From 5bfa615b3371931c8ee33b90e0e1edb50d2ca3a6 Mon Sep 17 00:00:00 2001
From: Andre Lorbach
Date: Wed, 27 Aug 2008 13:17:38 +0200
Subject: [PATCH] Fixed regex rules in syslog message parser

Non RFC 3164 syslog messages are correctly processed now.
---
 src/classes/logstreamlineparsersyslog.class.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/classes/logstreamlineparsersyslog.class.php b/src/classes/logstreamlineparsersyslog.class.php
index 60b85f1..275e069 100644
--- a/src/classes/logstreamlineparsersyslog.class.php
+++ b/src/classes/logstreamlineparsersyslog.class.php
@@ -64,7 +64,7 @@ class LogStreamLineParsersyslog extends LogStreamLineParser {
 $arrArguments[SYSLOG_MESSAGETYPE] = IUT_Syslog;
 // Sample (Syslog): Mar 10 14:45:44 debandre anacron[3226]: Job `cron.daily' terminated (mailing output)
- if ( preg_match("/(...)(?:.|..)([0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}) (.*?) (.*?)\[(.*?)\]:(.*?)$/", $szLine, $out ) )
+ if ( preg_match("/(...)(?:.|..)([0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}) ([a-zA-Z0-9_\-\.]{1,256}) ([A-Za-z0-9_\-\/\.]{1,32})\[(.*?)\]:(.*?)$/", $szLine, $out ) )
 {
 // Copy parsed properties!
 $arrArguments[SYSLOG_DATE] = GetEventTime($out[1] . " " . $out[2]);
@@ -73,8 +73,8 @@ class LogStreamLineParsersyslog extends LogStreamLineParser {
 $arrArguments[SYSLOG_PROCESSID] = $out[5];
 $arrArguments[SYSLOG_MESSAGE] = $out[6];
 }
- // Sample (Syslog): Mar 10 14:45:39 debandre syslogd 1.4.1#18: restart.
- else if ( preg_match("/(...)(?:.|..)([0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}) (.*?) (.*?):(.*?)$/", $szLine, $out ) )
+ // Sample (Syslog): Mar 10 14:45:39 debandre syslogd 1.4.1#18: restart. ([A-Za-z0-9_\/]{1,32})
+ else if ( preg_match("/(...)(?:.|..)([0-9]{1,2} [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}) ([a-zA-Z0-9_\-\.]{1,256}) ([A-Za-z0-9_\-\/\.]{1,32}):(.*?)$/", $szLine, $out ) )
 {
 // Copy parsed properties!
 $arrArguments[SYSLOG_DATE] = GetEventTime($out[1] . " " . $out[2]);
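Review bot: The new pattern in the first `if` still has no `^` anchor and opens with `(...)`, which accepts any three characters as the month. Now that the host and tag classes are strict, a line whose real header fails them can still match at a later offset, and `SYSLOG_HOST`, the tag and `SYSLOG_PROCESSID` would then be filled from message text that the sender controls. I would anchor and tighten the start to `"/^([A-Za-z]{3})(?:.|..)(...` and restrict the PID group to `\[([0-9]+)\]` instead of `\[(.*?)\]`. The same applies to the `else if` pattern in the second hunk. The enclosing function starts and ends outside these hunks, so the fallback for unmatched lines is not visible here.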
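Review bot: The sample in the comment above the `else if` (`debandre syslogd 1.4.1#18: restart.`) no longer appears to match the new pattern. The tag class `[A-Za-z0-9_\-\/\.]{1,32}` must be followed directly by `:`, but `syslogd` is followed by a space and the version string contains `#`. Such lines will now fall through to whatever branch follows outside this hunk, which is worth confirming is intended. The added comment line also ends in a stray regex fragment, `([A-Za-z0-9_\/]{1,32})`, which should be removed. If the exclusion is deliberate, a comment such as `// Tags containing spaces (e.g. "syslogd 1.4.1#18") are not matched by this pattern.` would document it.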