1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
|
Syslogparser
============
This is a syslog parser for the Go programming language.
https://pkg.go.dev/github.com/jeromer/syslogparser
Installing
----------
go get github.com/jeromer/syslogparser
Supported RFCs
--------------
- [RFC 3164][RFC 3164]
- [RFC 5424][RFC 5424]
Not all features described in RFCs above are supported but only the most
part of it. For exaple `SDID`s are not supported in [RFC 5424][RFC 5424] and
`STRUCTURED-DATA` are parsed as a whole string.
This parser should solve 80% of use cases. If your use cases are in the
20% remaining ones I would recommend you to fully test what you want to
achieve and provide a patch if you want.
Parsing an RFC 3164 syslog message
----------------------------------
b := "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
buff := []byte(b)
p := rfc3164.NewParser(buff)
err := p.Parse()
if err != nil {
panic(err)
}
for k, v := range p.Dump() {
fmt.Println(k, ":", v)
}
You should see
timestamp : 2013-10-11 22:14:15 +0000 UTC
hostname : mymachine
tag : su
content : 'su root' failed for lonvick on /dev/pts/8
priority : 34
facility : 4
severity : 2
Parsing an RFC 5424 syslog message
----------------------------------
b := `<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] An application event log entry...`
buff := []byte(b)
p := rfc5424.NewParser(buff)
err := p.Parse()
if err != nil {
panic(err)
}
for k, v := range p.Dump() {
fmt.Println(k, ":", v)
}
You should see
version : 1
timestamp : 2003-10-11 22:14:15.003 +0000 UTC
app_name : evntslog
msg_id : ID47
message : An application event log entry...
priority : 165
facility : 20
severity : 5
hostname : mymachine.example.com
proc_id : -
structured_data : [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]
Detecting message format
------------------------
You can use the `DetectRFC()` function. Like this:
b := []byte(`<165>1 2003-10-11T22:14:15.003Z ...`)
rfc, err := syslogparser.DetectRFC(b)
if err != nil {
panic(err)
}
switch rfc {
case RFC_UNKNOWN:
fmt.Println("unknown")
case RFC_3164:
fmt.Println("3164")
case RFC_5424:
fmt.Println("5424")
}
Running tests
-------------
Run `make test`
Running benchmarks
------------------
Run `make benchmark`
go test -bench=. -benchmem
goos: linux
goarch: amd64
pkg: github.com/jeromer/syslogparser
BenchmarkDetectRFC-8 81994480 14.7 ns/op 0 B/op 0 allocs/op
PASS
ok github.com/jeromer/syslogparser 2.145s
cd rfc3164 && go test -bench=. -benchmem
goos: linux
goarch: amd64
pkg: github.com/jeromer/syslogparser/rfc3164
BenchmarkParseTimestamp-8 2823901 416 ns/op 16 B/op 1 allocs/op
BenchmarkParseHostname-8 34796552 35.4 ns/op 16 B/op 1 allocs/op
BenchmarkParseTag-8 20954252 59.3 ns/op 8 B/op 1 allocs/op
BenchmarkParseHeader-8 2276569 596 ns/op 80 B/op 3 allocs/op
BenchmarkParsemessage-8 6751579 192 ns/op 104 B/op 4 allocs/op
BenchmarkParseFull-8 1445076 838 ns/op 336 B/op 10 allocs/op
PASS
ok github.com/jeromer/syslogparser/rfc3164 9.601s
cd rfc5424 && go test -bench=. -benchmem
goos: linux
goarch: amd64
pkg: github.com/jeromer/syslogparser/rfc5424
BenchmarkParseTimestamp-8 790478 1488 ns/op 432 B/op 21 allocs/op
BenchmarkParseHeader-8 1000000 1043 ns/op 336 B/op 18 allocs/op
BenchmarkParseFull-8 980828 1306 ns/op 672 B/op 21 allocs/op
PASS
ok github.com/jeromer/syslogparser/rfc5424 4.356s
[RFC 5424]: https://tools.ietf.org/html/rfc5424
[RFC 3164]: https://tools.ietf.org/html/rfc3164
|
