libbeat/reader/syslog: relax timestamp parsing to allow leading zero (#31254)

This change relaxes the RFC3164 timestamp grammar to allow dates with a leading
zero to be parsed as valid syslog timestamps, bringing the parser's behaviour into
line with the parser in filebeat/input/syslog.
efd6 authored Apr 15, 2022
1 parent c212c56 commit e1a7f6d
Showing 5 changed files with 30 additions and 11 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -108,6 +108,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...main[Check the HEAD dif
- Add cronjob metadata by default {pull}30637[30637]
- New option `setup.template.json.data_stream` is added to indicate if the JSON index template is a data stream. {pull}31048[31048]
- Add support for port mapping in docker hints. {pull}31243[31243]
- Relax timestamp syntax for RFC3164 syslog to allow leading zero on day. {issue}16824[16824] {pull}31254[31254]

*Auditbeat*

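Review bot: the entry cites both {issue}16824 and {pull}31254, which matches the commit message, but the wording "leading zero on day" could state the concrete form the way the docs hunk does, e.g. "- Relax timestamp syntax for RFC3164 syslog to allow a leading zero on the day of month (`Sep 01` as well as `Sep  1`). {issue}16824[16824] {pull}31254[31254]", so that the changelog reader knows which inputs change from rejected to accepted without opening the PR.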
5 changes: 5 additions & 0 deletions libbeat/reader/syslog/docs/syslog.asciidoc
Expand Up @@ -40,13 +40,18 @@ filebeat.inputs:
The RFC 3164 format accepts the following forms of timestamps:

* Local timestamp (`Mmm dd hh:mm:ss`):
** `Jan 3 14:09:01`
** `Jan 03 14:09:01`
** `Jan 23 14:09:01`
* RFC-3339*:
** `2003-10-11T22:14:15Z`
** `2003-10-11T22:14:15.123456Z`
** `2003-10-11T22:14:15-06:00`
** `2003-10-11T22:14:15.123456-06:00`

As an extension to RFC 3164, dates with a day that has a leading zero are allowed. For
example, `Feb 08 08:59:59` is accepted as well as the RFC-compliant `Feb 8 08:59:59`.

*Note*: The local timestamp (for example, `Jan 23 14:09:01`) that accompanies an
RFC 3164 message lacks year and time zone information. The time zone will be enriched
using the `timezone` configuration option, and the year will be enriched using the
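Review bot: the new paragraph at the end of the hunk presents the leading-zero day as an extension to RFC 3164, but the `Jan 03 14:09:01` bullet added to the list above sits among the RFC forms with no marker, so a reader scanning the list will take it for standard syntax. Suggest either moving that example into the new paragraph or annotating the bullet, e.g. `** \`Jan 03 14:09:01\` (leading zero; extension to the RFC)`, so the list and the paragraph agree on what is standard and what is accepted additionally.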
2 changes: 1 addition & 1 deletion libbeat/reader/syslog/parser/common.rl
Expand Up @@ -71,7 +71,7 @@

# Timestamp
timestamp_rfc3339 = (ts_yyyymmdd 'T' ts_hhmmss ('.' digit{1,6})? ts_offset) >tok %set_timestamp_rfc3339 $err(err_timestamp);
timestamp_bsd = (month_str . sp . day_nopad . sp . ts_hhmmss) >tok %set_timestamp_bsd $err(err_timestamp);
timestamp_bsd = (month_str . sp . (day_nopad|day) . sp . ts_hhmmss) >tok %set_timestamp_bsd $err(err_timestamp);

# Hostname
hostname_range = graph{1,255};
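Review bot: `(day_nopad|day)` widens the accepted day token, but neither `day_nopad` nor `day` is defined in this hunk, so it is not visible here whether `day` is bounded (rejecting `00` and values above `31`) or is simply two digits. Please confirm the definition, and pair this grammar change with a rejecting test case next to the accepting one, since a wider alternative at this point is exactly what turns previously rejected input into a parsed timestamp. The regenerated `rfc3164_gen.go` is part of the same commit, so the state machine is in sync with the `.rl` source.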
22 changes: 12 additions & 10 deletions libbeat/reader/syslog/rfc3164_gen.go

Some generated files are not rendered by default.

11 changes: 11 additions & 0 deletions libbeat/reader/syslog/rfc3164_test.go
Expand Up @@ -76,6 +76,17 @@ var parseRFC3164Cases = map[string]struct {
msg: "this is the message",
},
},
"non-standard-date": {
In: "<123>Sep 01 02:03:04 hostname message",
Want: message{
timestamp: mustParseTimeLoc(time.Stamp, "Sep 1 02:03:04", time.Local),
priority: 123,
facility: 15,
severity: 3,
hostname: "hostname",
msg: "message",
},
},
"err-pri-not-a-number": {
In: "<abc>Oct 11 22:14:15 test-host this is the message",
WantErr: ErrPriority,
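Review bot: the new `non-standard-date` case only exercises the accepting path; add a rejecting case beside it (the file already uses `err-` prefixed names such as `err-pri-not-a-number`), for example a day of `00` or a three-digit day, so the relaxed `(day_nopad|day)` alternative is shown to still fail on out-of-range input. A more specific name such as `leading-zero-day` would also say what is non-standard about the input. Building `Want` from `Sep 1 02:03:04` against the `Sep 01` input is a good way to document that the leading zero is normalised away rather than preserved.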