Class: Fluent::Plugin::Logplex

Inherits:
Parser
  • Object
Defined in:
lib/fluent/plugin/parser_logplex.rb

Constant Summary

HTTPS_REGEXP =

Parses syslog-formatted messages, framed using syslog TCP protocol octet counting framing method.

1. tools.ietf.org/html/rfc5424#section-6
2. tools.ietf.org/html/rfc6587#section-3.4.1

/^([0-9]+)\s+\<(?<pri>[0-9]+)\>[0-9]* (?<time>[^ ]*) (?<drain_id>[^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*) (?<pid>[a-zA-Z0-9\.]+)? *- *(?<message>.*)$/
FACILITY_MAP =
Fluent::Plugin::SyslogInput::FACILITY_MAP
PRIORITY_MAP =

Constant was renamed in 1.7.3.

if Gem::Version.new(Fluent::VERSION) >= Gem::Version.new('1.7.3')
  Fluent::Plugin::SyslogInput::SEVERITY_MAP
else
  Fluent::Plugin::SyslogInput::PRIORITY_MAP
end
FACILITY_SHIFT =

tools.ietf.org/html/rfc5424#section-6.2.1 describes FACILITY as multiplied by 8 (3 bits), so this is used to shift the values to calculate FACILITY from PRIVAL.

3
PRIORITY_MASK =

Priority is the remainder after removing FACILITY from PRI, so it is calculated by bitwise AND to remove the FACILITY value.

0b111

Instance Method Summary

Instance Method Details

#parse(text) {|nil, records| ... } ⇒ Object

Yields:

  • (nil, records)


# File 'lib/fluent/plugin/parser_logplex.rb', line 31

def parse(text)
  expression = HTTPS_REGEXP

  records =
    text.split("\n").map do |line|
      m = line.match(expression)

      m.names.each_with_object({}) do |name, record|
        record[name] = m[name]

        # Process 'pri' field
        next unless name == 'pri'
        pri = m[name].to_i
        record['pri'] = pri
        # Split PRIVAL into Facility and Severity
        record['facility'] = FACILITY_MAP[pri >> FACILITY_SHIFT]
        record['priority'] = PRIORITY_MAP[pri & PRIORITY_MASK]
      end
    end

  records.each { |record| record.delete('pri') }
  yield nil, records
end
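
As listed, `parse` calls `m.names` on the result of `line.match`, which is `nil` for any line that does not fit HTTPS_REGEXP, and the `pri` group accepts any digit string even though RFC 5424 limits PRIVAL to 0..191. The following is an added example, not the plugin's code, of a guarded variant that sets such lines aside instead of raising; `parse_lines`, `REGEXP`, `FACILITIES`, `SEVERITIES`, `MAX_PRIVAL` and the sample input are assumptions made here, with the two tables standing in for the Fluent::Plugin::SyslogInput maps.

```ruby
# Added example, not the plugin's source; every name defined here is hypothetical.
# Regexp copied from HTTPS_REGEXP on this page.
REGEXP = /^([0-9]+)\s+\<(?<pri>[0-9]+)\>[0-9]* (?<time>[^ ]*) (?<drain_id>[^ ]*) (?<ident>[a-zA-Z0-9_\/\.\-]*) (?<pid>[a-zA-Z0-9\.]+)? *- *(?<message>.*)$/

# Stand-ins for the Fluent::Plugin::SyslogInput maps, built from RFC 5424 section 6.2.1
# so the example runs without fluentd installed (assumption: fluentd's names may differ).
FACILITIES = %w[kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit
                alert clock local0 local1 local2 local3 local4 local5 local6 local7].freeze
SEVERITIES = %w[emerg alert crit err warning notice info debug].freeze
FACILITY_SHIFT = 3
PRIORITY_MASK = 0b111
MAX_PRIVAL = 191 # 23 * 8 + 7, the largest PRIVAL RFC 5424 allows

# Returns [records, rejected]; malformed input is collected, never raised on.
def parse_lines(text)
  records = []
  rejected = []
  text.split("\n").each do |line|
    m = line.match(REGEXP)
    pri = m && m[:pri].to_i
    # No match at all, or a PRI that maps to no facility: keep the raw line for review.
    if m.nil? || pri > MAX_PRIVAL
      rejected << line
      next
    end
    record = m.named_captures
    record.delete('pri')
    # Split PRIVAL into facility (upper bits) and severity (lower 3 bits).
    record['facility'] = FACILITIES[pri >> FACILITY_SHIFT]
    record['priority'] = SEVERITIES[pri & PRIORITY_MASK]
    records << record
  end
  [records, rejected]
end

# Constructed sample: one well-formed frame, one non-syslog line, one out-of-range PRI.
SAMPLE = [
  '83 <134>1 2012-11-30T06:45:29+00:00 host app web.3 - State changed from starting to up',
  'GET /health HTTP/1.1',
  '60 <999>1 2012-11-30T06:45:29+00:00 host app web.3 - bogus priority'
].join("\n")

if __FILE__ == $PROGRAM_NAME
  records, rejected = parse_lines(SAMPLE)
  puts records.inspect, rejected.inspect
end
```

Counting or logging the `rejected` lines gives an operator a signal when a drain starts receiving input that is not Logplex-framed syslog.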