From ea2119ea56994f24ec3e761abaafd4f3ef5d3914 Mon Sep 17 00:00:00 2001
From: Andre Lorbach
Date: Mon, 28 Apr 2008 16:23:57 +0200
Subject: [PATCH 1/2] Fixed bug in logstreamlineparsersyslog.class which failed to parse some rsyslog loglines. In rsyslog v3 we have the timezone within the timestamp. The regex rules with the logstreamlineparsersyslog were not working on negativ timezones.
---
 src/classes/logstreamlineparsersyslog.class.php | 6 +++---
 src/samplelogs/syslog | 6 ++++++
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/classes/logstreamlineparsersyslog.class.php b/src/classes/logstreamlineparsersyslog.class.php
index 9c7d1b7..718a35b 100644
--- a/src/classes/logstreamlineparsersyslog.class.php
+++ b/src/classes/logstreamlineparsersyslog.class.php
@@ -91,7 +91,7 @@ class LogStreamLineParsersyslog extends LogStreamLineParser {
 $arrArguments[SYSLOG_MESSAGE] = $out[3];
 }
 // Sample (RSyslog): 2008-03-28T11:07:40+01:00 localhost rger: test 1
- else if ( preg_match("/([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\+[0-9]{1,2}:[0-9]{1,2}) (.*?) (.*?):(.*?)$/", $szLine, $out ) )
+ else if ( preg_match("/([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}.[0-9]{1,2}:[0-9]{1,2}) (.*?) (.*?):(.*?)$/", $szLine, $out ) )
 {
 // Copy parsed properties!
 $arrArguments[SYSLOG_DATE] = GetEventTime($out[1]);
@@ -100,7 +100,7 @@ class LogStreamLineParsersyslog extends LogStreamLineParser {
 $arrArguments[SYSLOG_MESSAGE] = $out[4];
 }
 // Sample (RSyslog): 2008-03-28T11:07:40.591633+01:00 localhost rger: test 1
- else if ( preg_match("/([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\.[0-9]{1,6}\+[0-9]{1,2}:[0-9]{1,2}) (.*?) (.*?):(.*?)$/", $szLine, $out ) )
+ else if ( preg_match("/([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\.[0-9]{1,6}.[0-9]{1,2}:[0-9]{1,2}) (.*?) (.*?):(.*?)$/", $szLine, $out ) )
 {
 // Copy parsed properties!
 $arrArguments[SYSLOG_DATE] = GetEventTime($out[1]);
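Review bot: The replacement for `\+` in the three timestamp patterns (this hunk and the ones at -100 and -109) is an unescaped `.`, which matches any character rather than only a timezone sign; using the class `[+-]` in that position keeps the fix as narrow as the commit message describes. As written, a constructed value such as `2008-03-28T11:07:40x01:00` satisfies the first pattern and is handed to `GetEventTime($out[1])`, whose handling of malformed input is not visible here. Log lines can carry text chosen by whoever is able to write to syslog, so the parser is safer when it accepts only the timestamp shape it documents in the `// Sample` comments. The patterns also have no leading `^`, so a timestamp that appears later in a line can satisfy them when the earlier branches did not match; anchoring them would be worth considering. The enclosing method starts and ends outside these hunks.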
@@ -109,7 +109,7 @@ class LogStreamLineParsersyslog extends LogStreamLineParser {
 $arrArguments[SYSLOG_MESSAGE] = $out[4];
 }
 // Sample: 2008-03-28T15:17:05.480876+01:00,**NO MATCH**
- else if ( preg_match("/([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\.[0-9]{1,6}\+[0-9]{1,2}:[0-9]{1,2}),(.*?)$/", $szLine, $out ) )
+ else if ( preg_match("/([0-9]{4,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\.[0-9]{1,6}.[0-9]{1,2}:[0-9]{1,2}),(.*?)$/", $szLine, $out ) )
 {
 // Some kind of debug message or something ...
 $arrArguments[SYSLOG_DATE] = GetEventTime($out[1]);
diff --git a/src/samplelogs/syslog b/src/samplelogs/syslog
index 6fca8a9..177435a 100644
--- a/src/samplelogs/syslog
+++ b/src/samplelogs/syslog
@@ -1,3 +1,9 @@
+2008-04-27T04:02:27-04:00 cmpsvr kernel: imklog 3.14.2, log source = /proc/kmsg started.
+2008-04-27T04:02:27-04:00 cmpsvr kernel: Inspecting /boot/System.map-2.6.9-55.0.2.EL
+2008-04-27T04:02:28-04:00 cmpsvr kernel: Loaded 24080 symbols from /boot/System.map-2.6.9-55.0.2.EL.
+2008-04-27T04:02:28-04:00 cmpsvr kernel: Symbols match kernel version 2.6.9.
+2008-04-27T04:02:42-04:00 cmpsvr kernel: Loaded 9698 symbols from 28 modules.
+2008-04-27T04:02:42.992883-04:00 cmpsvr rsyslogd: [origin software="rsyslogd" swVersion="3.14.2" x-pid="1554" x-info="http://www.rsyslog.com"] restart
 Mar 10 14:45:39 debandre syslogd 1.4.1#18: restart.
 Mar 10 14:45:44 debandre anacron[3226]: Job `cron.daily' terminated (mailing output)
 Mar 10 14:45:45 debandre anacron[3226]: Normal exit (1 job run)
From 15f4b48faf616fe94c9dfd4e7c141d7062a32a0c Mon Sep 17 00:00:00 2001
From: Andre Lorbach
Date: Mon, 28 Apr 2008 16:25:54 +0200
Subject: [PATCH 2/2] restored syslog samplelog which is going to be removed anyway.
---
 src/samplelogs/syslog | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/src/samplelogs/syslog b/src/samplelogs/syslog
index 177435a..6fca8a9 100644
--- a/src/samplelogs/syslog
+++ b/src/samplelogs/syslog
@@ -1,9 +1,3 @@
-2008-04-27T04:02:27-04:00 cmpsvr kernel: imklog 3.14.2, log source = /proc/kmsg started.
-2008-04-27T04:02:27-04:00 cmpsvr kernel: Inspecting /boot/System.map-2.6.9-55.0.2.EL
-2008-04-27T04:02:28-04:00 cmpsvr kernel: Loaded 24080 symbols from /boot/System.map-2.6.9-55.0.2.EL.
-2008-04-27T04:02:28-04:00 cmpsvr kernel: Symbols match kernel version 2.6.9.
-2008-04-27T04:02:42-04:00 cmpsvr kernel: Loaded 9698 symbols from 28 modules.
-2008-04-27T04:02:42.992883-04:00 cmpsvr rsyslogd: [origin software="rsyslogd" swVersion="3.14.2" x-pid="1554" x-info="http://www.rsyslog.com"] restart
 Mar 10 14:45:39 debandre syslogd 1.4.1#18: restart.
 Mar 10 14:45:44 debandre anacron[3226]: Job `cron.daily' terminated (mailing output)
 Mar 10 14:45:45 debandre anacron[3226]: Normal exit (1 job run)