syslog-0.1.0.0: Decode RFC 3164 and RFC 5424 syslog message formats
Safe Haskell: Safe-Inferred
Language: Haskell2010

Syslog.Bsd

Description

Parse RFC 3164 messages. For example:

<133>Feb 25 14:09:07 webserver syslogd: restart
<0>Oct 22 10:52:01 scapegoat.dmz.example.org sched[0]: That's All Folks!

This library assumes that the TAG field described by section 5.3 of RFC 3164 is a process name. It also assumes that the optional bracketed number that follows it is a process id. This library also addresses three common extensions to RFC 3164:

  • Some vendors include a year after the timestamp. For example: <14>Oct 15 11:14:59 2019 example.com .... When present, the year is parsed and provided to the user.
  • Some vendors include a priority that precedes the process name. For example: <133>Aug 10 09:05:14 my-host notice tmsh[4726]: .... The Linux man page for syslog.conf lists these options for priority: debug, info, notice, warning, warn, err, error, crit, alert, emerg, panic. If a process name begins with any of these keywords (followed by a space), the keyword and the trailing space are removed from the process name, and the keyword is made available in the priority field.
  • Cisco ASAs omit the hostname sometimes. This is totally bizarre and leads to messages that look like: <190>Jun 08 2022 14:46:28: message. In this case, the hostname is set to the empty string.
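
An added illustration in Python (not this library's Haskell code) of how the three extensions above can be recognized when normalizing logs. The name `parse_bsd`, the returned field names and the completed sample lines are assumptions made for the example, as is treating the ASA form as having no process field.

```python
import re

# Priority keywords the page lists from the Linux syslog.conf man page.
KEYWORDS = {"debug", "info", "notice", "warning", "warn", "err", "error",
            "crit", "alert", "emerg", "panic"}
# <PRI>Mmm dd [yyyy] hh:mm:ss [yyyy]; both year positions are extensions.
STAMP = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<month>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) "
    r"(?:(?P<y1>\d{4}) )?(?P<time>\d{2}:\d{2}:\d{2})(?: (?P<y2>\d{4})(?= ))?")
# TAG read as "process[pid]:"; the bracketed pid is optional.
PROC = re.compile(r"(?P<name>[^\[\]:]+?)(?:\[(?P<pid>\d+)\])?:")
# Constructed samples: the page's truncated examples with made-up endings.
SAMPLES = (
    "<14>Oct 15 11:14:59 2019 example.com app[12]: started",
    "<133>Aug 10 09:05:14 my-host notice tmsh[4726]: audit entry",
    "<190>Jun 08 2022 14:46:28: message",
)


def parse_bsd(line):
    """Return a dict of header fields, or None if the line does not parse."""
    m = STAMP.match(line)
    if m is None:
        return None
    pri, year = int(m["pri"]), m["y1"] or m["y2"]
    out = {"facility": pri >> 3, "severity": pri & 7, "month": m["month"],
           "day": int(m["day"]), "time": m["time"],
           "year": int(year) if year else None,
           "hostname": "", "priority": None, "process": None, "pid": None}
    rest = line[m.end():]
    if rest.startswith(":"):
        # Cisco ASA form: hostname stays the empty string. Assumption of
        # this example: such lines carry no process field.
        out["message"] = rest[1:].lstrip(" ")
        return out
    host, sep, rest = rest.lstrip(" ").partition(" ")
    p = PROC.match(rest)
    if not sep or p is None:
        return None
    name = p["name"]
    word, space, tail = name.partition(" ")
    if space and word in KEYWORDS:  # keyword plus trailing space is removed
        out["priority"], name = word, tail
    out.update(hostname=host, process=name, message=rest[p.end():].lstrip(" "),
               pid=int(p["pid"]) if p["pid"] else None)
    return out
```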

Types

data Message

Constructors

Message 

Instances

Show Message

Defined in Syslog.Bsd

data Process

Constructors

Process 

Fields

Instances

Show Process

Defined in Syslog.Bsd

data Timestamp

Constructors

Timestamp 

Fields

  • month :: !Month
  • day :: !DayOfMonth
  • hour :: !Word8
  • minute :: !Word8
  • second :: !Word8
  • year :: !Maybe

    Section 5.1 of RFC 3164 notes that some software appends a four-character year after the time of day. Since hostnames cannot start with digits, we can parse this unambiguously. We extend RFC 3164 to handle these nonstandard years.

Instances

Show Timestamp

Defined in Syslog.Bsd

Full Decode

decode :: Bytes -> Maybe Message

Run the RFC 3164 parser. See parser.

parser :: Parser () s Message

Parse an RFC 3164 message. Note that this is just takePriority, takeTimestamp, takeHostname, and takeProcess called in sequence, followed by skipping whitespace and then treating the remaining input as the original message.

Parsing Fragments

takePriority :: e -> Parser e s Word32

Consume the angle-bracketed priority. RFC 3164 does not allow a space to follow the priority, so this does not consume a trailing space.

takeTimestamp :: e -> Parser e s Timestamp

Consume the timestamp and the trailing space character if a trailing space exists. Returns the parsed timestamp. This allows two extensions to the RFC 3164 datetime format. The year may be present either right after the day of the month or after the time of day.

takeHostname :: e -> Parser e s Bytes

Consume the hostname and the space that follows it. Returns the hostname.

takeProcess :: e -> Parser e s Process

Take the process name and the process id and consume the colon that follows them. Does not consume any space after the colon.