On Tue, Feb 27, 2024 at 08:50:48AM +0000, Richard Lewis wrote:
> thanks - agree logcheck should cope with a default rsyslog output. ... i
> just don't know what that default output is: does the below mean the
> subseconds are now always present?
>
> or: what regexp should logcheck use as prefix?

According to RFC 3339 everything from no subseconds to 6 subsecond
digits can be present (which is seven chars including the decimal dot).
So far (in the wild) I've seen only the two variants with no subseconds
or with 6 subsecond digits. But anything between these is possible.

I've already suggested to modify the regex for the timestamp part from

^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32})

to

^(\w{3} [ :0-9]{11}|[0-9T:.+-]{25,32})

That would match the two extremes (with/without sub-seconds) but would
also cope with anything in between (which is legal according to the
RFCs). The first part would continue to match the "traditional" syslog
format. This is also in wide use today.

Thanks
Ralf
--
Dr. Ralf Schlatterbeck              Tel:   +43/2243/26465-16
Open Source Consulting              www:   www.runtux.com
Reichergasse 131, A-3411 Weidling   email: off...@runtux.com
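
The two prefix patterns from the message above, exercised against timestamps with 0 to 6 subsecond digits. This is an added example, not part of the original message or of logcheck; the sample log lines are constructed, and `STRICT_PREFIX` is a hypothetical stricter variant that is not proposed anywhere in the thread.

```python
import re

# The two prefix patterns quoted in the message above.
OLD_PREFIX = re.compile(r"^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32})")
NEW_PREFIX = re.compile(r"^(\w{3} [ :0-9]{11}|[0-9T:.+-]{25,32})")
# Hypothetical stricter variant (an assumption, not from the thread): spells out
# the RFC 3339 layout with 0 to 6 subsecond digits and a numeric UTC offset.
STRICT_PREFIX = re.compile(
    r"^(\w{3} [ :0-9]{11}"
    r"|[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}"
    r"(\.[0-9]{1,6})?[+-][0-9]{2}:[0-9]{2})"
)

# Constructed remainder of a syslog line (host, tag, message).
REST = " host1 sshd[1234]: Accepted publickey for alice"


def rfc3339_stamp(digits):
    """Constructed RFC 3339 timestamp with `digits` subsecond digits (0..6)."""
    frac = "." + "123456"[:digits] if digits else ""
    return f"2024-02-27T08:50:48{frac}+00:00"


def matched_prefix(pattern, line):
    """Return the timestamp prefix the pattern consumes, or None if no match."""
    m = pattern.match(line)
    return m.group(1) if m else None


def coverage(pattern):
    """Per subsecond length: does the pattern consume exactly the timestamp?"""
    return {
        n: matched_prefix(pattern, rfc3339_stamp(n) + REST) == rfc3339_stamp(n)
        for n in range(7)
    }


if __name__ == "__main__":
    for name, pat in [("old", OLD_PREFIX), ("new", NEW_PREFIX),
                      ("strict", STRICT_PREFIX)]:
        print(name, coverage(pat))
    # The "traditional" syslog format still goes through the first alternative.
    print("traditional:", matched_prefix(NEW_PREFIX, "Feb 27 08:50:48" + REST))
    # The character class alone also accepts non-timestamps of the right length.
    print("dots (new):   ", matched_prefix(NEW_PREFIX, "." * 25 + REST))
    print("dots (strict):", matched_prefix(STRICT_PREFIX, "." * 25 + REST))
```

The `{32}` form only accepts the 6-digit timestamp, while `{25,32}` accepts every length in between; the character-class approach matches on length and alphabet only, which the strict variant tightens.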