Merge pull request #83 from axoflow/misc-flag-fixes
Misc flag fixes
fekete-robert authored Nov 20, 2024
2 parents 9595d45 + b900fd7 commit 6f5f5e5
Showing 4 changed files with 27 additions and 13 deletions.
6 changes: 3 additions & 3 deletions content/chapter-encrypted-transport-tls/tlsoptions/_index.md
Expand Up @@ -372,9 +372,9 @@ To find the fingerprint of a certificate, you can use the following command: `op

When using the `trusted-keys()` and `trusted-dn()` parameters, note the following:

- First, the `trusted-keys()` parameter is checked. If the fingerprint of the peer is listed, the certificate validation is performed.

- If the fingerprint of the peer is not listed in the `trusted-keys()` parameter, the `trusted-dn()` parameter is checked. If the DN of the peer is not listed in the `trusted-dn()` parameter, the authentication of the peer fails and the connection is closed.
- First, the `trusted-keys()` parameter is checked. If the fingerprint of the peer is listed, the certificate validation is performed.
- If the fingerprint of the peer is not listed in the `trusted-keys()` parameter, the `trusted-dn()` parameter is checked. If the DN of the peer is not listed in the `trusted-dn()` parameter, the authentication of the peer fails and the connection is closed.

{{% /alert %}}

Starting with version 4.8.1, if `trusted-keys()` is set, {{% param "product.abbrev" %}} automatically adds the key fingerprint of the peer to the `${.tls.x509_fp}` name-value pair.
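Review bot: the hunk itself only removes the blank lines between the two bullets, which is fine, but the unchanged text around it mixes "fingerprint of a certificate" (the `openssl` sentence in the hunk header context) with "key fingerprint of the peer" (the 4.8.1 sentence after the alert); since `trusted-keys()` and `${.tls.x509_fp}` refer to the same value, pick one term. The first bullet, "If the fingerprint of the peer is listed, the certificate validation is performed", also leaves open whether `trusted-dn()` is still evaluated after a `trusted-keys()` match; a reader deciding how to restrict peers needs that stated explicitly.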
Expand Up @@ -232,6 +232,17 @@ The `${MSG}` macro is an alias of the `${MESSAGE}` macro, using `${MSG}` in {{%

{{% include-headless "chunk/macro-msghdr.md" %}}

## MSGFORMAT {#macro-msgformat}

Available in {{% param "product.abbrev" %}} version 4.8.1 and later.

*Description:* Stores the original format of the incoming message. Possible values:

- `linux:devkmsg`: Linux kernel message.
- `linux:pacct`: [Linux process accounting log]({{< relref "/chapter-sources/source-pacct/_index.md" >}}) format.
- `raw`: {{% param "product.abbrev" %}} didn't parse the message, for example, because the `no-parse` flag was set.
- `syslog:rfc3164`: Syslog message formatted as RFC3164.
- `syslog:rfc5424`: Syslog message formatted as RFC5424.

## MSGID {#macro-msgid}

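Review bot: the list of possible `${MSGFORMAT}` values is missing `syslog:error`, which the `no-piggyback-errors` flag added to the syslog-parser page in this same commit says is set on parse errors; add a bullet such as `- \`syslog:error\`: The message could not be parsed as syslog and the \`no-piggyback-errors\` flag is set.` so the two pages agree. The `raw` bullet could also link `no-parse` to its description in the source flags chunk, the way `linux:pacct` already links to its source.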
Expand Down Expand Up @@ -439,13 +450,10 @@ Available in {{% param "product.abbrev" %}} version 4.5 and later.

*Description:* When using a transport that uses TLS, these macros contain information about the peer's certificate. That way, you can use information from the client certificate in filenames, database values, or as other metadata. If you clients have their own certificates, then these values are unique per client, but unchangeable by the client. The following macros are available in {{% param "product.abbrev" %}} version 3.9 and later.

- `.tls.x509_cn`: The Common Name of the certificate.

- `.tls.x509_o`: The value of the Organization field.

- `.tls.x509_ou`: The value of the Organization Unit field.


- `.tls.x509_cn`: The Common Name of the certificate.
- `.tls.x509_o`: The value of the Organization field.
- `.tls.x509_ou`: The value of the Organization Unit field.
- `.tls.x509_fp`: The key fingerprint of the peer, if the [`trusted-keys()` option]({{< relref "/chapter-encrypted-transport-tls/tlsoptions/_index.md#tls-options-trusted-keys" >}}) is used. Available in version 4.8.1 and later.

## UNIQID {#macro-uniqid}

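Review bot: the unchanged intro sentence "The following macros are available in ... version 3.9 and later" is now contradicted by the new `.tls.x509_fp` bullet (4.8.1 and later); either drop that sentence or reword it to cover only the first three macros. While touching this paragraph, "If you clients have their own certificates" should read "If your clients". Please also confirm that the `#tls-options-trusted-keys` anchor exists on the TLS options page, since the relref target is only visible by file path here.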
Expand Up @@ -14,7 +14,12 @@ The `syslog-parser()` has the following options:

{{< include-headless "chunk/option-source-flags.md" >}}

For the `syslog-parser()` you can also set the `check-hostname` flag, which is equivalent with the [`check-hostname()` global option]({{< relref "/chapter-global-options/reference-options/_index.md#global-option-check-hostname" >}}), but only applies to this parser.
For the `syslog-parser()` you can also set the following flags:

- `check-hostname`: Equivalent with the [`check-hostname()` global option]({{< relref "/chapter-global-options/reference-options/_index.md#global-option-check-hostname" >}}), but only applies to this parser.
- `no-piggyback-errors`: Do not attribute the message to {{< product >}} in case of errors. Things already processed or extracted are retained, for example: `${MESSAGE}` retains its value (potentially the raw message), other macros like `${HOST}`, `${PROGRAM}`, or `${PID}` may or may not be extracted. The error is indicated by setting `${MSGFORMAT}` set to "syslog:error".

Available in {{< product >}} 4.8.1 and later.

## sdata-prefix()

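Review bot: the `no-piggyback-errors` bullet has a grammar slip, "by setting `${MSGFORMAT}` set to "syslog:error"", which should read "by setting `${MSGFORMAT}` to `syslog:error`" (backticks, matching how the other macro values are written), and the trailing paragraph "Available in ... 4.8.1 and later." is detached, so it reads as applying to both flags even though the removed line shows `check-hostname` already existed; fold it into the `no-piggyback-errors` bullet. "may or may not be extracted" is vague for a reference page: say that `${HOST}`, `${PROGRAM}` and `${PID}` are populated only as far as parsing got before the error, so filters should not rely on them for such messages. "Equivalent with" should be "Equivalent to".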
5 changes: 3 additions & 2 deletions content/headless/chunk/option-source-flags.md
Expand Up @@ -6,13 +6,13 @@

| | |
| -------- | ----- |
| Type: | assume-utf8, empty-lines, expect-hostname, kernel, no-hostname, no-multi-line, no-parse, sanitize-utf8, store-legacy-msghdr, store-raw-message, syslog-protocol, validate-utf8 |
| Type: | assume-utf8, dont-store-legacy-msghdr, empty-lines, expect-hostname, kernel, no-hostname, no-multi-line, no-parse, sanitize-utf8, store-legacy-msghdr, store-raw-message, syslog-protocol, validate-utf8 |
| Default: | empty set |

*Description:* Specifies the log parsing options of the source.

- *assume-utf8*: The `assume-utf8` flag assumes that the incoming messages are UTF-8 encoded, but does not verify the encoding. If you explicitly want to validate the UTF-8 encoding of the incoming message, use the `validate-utf8` flag.
- *dont-store-legacy-msghdr*: By default, AxoSyslog stores the original incoming header of the log message. This is useful if the original format of a non-syslog-compliant message must be retained (AxoSyslog automatically corrects minor header errors, for example, adds a whitespace before `msg` in the following message: `Jan 22 10:06:11 host program:msg`). If you do not want to store the original header of the message, enable the `dont-store-legacy-msghdr` flag.
- *dont-store-legacy-msghdr*: By default, {{< product >}} stores the original incoming header of the log message. This is useful if the original format of a non-syslog-compliant message must be retained ({{< product >}} automatically corrects minor header errors, for example, adds a whitespace before `msg` in the following message: `Jan 22 10:06:11 host program:msg`). If you do not want to store the original header of the message, enable the `dont-store-legacy-msghdr` flag.
- *empty-lines*: Use the `empty-lines` flag to keep the empty lines of the messages. By default, {{% param "product.abbrev" %}} removes empty lines automatically.
- *exit-on-eof*: If this flag is set on a source, {{< product >}} stops when an EOF (end of file) is received. Available in version 4.9 and later.
- *expect-hostname*: If the `expect-hostname` flag is enabled, {{% param "product.abbrev" %}} will assume that the log message contains a hostname and parse the message accordingly. This is the default behavior for TCP sources. Note that pipe sources use the `no-hostname` flag by default.
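Review bot: the Type row now adds `dont-store-legacy-msghdr` but still omits flags that the list below documents, namely `exit-on-eof` (the 4.9 bullet in this hunk) and `no-header` (in the next hunk's context), so either add them to the row or state that the row is not exhaustive. Separately, the `dont-store-legacy-msghdr` bullet switches to `{{< product >}}` while the neighbouring `empty-lines` and `expect-hostname` bullets use `{{% param "product.abbrev" %}}`; if the distinction (full name vs. abbreviation) is intentional, fine, otherwise align them. "adds a whitespace" should be "adds a space".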
Expand Down Expand Up @@ -58,6 +58,7 @@ Essentially, the `no-header` flag signals {{% param "product.abbrev" %}} that th
Prior to version 4.6, this flag worked only when parsing RFC3164 messages. Starting with version 4.6, it works also for RFC5424 and raw messages.
- *store-legacy-msghdr*: By default, {{< product >}} stores the original incoming header of the log message, so this flag is active. To disable it, use the `dont-store-legacy-msghdr` flag.
- *store-raw-message*: Save the original message as received from the client in the `${RAWMSG}` macro. You can forward this raw message in its original form to another AxoSyslog node using the [`syslog-ng()` destination]({{< relref "/chapter-destinations/destination-syslog-ng/_index.md" >}}), or to a SIEM system, ensuring that the SIEM can process it. Available only in 3.16 and later.
- *syslog-protocol*: The `syslog-protocol` flag specifies that incoming messages are expected to be formatted according to the new IETF syslog protocol standard (RFC5424), but without the frame header. Note that this flag is not needed for the `syslog` driver, which handles only messages that have a frame header.
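Review bot: the new `store-legacy-msghdr` bullet says "this flag is active" by default, which conflicts with the Default row above ("empty set"); say instead that the behaviour is on by default, so setting the flag is a no-op unless `dont-store-legacy-msghdr` was also given, or adjust the Default row. The `store-raw-message` context line also still says "another AxoSyslog node" while this commit replaced the literal product name with `{{< product >}}` in the `dont-store-legacy-msghdr` bullet; replace it here too for consistency.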