err != nil {
fmt.Println("Error decoding Payload:", err)
}
fmt.Printf("%s", p.Dump()["content"])
}
if err := packet.ErrorLayer(); err != nil {
fmt.Println("Error decoding some part of the packet:", err)
}
}
func (s *StreamServer) IsIgnoreLog(buf []byte) bool {
p := rfc3164.NewParser(buf)
if err := p.Parse(); err != nil {
return false
}
data := p.Dump()
tag := data["tag"].(string)
if len(tag) == 0 {
return false
}
s.Lock()
rgs, ok := s.CurrentConfig[tag]
s.Unlock()
if ok {
for _, r := range rgs {
if r.MatchString(data["content"].(string)) {
return true
}
}
}
return false
}
func (s *server) processLine(line []byte) {
p := rfc3164.NewParser(line)
if err := p.Parse(); err != nil {
logger.Println("failed to parse:", err)
return
}
receivedMeter.Mark(1)
parts := p.Dump()
jsonBytes, err := json.Marshal(parts)
if err != nil {
logger.Println("error marshaling message, skipping.", err)
return
}
if cfg.verbose {
logger.Println("enqueuing", string(jsonBytes))
}
if cfg.publish {
put := func() error {
return s.publishMessage(jsonBytes)
}
policy := backoff.NewExponentialBackOff()
policy.MaxElapsedTime = time.Minute * 5
err := backoff.Retry(put, policy)
if err != nil {
// retrying a bunch of times failed...
logger.Println("failed sending message.", err)
sendDroppedMeter.Mark(1)
}
}
}
package syslog_test
import (
"fmt"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
"github.com/jeromer/syslogparser/rfc3164"
)
var _ = Describe("syslogparser", func() {
It("parses an example message", func() {
text := []byte("<34>Oct 11 22:14:15 mach su: 'su root' failed for lonvick on /dev/pts/8")
parser := rfc3164.NewParser(text)
err := parser.Parse()
Expect(err).ToNot(HaveOccurred())
parts := parser.Dump() // syslogparser.LogParts
Expect(fmt.Sprintf("%T", parts["timestamp"])).To(Equal("time.Time"))
Expect(parts["hostname"]).To(Equal("mach"))
Expect(parts["tag"]).To(Equal("su"))
Expect(parts["content"]).To(Equal("'su root' failed for lonvick on /dev/pts/8"))
Expect(parts["priority"]).To(Equal(34))
Expect(parts["facility"]).To(Equal(4))
Expect(parts["severity"]).To(Equal(2))
})
})
func (f *RFC3164) GetParser(line []byte) syslogparser.LogParser {
return rfc3164.NewParser(line)
}
