Decoder RFC 5424 does not correctly parse structured data

Question

Decoder RFC 5424 does not correctly parse structured data

gearnode opened this issue 3 years ago · 2 comments

The decoder RFC 5424 does not correctly parse structured data. Currently, the parser parses only one structured data, which completely breaks the specification. As defined by the RFC 5424 ABF a Syslog message can contain no, one or more than one structured data.

Here is an example of a not properly parsed message:

<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource= "Application" eventID="1011"][examplePriority@32473 class="high"] hello world

In this example, the message contains two structured data (but we can have a message with more than two) but the flowgger decoder only parses the first one and consider the rest a message, which is not correct too as the structured data and the message must be separated with a space.

Answer 1 · 2021-11-22T17:23:25.000Z

Hi,
That is absolutely correct, thanks for raising this. I'll provide a fix for this as soon as possible.

Answer 2 · 2021-11-24T09:52:41.000Z

Fixed in rev 0.2.12