A system may include one or more computers (including a syslog server) connected to a plurality of devices (e.g., printers, scanners, modems, etc.). As the devices communicate among themselves, the syslog server continuously receives incoming syslog messages. As discussed herein, syslog messages (such as those defined in “Request for Comments (RFC) 3164: The BSD Syslog Protocol”) are small textual messages sent by a plurality of devices. The small textual messages may relay a variety of information (e.g., log data) to a central repository such as a syslog server.
There may be multiple ways of handling incoming syslog messages. The syslog server may, for example, handle incoming syslog messages using a buffer. A buffer allows for temporary storage of syslog messages while the syslog messages are waiting to be processed. However, a buffer is generally limited in size and may not be able to handle bursts of syslog messages. For example, during a period when a high volume of syslog messages is received, the buffer may reach its capacity and be unable to accept additional incoming syslog messages. The overflowing syslog messages may be dropped and, consequently, never get processed by the syslog server.
One type of syslog message that may require immediate handling is a critical syslog message. As discussed herein, a critical syslog message is a syslog message that may require the system to perform error handling. In the prior art, there is no differentiation between critical syslog messages and non-critical syslog messages. Thus, critical syslog messages are generally processed similarly to non-critical syslog messages. Since critical syslog messages are handled in the same manner as non-critical syslog messages, an incoming critical syslog message may be queued behind non-critical syslog messages. Accordingly, the handling of the critical syslog message may be delayed. In the case of buffer overflow, the critical syslog message may even be dropped.
The syslog server may also handle incoming syslog messages by creating a thread to handle each syslog message. A disadvantage of this method is that a large number of threads may be running at the same time if there is a burst of syslog messages. Consequently, a large number of threads being active at the same time may result in an excessive resource drain on the system.
Prior to being accepted and processed by a syslog server, each incoming syslog message is checked for validity. Syslog messages are checked for validity because, for example, a malformed syslog message can be detrimental to the system, such as compromising system security. Parsing is a method currently employed to validate syslog messages.
The incoming syslog messages are checked using a parsing algorithm (such as a sequential parsing algorithm). As discussed herein, parsing refers to the process of splitting up a continuous stream of characters into fields. The code used to implement parsing may be long and complex, depending on the programming language used to write it. Since each computer system may use a different programming language, different versions of the code in different languages may have to be written to perform parsing. Note that if any part of the syslog message is considered invalid, the syslog server may stop the sequential parsing process and discard the syslog message that is currently being verified.
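As an added illustration of the two points above (not code from the original document): a sequential RFC 3164 validator that discards a message at the first invalid field, feeding a bounded buffer that dequeues critical messages first and, when full, evicts the least urgent buffered message rather than a critical arrival. The severity threshold for "critical" and the sample messages are constructed assumptions.

```python
import heapq
import re
from itertools import count

# RFC 3164 layout: "<PRI>Mmm dd hh:mm:ss HOSTNAME MSG", where PRI = facility*8 + severity.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[!-~]+) (?P<msg>.*)$"
)
CRITICAL_MAX_SEVERITY = 2  # assumption: emergency(0), alert(1), critical(2) need error handling


def parse_rfc3164(line):
    """Return a record dict, or None as soon as any field is invalid
    (sequential parsing: an invalid field means the message is discarded)."""
    m = _RFC3164.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facilities 0..23, severities 0..7
        return None
    return {"severity": pri % 8, "facility": pri // 8,
            "host": m.group("host"), "msg": m.group("msg")}


def is_critical(record):
    return record["severity"] <= CRITICAL_MAX_SEVERITY


class PriorityBuffer:
    """Bounded buffer: pop() yields the most urgent message; on overflow the
    least urgent buffered message is evicted unless the arrival is no more urgent."""

    def __init__(self, capacity):
        self.capacity, self.dropped = capacity, 0
        self._heap, self._seq = [], count()  # entries: (severity, arrival seq, record)

    def push(self, line):
        rec = parse_rfc3164(line)
        if rec is None:                  # malformed: never accepted
            self.dropped += 1
            return False
        if len(self._heap) >= self.capacity:
            worst = max(self._heap)      # highest severity number = least urgent
            if rec["severity"] >= worst[0]:
                self.dropped += 1        # arrival is not more urgent: drop it
                return False
            self._heap.remove(worst)     # make room by evicting the least urgent
            heapq.heapify(self._heap)
            self.dropped += 1
        heapq.heappush(self._heap, (rec["severity"], next(self._seq), rec))
        return True

    def pop(self):
        return heapq.heappop(self._heap)[2] if self._heap else None
```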
As discussed, different methods exist for handling incoming syslog messages. Some methods may result in syslog messages being dropped. Other methods may cause a drain on system resources. Regardless of the method, in the prior art the handling of critical syslog messages may be delayed, or the critical syslog messages may be dropped, because the critical syslog messages are not queued and/or handled differently from other, non-critical messages.
Timely handling of syslog messages is further hindered by the parsing algorithm that is commonly employed to analyze the validity of each syslog message. The parsing algorithm is inefficient because parsing generally requires the syslog server to analyze each field in sequence. Additionally, the code for the parsing algorithm can become long and complicated. Hence, changes in the RFC 3164 standard or in the programming language can result in extensive code changes. Further, the parsing algorithm may be written in a programming language that is specific to a platform and may not be easily portable to another platform without incurring significant cost to rewrite the code.