Version between range 1 to 999, why ?

[alexisvisco]

Hello,

I am trying to understand why did you choose to reject a version that is not between 1 and 999.

How I am testing

I am testing with a docker container with this command: docker run --log-driver syslog --log-opt syslog-address=udp://localhost:7890 alpine echo hello world

I obtain this syslog message: <30>Aug 8 13:56:23 6d8f79ab82bf[1451]: hello world\n

Docker is using the same RFC as you with the ABNF implementation: https://docs.docker.com/config/containers/logging/syslog/

Why I am thinking version range is not expected ?

In the RFC there is no 999, you can search for it but you will not find anything related to the version.

So why are you doing that, there is a reason for ?

[goller]

Hey @alexisvisco thanks for writing in!

Here is the ABNF from rfc5424:

      VERSION         = NONZERO-DIGIT 0*2DIGIT

and here is @leodido 's ragel grammar for version:

 version = (nonzerodigit digit{0,2} <err(err_version)) >mark %from(set_version) %eof(set_version) @err(err_version); 

I believe that 0*2DIGIT is a Variable Repetition rule; it indicates at least 0 and at most 2 occurrences of the element.

Therefore, VERSION is between 1 and 3 characters long. The first character's value is in the range 1 - 9 while the second and third characters are 0 - 9. This means that the minimum number is 1 while the maximum number is 999.

@leodido is trying to give really nice and explicit reasons for parsing incorrect syslog data and the error message is a short description of the valid values of VERSION.

[goller]

@alexisvisco ultimately, the log line you are receiving is not RFC5424, but the "the local UNIX syslog format."

From the docker syslog format, try --log-opt syslog-format=rfc5424

[leodido]

@goller explanation is perfect. 👍

I'm going to close this.