[receiver/syslog] rfc6587 is overwritting each parsed event

[timannguyen]

Component(s)

receiver/syslog

What happened?

Description

syslog receiver is incorrectly breaking RFC6587 events. currently it's using influxdata syslog parser where each event is correctly parsed https://github.com/influxdata/go-syslog/blob/develop/octetcounting/parser.go#L124-L132. However, the parsed object is getting overridden each time https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/pkg/stanza/operator/parser/syslog/syslog.go#L316-L319. It is expected that the octet parser to return all parsed events rather than just the last.

Steps to Reproduce

when sending 4 events of the following with framing to the syslog receiver:

79 <6>1 2023-06-20T12:25:03-04:00 testEvent functional-test 65644 test - testEvent

it would be bundled to a single event without the newline:

79 <6>1 2023-06-20T12:25:03-04:00 testEvent functional-test 65644 test - testEvent
79 <6>1 2023-06-20T12:25:03-04:00 testEvent functional-test 65644 test - testEvent
79 <6>1 2023-06-20T12:25:03-04:00 testEvent functional-test 65644 test - testEvent
79 <6>1 2023-06-20T12:25:03-04:00 testEvent functional-test 65644 test - testEvent

Expected Result

it would expected there would be 4 events of

79 <6>1 2023-06-20T12:25:03-04:00 testEvent functional-test 65644 test - testEvent

Actual Result

one event of:

79 <6>1 2023-06-20T12:25:03-04:00 testEvent functional-test 65644 test - testEvent79 <6>1 2023-06-20T12:25:03-04:00 testEvent functional-test 65644 test - testEvent79 <6>1 2023-06-20T12:25:03-04:00 testEvent functional-test 65644 test - testEvent79 <6>1 2023-06-20T12:25:03-04:00 testEvent functional-test 65644 test - testEvent

Collector version

0.74.0

Environment information

Environment

OS: MAC OS, Ubuntu 22.04

OpenTelemetry Collector configuration

receivers:
  syslog/default: 
    enable_octet_counting: true
    protocol: rfc5424,
    tcp: 
      listen_address: 0.0.0.0:9998

Log output

No response

Additional context

No response

[github-actions]

Pinging code owners:

• receiver/syslog: @djaglowski

See Adding Labels via Comments if you do not have permissions to add labels yourself.

[djaglowski]

@timannguyen, thanks for reporting this. Will you be able to make a pull request for it?

[timannguyen]

@djaglowski i will. thank you for checking.

[timannguyen]

@djaglowski would adding something like adding in ParserOperator:

ProcessMultiEventsWithCallback(same args as ProcessWithCallback)
  entries, err := ParseWithMultiEvents(args)
  for entry in entries
     write(entry)

ParseWithMultiEvents(same arg as ParseWith) ([]entry.entry, err)

i will refactor other funcs to ensure minimal duplication. if that is sensible, i'll move forward with that.

cc: @splunkericl

[djaglowski]

@timannguyen I don't have an understanding of the failure mechanism yet so can't say what a good solution looks like. I recommend a minimal solution be proposed and then we can refactor to reduce duplication if it looks good.

[github-actions]

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

Pinging code owners:

• receiver/syslog: @djaglowski

See Adding Labels via Comments if you do not have permissions to add labels yourself.

[djaglowski]

Closed by #23645