cloudfoundry-community / firehose-to-syslog

Send firehose events from Cloud Foundry to syslog.
MIT License
44 stars 58 forks

Incorrect syslog format #176

Closed LYHuang closed 6 years ago

LYHuang commented 6 years ago

The syslog I receive from firehose-to-syslog has an unexpected syslog format. According to https://tools.ietf.org/html/rfc3164#section-4.1.1, there should not be a space between the PRI value and the timestamp.

However, all the logs from firehose-to-syslog are formatted like <6> 2018-02-13T23:44:34Z 714085b2-70b8-4d45-5b90-a39a doppler[19]. Is there any solution to remove this space?

This is the setting with the firehose-to-syslog:

applications:
- name: firehose-to-syslog
  health-check-type: process
  env:
    GOPACKAGENAME: github.com/cloudfoundry-community/firehose-to-syslog
    API_ENDPOINT: https://api.sys.
    DEBUG: false
    DOPPLER_ENDPOINT: wss://doppler.sys.
    EVENTS: LogMessage
    FIREHOSE_CLIENT_ID: xxx
    FIREHOSE_CLIENT_SECRET: xxx
    FIREHOSE_SUBSCRIPTION_ID: firehose-a
    LOG_EVENT_TOTALS: true
    LOG_EVENT_TOTALS_TIME: 10s
    SKIP_SSL_VALIDATION: true
    SYSLOG_ENDPOINT: "xxxx"
    SYSLOG_PROTOCOL: tcp  # tcp/udp/tcp+tls
    CERT_PEM: cert.pem  # $ curl https://download.yourlogprovider.tld/their.crt > cert.pem

shinji62 commented 6 years ago

We use RFC5424.

LYHuang commented 6 years ago

But according to https://tools.ietf.org/html/rfc5424#section-6, the format should be like:

HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID

The log is missing the VERSION. Is there any solution for this?
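
Added example (not part of the thread, and not code from firehose-to-syslog or srslog): a small Go checker that reports where a line deviates from the RFC 5424 HEADER quoted above, run on the sample line from the issue. The function name and the second, conformant sample line are constructed for illustration; the timestamp check uses Go's RFC 3339 parser as an approximation of the RFC 5424 TIMESTAMP rule.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

var priRe = regexp.MustCompile(`(?s)^<(\d{1,3})>(.*)$`) // PRI, then the rest
var versionRe = regexp.MustCompile(`^[1-9]\d{0,2}$`)    // RFC 5424 VERSION

// CheckRFC5424Header lists where line deviates from the RFC 5424 HEADER
// (PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID).
func CheckRFC5424Header(line string) []string {
	m := priRe.FindStringSubmatch(line)
	if m == nil {
		return []string{"missing or malformed PRI"}
	}
	var issues []string
	if pri, _ := strconv.Atoi(m[1]); pri > 191 {
		issues = append(issues, "PRIVAL above 191")
	}
	if strings.HasPrefix(m[2], " ") {
		issues = append(issues, "space after PRI")
	}
	f := strings.SplitN(strings.TrimLeft(m[2], " "), " ", 7)
	if !versionRe.MatchString(f[0]) {
		issues = append(issues, "missing VERSION")
		f = append([]string{""}, f...) // realign so f[1] is the TIMESTAMP
	}
	if len(f) > 1 && f[1] != "-" { // "-" is the NILVALUE
		if _, err := time.Parse(time.RFC3339, f[1]); err != nil {
			issues = append(issues, "bad TIMESTAMP")
		}
	}
	if len(f) < 6 {
		issues = append(issues, "fewer than six header fields")
	}
	return issues
}

func main() {
	// First line is the sample quoted in the issue; the second is constructed.
	fmt.Println(CheckRFC5424Header("<6> 2018-02-13T23:44:34Z 714085b2-70b8-4d45-5b90-a39a doppler[19]"))
	fmt.Println(CheckRFC5424Header("<14>1 2018-02-13T23:44:34Z host.example doppler 19 - - hello"))
}
```

A receiver that parses strictly as RFC 5424 would reject or mis-field the first line, which is why collectors should be checked against the format the forwarder actually emits.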

LYHuang commented 6 years ago

Hello, I tracked the source code and found that only the log message gets serialized to the format and then published; I didn't find where it appends the RFC5424 header.

Would you point me to where you attach the RFC5424 header before sending the log message to the syslog endpoint?

CI-PivotalJapan-GE commented 6 years ago

We don't attach the header. And we never have.

The format is there: https://github.com/RackSec/srslog/blob/master/formatter.go#L51

Thanks
