100 lines
3.1 KiB
Go
100 lines
3.1 KiB
Go
package format
|
|
|
|
import (
|
|
"bufio"
|
|
"bytes"
|
|
"errors"
|
|
"strconv"
|
|
|
|
"github.com/jeromer/syslogparser"
|
|
"github.com/jeromer/syslogparser/rfc3164"
|
|
"github.com/jeromer/syslogparser/rfc5424"
|
|
)
|
|
|
|
/* Selecting an 'Automatic' format detects incoming format (i.e. RFC3164 vs RFC5424) and Framing
|
|
* (i.e. RFC6587 s3.4.1 octet counting as described here as RFC6587, and either no framing or
|
|
* RFC6587 s3.4.2 octet stuffing / non-transparent framing, described here as either RFC3164
|
|
* or RFC6587).
|
|
*
|
|
* In essence if you don't know which format to select, or have multiple incoming formats, this
|
|
* is the one to go for. There is a theoretical performance penalty (it has to look at a few bytes
|
|
* at the start of the frame), and a risk that you may parse things you don't want to parse
|
|
* (rogue syslog clients using other formats), so if you can be absolutely sure of your syslog
|
|
* format, it would be best to select it explicitly.
|
|
*/
|
|
|
|
type Automatic struct{}
|
|
|
|
const (
|
|
detectedUnknown = iota
|
|
detectedRFC3164 = iota
|
|
detectedRFC5424 = iota
|
|
detectedRFC6587 = iota
|
|
)
|
|
|
|
func detect(data []byte) (detected int, err error) {
|
|
// all formats have a sapce somewhere
|
|
if i := bytes.IndexByte(data, ' '); i > 0 {
|
|
pLength := data[0:i]
|
|
if _, err := strconv.Atoi(string(pLength)); err == nil {
|
|
return detectedRFC6587, nil
|
|
}
|
|
|
|
// is there a close angle bracket before the ' '? there should be
|
|
angle := bytes.IndexByte(data, '>')
|
|
if (angle < 0) || (angle >= i) {
|
|
return detectedUnknown, errors.New("No close angle bracket before space")
|
|
}
|
|
|
|
// if a single digit immediately follows the angle bracket, then a space
|
|
// it is RFC5424, as RFC3164 must begin with a letter (month name)
|
|
if (angle+2 == i) && (data[angle+1] >= '0') && (data[angle+1] <= '9') {
|
|
return detectedRFC5424, nil
|
|
} else {
|
|
return detectedRFC3164, nil
|
|
}
|
|
}
|
|
return detectedUnknown, nil
|
|
}
|
|
|
|
func (f *Automatic) GetParser(line []byte) syslogparser.LogParser {
|
|
switch format, _ := detect(line); format {
|
|
case detectedRFC3164:
|
|
return rfc3164.NewParser(line)
|
|
case detectedRFC5424:
|
|
return rfc5424.NewParser(line)
|
|
default:
|
|
// If the line was an RFC6587 line, the splitter should already have removed the length,
|
|
// so one of the above two will be chosen if the line is correctly formed. However, it
|
|
// may have a second length illegally placed at the start, in which case the detector
|
|
// will return detectedRFC6587. The line may also simply be malformed after the length in
|
|
// which case we will have detectedUnknown. In this case we return the simplest parser so
|
|
// the illegally formatted line is properly handled
|
|
return rfc3164.NewParser(line)
|
|
}
|
|
}
|
|
|
|
func (f *Automatic) GetSplitFunc() bufio.SplitFunc {
|
|
return f.automaticScannerSplit
|
|
}
|
|
|
|
func (f *Automatic) automaticScannerSplit(data []byte, atEOF bool) (advance int, token []byte, err error) {
|
|
if atEOF && len(data) == 0 {
|
|
return 0, nil, nil
|
|
}
|
|
|
|
switch format, err := detect(data); format {
|
|
case detectedRFC6587:
|
|
return rfc6587ScannerSplit(data, atEOF)
|
|
case detectedRFC3164, detectedRFC5424:
|
|
// the default
|
|
return bufio.ScanLines(data, atEOF)
|
|
default:
|
|
if err != nil {
|
|
return 0, nil, err
|
|
}
|
|
// Request more data
|
|
return 0, nil, nil
|
|
}
|
|
}
|