
Implement multi-line collection for indented logs#1780

Merged
ddpbsd merged 3 commits into ossec:master from
sempervictus:feature/reader_multi-line_indented
Nov 2, 2019

Conversation

@sempervictus

Multiple logging implementations utilize tabs or spaces to prefix
lines following the top, unindented line starting the entry. The
existing multi-line approach does not deal well with variable log
lengths using these indented sub-entries as it extracts lines by
count, not content.

This commit implements a modified postgresql log reader as a
generic multi-line parser sending the current buffer downstream
when it starts a new log entry (line does not start with ' ' or
'\t'), or encounters an empty line.

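The grouping rule the PR description gives (an unindented line starts a new entry, an empty line terminates the current one) written out as an added, stand-alone C example. This is not OSSEC's reader code and not the code merged in this PR; the function and buffer names are the example's own, and the log lines are constructed. It also shows a consequence of the rule worth knowing before relying on it: a message whose last line is unindented, like the closing exception line of a Python traceback, is split off into its own entry.

```c
/* Added example, not OSSEC code: group raw log lines into multi-line
 * entries by indentation. Rule (from the PR description): a line that
 * does not begin with ' ' or '\t' starts a new entry; an empty line
 * ends the current entry. All names here are the example's own. */
#include <stdio.h>
#include <string.h>

#define ENTRY_MAX   1024   /* max bytes per assembled entry */
#define ENTRIES_MAX 16     /* max entries kept by the example */

/* Append one line to the entry buffer, joining lines with '\n'. */
static void entry_append(char *entry, const char *line)
{
    size_t used = strlen(entry);
    if (used && used + 1 < ENTRY_MAX) {
        entry[used++] = '\n';
        entry[used] = '\0';
    }
    strncat(entry, line, ENTRY_MAX - used - 1);
}

/* Send the buffered entry downstream (here: copy to out) and reset it.
 * An empty buffer emits nothing, so repeated blank lines are harmless. */
static void entry_flush(char *entry, char out[][ENTRY_MAX], int *count)
{
    if (entry[0] == '\0')
        return;
    if (*count < ENTRIES_MAX) {
        strcpy(out[*count], entry);
        (*count)++;
    }
    entry[0] = '\0';
}

/* Parse '\n'-separated text into entries; returns the entry count. */
int collect_indented(const char *text, char out[][ENTRY_MAX])
{
    char entry[ENTRY_MAX] = "";
    char line[ENTRY_MAX];
    int count = 0;
    const char *p = text;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof(line))
            len = sizeof(line) - 1;       /* truncate over-long lines */
        memcpy(line, p, len);
        line[len] = '\0';

        if (line[0] == '\0') {
            entry_flush(entry, out, &count);          /* blank: end entry */
        } else if (line[0] == ' ' || line[0] == '\t') {
            entry_append(entry, line);                /* continuation */
        } else {
            entry_flush(entry, out, &count);          /* new entry starts */
            entry_append(entry, line);
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    /* Finite input: flush what is left. A live tail could not do this,
     * because it cannot know the entry is complete until the next
     * unindented or empty line arrives. */
    entry_flush(entry, out, &count);
    return count;
}

/* Number of physical lines in an assembled entry. */
int entry_line_count(const char *e)
{
    int n = 1;
    for (; *e; e++)
        if (*e == '\n')
            n++;
    return n;
}

/* Constructed sample (not from any real system): a Java stack trace,
 * a one-liner, a Python traceback, a blank line, another one-liner. */
const char *SAMPLE_LOG =
    "2019-10-21 00:26:01 app[123]: Exception in thread \"main\" java.lang.NullPointerException\n"
    "\tat com.example.Foo.bar(Foo.java:42)\n"
    "\tat com.example.Main.main(Main.java:10)\n"
    "2019-10-21 00:26:02 app[123]: started\n"
    "2019-10-21 00:26:03 app[123]: Traceback (most recent call last):\n"
    "  File \"x.py\", line 1, in <module>\n"
    "ValueError: bad value\n"
    "\n"
    "2019-10-21 00:26:04 app[123]: done\n";

static char g_out[ENTRIES_MAX][ENTRY_MAX];

/* Run the parser over SAMPLE_LOG; returns the entry count. */
int sample_count(void) { return collect_indented(SAMPLE_LOG, g_out); }
/* Entry i from the last sample_count() run. */
const char *sample_entry(int i) { return g_out[i]; }

int main(void)
{
    int n = sample_count(), i;
    for (i = 0; i < n; i++)
        printf("entry %d (%d lines):\n%s\n----\n", i,
               entry_line_count(sample_entry(i)), sample_entry(i));
    return 0;
}
```

On the sample the Java trace and its two "at" lines become one entry, but "ValueError: bad value" is emitted on its own because Python prints the exception line unindented; a decoder matching on the traceback header will not see it. Note also that, under the rule as the PR describes it, an entry is only known to be complete when the next unindented or empty line arrives, so the last entry in a file being tailed stays buffered until then.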
@sempervictus sempervictus force-pushed the feature/reader_multi-line_indented branch from 10a3a2f to ba5f4e8 on October 21, 2019 00:26
@sempervictus
Author

ping @atomicturtle @ddpbsd - could you guys please take a peek @ this? Also thinking for the actual config, we could use multi-line:0 to keep existing format... thoughts/comments/fixes/profanity all welcome.

Thanks for catching this @ddpbsd - the drop_it param, used by
Windows readers only at this time, was throwing an unused parameter
warning for keeping the same prototype as the other readers.
Address by running the pointless test anyway as it has a negligible
cost, without diverging from standard reader calling conventions.
@sempervictus
Author

sempervictus commented Nov 1, 2019

@ddpbsd: done.
Built locally with TARGET=agent, seeing a bunch o' other stuff, but not the warning you saw.

@ddpbsd
Member

ddpbsd commented Nov 2, 2019

Sorry for the delay. That warning is gone. Thanks for the pull request!

@ddpbsd ddpbsd merged commit f55bac0 into ossec:master Nov 2, 2019
@sempervictus
Author

Thanks Dan, let's see if it eats cats now.
Any thoughts on syntactically wiring as multi-line:0?

@ddpbsd
Member

ddpbsd commented Nov 2, 2019

I don't personally have a preference. I think the current implementation is more intuitive.
