Confused about syslog message format
I am a bit confused about syslog message format. I have to write a program that parses syslog messages. When I read what I get in my syslog-ng instance I get messages like this:
Jan 12 06:30:00 1.2.3.4 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 +0100] "GET /foo/bar.html HTTP/1.1" 301 96 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729)" PID 18904 Time Taken 0
I can clearly determine the real message (which is, in this case, an Apache access log message). The rest is metadata about the syslog message itself.
However, when I read RFC 5424, the message examples look like:
without structured data
<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8
or with structured data
<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] BOMAn application event log entry...
So now I am a bit confused. What is the correct syslog message format? Is it a matter of spec version, where RFC 5424 obsoleted RFC 3164?
The problem in this case is that Apache is logging via the standard syslog(3) or via logger. This only supports the old (RFC 3164) syslog format, i.e. there is no structured data here.
In order to have the fields from the Apache log show up as RFC 5424 structured data, Apache would need to format the log that way.
The first example is not proper RFC 3164 syslog, because the priority value is stripped from the header. Proper RFC 3164 format would look like this:
Traditionally, RFC 3164 syslog messages are saved to files with the priority value removed.
The other two are in RFC 5424 format.
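To make the distinction concrete, here is a small parser (added example, not code from the question or the answer) that accepts both shapes discussed above: an RFC 3164 line with or without the `<PRI>` prefix, and an RFC 5424 line including its STRUCTURED-DATA block with the three escape sequences the RFC allows inside parameter values. It assumes nothing beyond the two RFCs; the sample lines are the ones quoted in the question (with the RFC's literal "BOM" rendered as the real byte-order-mark character) plus one constructed line, marked as such, that exercises the escapes. Header fields are separated from the free-form MSG so that downstream code can treat the payload as untrusted sender-controlled text rather than part of the metadata.

```python
"""Parser for both syslog formats in the question: RFC 3164 (BSD) lines with or
without the <PRI> prefix, and RFC 5424 lines with STRUCTURED-DATA."""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3164: [<PRI>] TIMESTAMP SP HOSTNAME SP TAG[PID]: MSG. PRI is optional because
# daemons traditionally write files with it stripped, as the answer notes.
_RFC3164 = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$", re.DOTALL)
# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.DOTALL)

@dataclass
class SyslogMessage:
    rfc: str                    # "3164" or "5424"
    facility: Optional[int]     # None when a 3164 line arrived without <PRI>
    severity: Optional[int]
    timestamp: str
    hostname: str
    app: str                    # TAG (3164) or APP-NAME (5424)
    procid: Optional[str]
    msgid: Optional[str]
    structured_data: dict       # {SD-ID: {PARAM-NAME: value}}, always {} for 3164
    msg: str                    # free-form payload written by the sender: untrusted

def _nil(v):
    """RFC 5424 NILVALUE: a lone '-' means the field is absent."""
    return None if v == "-" else v

def _parse_sd(s):
    """Parse STRUCTURED-DATA at the start of s and return (sd, remainder).
    Unescapes the three sequences RFC 5424 allows in PARAM-VALUE: \\" \\\\ \\]"""
    if s.startswith("-"):
        return {}, s[1:]
    sd, i, n = {}, 0, len(s)
    while i < n and s[i] == "[":
        i += 1
        start = i
        while i < n and s[i] not in " ]":
            i += 1
        sd_id, params = s[start:i], {}
        while i < n and s[i] == " ":              # zero or more SP SD-PARAM
            i += 1
            start = i
            while i < n and s[i] not in '=]"':
                i += 1
            name = s[start:i]
            if i + 1 >= n or s[i] != "=" or s[i + 1] != '"':
                raise ValueError("malformed SD-PARAM")
            i, buf = i + 2, []
            while i < n and s[i] != '"':
                if s[i] == "\\" and i + 1 < n and s[i + 1] in '"\\]':
                    i += 1                        # drop the backslash, keep the char
                buf.append(s[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated PARAM-VALUE")
            i += 1                                # closing quote
            params[name] = "".join(buf)
        if i >= n or s[i] != "]":
            raise ValueError("unterminated SD-ELEMENT")
        i += 1
        sd[sd_id] = params
    if not sd:
        raise ValueError("STRUCTURED-DATA must be '-' or at least one SD-ELEMENT")
    return sd, s[i:]

def parse(line):
    """Dispatch on the header shape; raise ValueError for anything unrecognised."""
    m = _RFC5424.match(line)
    if m:
        pri = int(m["pri"])
        sd, rest = _parse_sd(m["rest"])
        msg = rest[1:] if rest.startswith(" ") else rest
        # A UTF-8 MSG may start with a byte-order mark; strip it from the payload.
        return SyslogMessage("5424", pri >> 3, pri & 7, m["ts"], m["host"], m["app"],
                             _nil(m["procid"]), _nil(m["msgid"]), sd, msg.lstrip("\ufeff"))
    m = _RFC3164.match(line)
    if m:
        pri = int(m["pri"]) if m["pri"] is not None else None
        return SyslogMessage("3164", None if pri is None else pri >> 3,
                             None if pri is None else pri & 7, m["ts"], m["host"],
                             m["tag"], m["pid"], None, {}, m["msg"])
    raise ValueError("not a recognised syslog line: %r" % line[:60])

# Sample input. The first three lines are the ones quoted in the question; RFC 5424
# prints the UTF-8 byte-order mark as the letters "BOM", so it appears here as the
# actual character "\ufeff". The fourth line is constructed to exercise the escapes
# (99999 is a placeholder enterprise number, not a registered one).
APACHE_LINE = ('Jan 12 06:30:00 1.2.3.4 apache_server: 1.2.3.4 - - [12/Jan/2011:06:29:59 '
               '+0100] "GET /foo/bar.html HTTP/1.1" 301 96 "-" "Mozilla/5.0 (Windows; U; '
               'Windows NT 5.1; fr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR '
               '3.5.30729)" PID 18904 Time Taken 0')
RFC5424_PLAIN = ("<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
                 "\ufeff'su root' failed for lonvick on /dev/pts/8")
RFC5424_SD = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
              '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] '
              '\ufeffAn application event log entry...')
RFC5424_ESCAPED = '<13>1 2024-01-01T00:00:00Z host app - - [meta@99999 q="a \\"b\\" c\\]"] x'

if __name__ == "__main__":
    for line in (APACHE_LINE, RFC5424_PLAIN, RFC5424_SD, RFC5424_ESCAPED):
        print(parse(line))
```

Run as a script, the Apache line comes back as RFC 3164 with `facility` and `severity` set to `None`, which is exactly the missing-priority situation the answer describes, while the two RFC 5424 lines yield facility 4/severity 2 and facility 20/severity 5 respectively, with the structured data split out into a dictionary. Because the PRI is a single byte-range integer, the `>> 3` and `& 7` split is all the decoding it needs.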
If you have access to the installed syslog daemon on the system, you could configure it to write the logs (received both locally or via network) in a different format. rsyslogd, for instance, allows you to configure your own format (just write a template) and also, if I remember correctly, has a built-in template to store in JSON format. And there are libraries in almost any language to parse JSON.
EDIT: You could also make rsyslogd part of your program. rsyslog is very good at reading incoming syslogs in either of the two RFC formats. You can then use rsyslog to output the message in JSON. This way rsyslog does all the decomposition of the message for you.