Confused with syslog message format


Question

I am a bit confused about syslog message format. I have to write a program that parses syslog messages. When I read what I get in my syslog-ng instance I get messages like this:

Jan 12 06:30:00 1.2.3.4 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 +0100] "GET /foo/bar.html HTTP/1.1" 301 96 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)" PID 18904 Time Taken 0

I can clearly determine the real message (which is, in this case, an Apache access log message). The rest is metadata about the syslog message itself.

However when I read the RFC 5424 the message examples look like:

Without structured data:

<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8

Or with structured data:

<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] BOMAn application event log entry...

So now I am a bit confused. What is the correct syslog message format? Is it a matter of spec version, where RFC 5424 obsoleted RFC 3164?

Recommended answer

The problem in this case is that apache is logging via the standard syslog(3) or via logger. This only supports the old (RFC3164) syslog format, i.e. there is no structured data here. In order to have the fields from the apache log show up as RFC5424 structured data, apache would need to format the log that way.

The first example is not proper RFC3164 syslog, because the priority value is stripped from the header. Proper RFC3164 format would look like this:

<34>Jan 12 06:30:00 1.2.3.4 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 +0100] "GET /foo/bar.html HTTP/1.1" 301 96 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)" PID 18904 Time Taken 0

Traditionally rfc3164 syslog messages are saved to files with the priority value removed.

The other two are in RFC5424 format.
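To make the distinction concrete, here is an added example (not code from the question, the answer, or syslog-ng) of a small Python parser that accepts both forms described above: an RFC 5424 header with optional STRUCTURED-DATA, and an RFC 3164 header whose `<PRI>` may be present or stripped as it is in files. The regular expressions, the `SEVERITY` table and the sample lines are my own simplifications and constructed input, not a complete implementation of either RFC.

```python
import re

# Simplified header patterns (my own approximation of the two RFC grammars, not a full implementation).
RFC5424 = re.compile(
    r'^<(?P<pri>\d{1,3})>\d{1,2} (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$')
RFC3164 = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>)?(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<app>[^:\[ ]+)(?:\[\d+\])?: ?(?P<msg>.*)$')
SD_PARAM = re.compile(r'([^= "\]]+)="((?:[^"\\]|\\.)*)"')
SEVERITY = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']

def decode_pri(pri):
    """PRI = facility * 8 + severity; (None, None) when the <PRI> was stripped, as in RFC 3164 files."""
    if pri is None:
        return None, None
    pri = int(pri)
    return pri >> 3, SEVERITY[pri & 7]

def parse_sd(sd):
    """RFC 5424 STRUCTURED-DATA -> {sd_id: {param: value}}; '-' yields {}. Escaped ']' in values is not handled."""
    out = {}
    for element in re.findall(r'\[([^\]]*)\]', sd):
        sd_id, _, params = element.partition(' ')
        out[sd_id] = dict(SD_PARAM.findall(params))
    return out

def parse(line):
    """Return the header fields plus the MSG part (the 'real' message); try RFC 5424 first, then RFC 3164."""
    m = RFC5424.match(line)
    if m:
        facility, severity = decode_pri(m['pri'])
        return {'rfc': '5424', 'facility': facility, 'severity': severity, 'timestamp': m['ts'],
                'host': m['host'], 'app': m['app'], 'sd': parse_sd(m['sd']),
                'msg': m['msg'].lstrip('\ufeff')}  # RFC 5424 allows a UTF-8 BOM before MSG
    m = RFC3164.match(line)
    if m:
        facility, severity = decode_pri(m['pri'])
        return {'rfc': '3164', 'facility': facility, 'severity': severity, 'timestamp': m['ts'],
                'host': m['host'], 'app': m['app'], 'sd': {}, 'msg': m['msg']}
    raise ValueError('not an RFC 5424 or RFC 3164 syslog line: %r' % line[:40])

# Constructed sample lines modelled on the question and answer (the RFC prints the BOM as "BOM"; a real U+FEFF is used here, and the Apache line is abridged).
SAMPLES = [
    "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - \ufeff'su root' failed for lonvick on /dev/pts/8",
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] \ufeffAn application event log entry...',
    '<34>Jan 12 06:30:00 1.2.3.4 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 +0100] "GET /foo/bar.html HTTP/1.1" 301 96',
    'Jan 12 06:30:00 1.2.3.4 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 +0100] "GET /foo/bar.html HTTP/1.1" 301 96',
]
```

Running `parse` over `SAMPLES` gives facility 4 and severity `crit` for both `<34>` lines, `None` for the file-style line without a PRI, and the Apache access-log text intact in `msg` either way.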
