Implement multi-line collection for indented logs#1780
Merged
ddpbsd merged 3 commits intoossec:masterfrom Nov 2, 2019
Merged
Conversation
sempervictus
force-pushed
the
feature/reader_multi-line_indented
branch
from
343ec2f to
10a3a2f
Compare
Multiple logging implementations utilize tabs or spaces to prefix lines following the top, unindented line starting the entry. The existing multi-line approach does not deal well with variable log lengths using these indented sub-entries as it extracts lines by count, not content. This commit implements a modified postgresql log reader as a generic multi-line parser sending the current buffer downstream when it starts a new log entry (line does not start with ' ' or '\t'), or encounters an empty line.
sempervictus
force-pushed
the
feature/reader_multi-line_indented
branch
from
10a3a2f to
ba5f4e8
Compare
Author
|
ping @atomicturtle @ddpbsd - could you guys please take a peek @ this? Also thinking for the actual config, we could use |
ddpbsd
reviewed
Oct 21, 2019
Thanks for catching this @ddpbsd - the drop_it param, used by Windows readers only at this time, was throwing an unused parameter warning for keeping the same prototype as the other readers. Address by running the pointless test anyway as it has a negligible cost, without diverging from standard reader calling conventions.
Author
|
@ddpbsd: done. |
Member
|
Sorry for the delay. That warning is gone. Thanks for pull request! |
Author
|
Thanks Dan, lets see if it eats cats now. |
Member
|
I don't personally have a preference. I think the current implementation is more intuitive. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Multiple logging implementations utilize tabs or spaces to prefix
lines following the top, inindented line starting the entry. The
existing multi-line approach does not deal well with variable log
lengths using these indented sub-entries as it extracts lines by
count, not content.
This commit implements a modified postgresql log reader as a
generic multi-line parser sending the current buffer downstream
when it starts a new log entry (line does not start with ' ' or
'\t'), or encounters an empty line.