[WIP] Add a Syslog input listening to UDP and TCP connection #6433
Conversation
This commit add a new input named Syslog which can receive syslog formated events from either UDP or TCP, currently without any SSL. The events are locally parsed and send downstream. The parser will support RFC3164 formatted events, the parser uses state machines to parses the messages really fast instead of regular expression. The state machine are written using Ragel and that generate compact and optimized go code, using state machine is a trade off of speed vs size of the binary. This generated file add 32K to the final binary which is an OK trade of. Limitation: Due to the nature of syslog, it's possible that some messages are not correctly parsed, the parser is a work in progress and will benefit from any bug report. The best solution for them is to tag them and keep the `message` as the raw message.
| return nil, nil | ||
| } | ||
|
|
||
| func (s SyslogMessage) IsValid() bool { |
There was a problem hiding this comment.
exported method SyslogMessage.IsValid should have comment or be unexported
| s.second = sec | ||
| } | ||
|
|
||
| func (s SyslogMessage) Ts() (*time.Time, error) { |
There was a problem hiding this comment.
exported method SyslogMessage.Ts should have comment or be unexported
| s.minute = h | ||
| } | ||
|
|
||
| func (s *SyslogMessage) Second(sec []byte) { |
There was a problem hiding this comment.
exported method SyslogMessage.Second should have comment or be unexported
| s.hour = h | ||
| } | ||
|
|
||
| func (s *SyslogMessage) Minute(h []byte) { |
There was a problem hiding this comment.
exported method SyslogMessage.Minute should have comment or be unexported
| s.day = d | ||
| } | ||
|
|
||
| func (s *SyslogMessage) Hour(h []byte) { |
There was a problem hiding this comment.
exported method SyslogMessage.Hour should have comment or be unexported
| s.month = m | ||
| } | ||
|
|
||
| func (s *SyslogMessage) GetMonth() int { |
There was a problem hiding this comment.
exported method SyslogMessage.GetMonth should have comment or be unexported
| return &SyslogMessage{} | ||
| } | ||
|
|
||
| func (s *SyslogMessage) Month(m []byte) { |
There was a problem hiding this comment.
exported method SyslogMessage.Month should have comment or be unexported
| const syslog_en_main int = 1 | ||
|
|
||
|
|
||
| //line parser.rl:8 |
There was a problem hiding this comment.
comment on exported function Parse should be of the form "Parse ..."
| const syslog_first_final int = 69 | ||
| const syslog_error int = 0 | ||
|
|
||
| const syslog_en_main int = 1 |
There was a problem hiding this comment.
don't use underscores in Go names; const syslog_en_main should be syslogEnMain
| //line parser.go:7 | ||
| const syslog_start int = 1 | ||
| const syslog_first_final int = 69 | ||
| const syslog_error int = 0 |
There was a problem hiding this comment.
don't use underscores in Go names; const syslog_error should be syslogError
|
This PR contains only the parser and the initial works for the input, I need to move #6361 forward for the UDP/TCP So I can reuse them as component in the Syslog input. |
| @@ -0,0 +1,1389 @@ | |||
|
|
|||
There was a problem hiding this comment.
This is generated code.. go away hound.
|
Closing and reopening a new one since the UDP and TCP are now merged and it will be clearer without all the hound comments. |
Not ready for review
This is just a placeholder PR, since hound is a bit of a pain to deal with I have disable it on this PR and will create a new PR when it's ready for review..
This commit add a new input named Syslog which can receive syslog
formated events from either UDP or TCP, currently without any SSL.
The events are locally parsed and send downstream.
The parser will support RFC3164 formatted events, the parser uses
state machines to parses the messages really fast instead of regular
expression.
The state machine are written using Ragel and that generate compact and
optimized go code, using state machine is a trade off of speed vs size
of the binary. This generated file add 32K to the final binary which is
an OK trade of.
Limitation:
Due to the nature of syslog, it's possible that some messages are not
correctly parsed, the parser is a work in progress and will benefit from
any bug report.
The best solution for them is to tag them and keep the
messageas theraw message.
depends on #6266 and #6439