From ecd273d59ab89c70355504b89445563e9a987812 Mon Sep 17 00:00:00 2001 From: Pier-Hugues Pellerin Date: Thu, 5 Mar 2020 08:27:52 -0500 Subject: [PATCH] Cherry-pick #10760 to 6.8: (#15980) Adding Cisco support for the Syslog parser * Adding Cisco support for the Syslog parser Add support for the "sequence" number in the log format send by Cisco switch devices. Fixes: #10654, #15979 (cherry picked from commit dd92b6f887c18c40932969d9430be9d54d7f6903) Co-authored-by: Pier-Hugues Pellerin --- CHANGELOG.next.asciidoc | 1 + filebeat/_meta/fields.common.yml | 6 + filebeat/docs/fields.asciidoc | 12 + filebeat/include/fields.go | 2 +- filebeat/input/syslog/event.go | 13 + filebeat/input/syslog/input.go | 5 + filebeat/input/syslog/input_test.go | 26 + filebeat/input/syslog/parser.go | 2259 +++++++++++++++-------- filebeat/input/syslog/parser.rl | 27 +- filebeat/input/syslog/parser_test.go | 109 ++ filebeat/input/syslog/syslog_rfc3164.rl | 11 +- 11 files changed, 1651 insertions(+), 820 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 3cdb3cf4cabf..8905f4ffc4c4 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -38,6 +38,7 @@ https://github.com/elastic/beats/compare/v6.8.0...6.8.1[Check the HEAD diff] *Filebeat* +- Add support for Cisco syslog format used by their switch. {pull}10760[10760] *Heartbeat* diff --git a/filebeat/_meta/fields.common.yml b/filebeat/_meta/fields.common.yml index 08b7d453eb38..9960a87d451a 100644 --- a/filebeat/_meta/fields.common.yml +++ b/filebeat/_meta/fields.common.yml @@ -60,6 +60,12 @@ description: > The Filebeat dataset that generated this event. + - name: event.sequence + type: long + required: false + description: > + The sequence number of this event. + - name: syslog.facility type: long required: false diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 9cd6df2fb743..947f76d45655 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -3299,6 +3299,18 @@ The Filebeat fileset that generated this event. The Filebeat dataset that generated this event. +-- + +*`event.sequence`*:: ++ +-- +type: long + +required: False + +The sequence number of this event. + + -- *`syslog.facility`*:: diff --git a/filebeat/include/fields.go b/filebeat/include/fields.go index 707d14ecccee..dd4b7174fdbb 100644 --- a/filebeat/include/fields.go +++ b/filebeat/include/fields.go @@ -31,5 +31,5 @@ func init() { // Asset returns asset data func Asset() string { - return "" + return "" } diff --git a/filebeat/input/syslog/event.go b/filebeat/input/syslog/event.go index 30c17bdef162..c5eccd6ea67f 100644 --- a/filebeat/input/syslog/event.go +++ b/filebeat/input/syslog/event.go @@ -71,6 +71,7 @@ type event struct { nanosecond int year int loc *time.Location + sequence int } // newEvent() return a new event. @@ -84,6 +85,7 @@ func newEvent() *event { minute: -1, second: -1, year: time.Now().Year(), + sequence: -1, } } @@ -269,6 +271,17 @@ func (s *event) HasPid() bool { return s.pid > 0 } +// SetSequence set the sequence number for this event. +func (s *event) SetSequence(b []byte) { + s.sequence = bytesToInt(b) +} + +// Sequence returns the sequence number of the event when defined, +// otherwise return -1. +func (s *event) Sequence() int { + return s.sequence +} + // SetNanoSecond sets the nanosecond. func (s *event) SetNanosecond(b []byte) { // We assume that we receive a byte array representing a nanosecond, this might not be diff --git a/filebeat/input/syslog/input.go b/filebeat/input/syslog/input.go index 1aeac3975216..7eef15e45d79 100644 --- a/filebeat/input/syslog/input.go +++ b/filebeat/input/syslog/input.go 
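Review bot: `SetSequence` in event.go stores `bytesToInt(b)` with no bound on the number of digits, and those bytes come straight from a syslog message received over the network. `bytesToInt` is defined outside this hunk; if it is a plain multiply-and-add loop, a long digit run would wrap the `int`. The wrapped value could surface as a negative `event.sequence`, or land on the `-1` that `newEvent` uses to mean "not set". Consider capping the length before converting, for example `if len(b) > maxSequenceDigits { return }`, or tracking presence with a separate bool instead of the `-1` sentinel. The doc comment on `Sequence` could also say that the value is taken from the sender as-is and is not checked for ordering or uniqueness.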
@@ -37,6 +37,7 @@ import ( // Parser is generated from a ragel state machine using the following command: //go:generate ragel -Z -G2 parser.rl -o parser.go +//go:generate go fmt parser.go // Severity and Facility are derived from the priority, theses are the human readable terms // defined in https://tools.ietf.org/html/rfc3164#section-4.1.1. @@ -251,6 +252,10 @@ func createEvent(ev *event, metadata inputsource.NetworkMetadata, timezone *time f["event"] = event f["process"] = process + if ev.Sequence() != -1 { + f["event.sequence"] = ev.Sequence() + } + return &beat.Event{ Timestamp: ev.Timestamp(timezone), Meta: common.MapStr{ diff --git a/filebeat/input/syslog/input_test.go b/filebeat/input/syslog/input_test.go index 939d06150cdd..e1857464803d 100644 --- a/filebeat/input/syslog/input_test.go +++ b/filebeat/input/syslog/input_test.go @@ -176,6 +176,32 @@ func TestProgram(t *testing.T) { }) } +func TestSequence(t *testing.T) { + t.Run("is set", func(t *testing.T) { + e := newEvent() + e.SetMessage([]byte("hello world")) + e.SetProgram([]byte("sudo")) + e.SetSequence([]byte("123")) + m := dummyMetadata() + event := createEvent(e, m, time.Local, logp.NewLogger("syslog")) + v, err := event.GetValue("event.sequence") + if !assert.NoError(t, err) { + return + } + assert.Equal(t, v, 123) + }) + + t.Run("is not set", func(t *testing.T) { + e := newEvent() + e.SetMessage([]byte("hello world")) + m := dummyMetadata() + event := createEvent(e, m, time.Local, logp.NewLogger("syslog")) + + _, err := event.GetValue("event.sequence") + assert.Error(t, err) + }) +} + func dummyMetadata() inputsource.NetworkMetadata { ip := "127.0.0.1" parsedIP := net.ParseIP(ip) diff --git a/filebeat/input/syslog/parser.go b/filebeat/input/syslog/parser.go index 7ffe5f73a033..16754a766f35 100644 --- a/filebeat/input/syslog/parser.go +++ b/filebeat/input/syslog/parser.go 
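Review bot: In `createEvent`, `f["event.sequence"]` writes a flat dotted key beside the `event` value assigned to `f["event"]` two lines earlier, so the sequence is stored next to the event object rather than inside it. If `event` is the map built earlier in `createEvent` (its construction is outside the hunk), setting `event["sequence"] = ev.Sequence()` before `f["event"] = event` would keep the document shape consistent with the other event fields. The `!= -1` test also assumes a parsed sequence can never equal -1; a comment such as `// -1 is the newEvent default: the message carried no sequence number` would make that contract explicit.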
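Review bot: In `TestSequence`, `assert.Equal(t, v, 123)` passes the actual value first, but testify's signature is `Equal(t, expected, actual)`, so a failure message would label the two values the wrong way round; use `assert.Equal(t, 123, v)`. The test covers only a small value and the unset case. Because the sequence digits arrive from the network, a third sub-test that gives `SetSequence` a digit string longer than an `int` can hold would pin down what `createEvent` emits for oversized input.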
@@ -22,28 +22,30 @@ package syslog //line parser.go:8 const syslog_start int = 0 -const syslog_first_final int = 1 +const syslog_first_final int = 2 const syslog_error int = -1 const syslog_en_main int = 0 +const syslog_en_catch_all int = 1 //line parser.rl:9 +var ( + noDuplicates = []byte{'-', '.'} +) -// syslog -//<34>Oct 11 22:14:15 wopr su: 'su root' failed for foobar -//<13>Feb 5 17:32:18 10.0.0.99 Use the quad dmg. +// Parse parses Syslog events. func Parse(data []byte, event *event) { var p, cs int pe := len(data) tok := 0 eof := len(data) -//line parser.go:28 +//line parser.go:31 { cs = syslog_start } -//line parser.go:33 +//line parser.go:36 { if (p) == (pe) { goto _test_eof @@ -51,8 +53,6 @@ func Parse(data []byte, event *event) { switch cs { case 0: goto st_case_0 - case 1: - goto st_case_1 case 2: goto st_case_2 case 3: @@ -263,6 +263,36 @@ func Parse(data []byte, event *event) { goto st_case_105 case 106: goto st_case_106 + case 107: + goto st_case_107 + case 108: + goto st_case_108 + case 109: + goto st_case_109 + case 110: + goto st_case_110 + case 111: + goto st_case_111 + case 112: + goto st_case_112 + case 113: + goto st_case_113 + case 114: + goto st_case_114 + case 115: + goto st_case_115 + case 116: + goto st_case_116 + case 117: + goto st_case_117 + case 118: + goto st_case_118 + case 119: + goto st_case_119 + case 1: + goto st_case_1 + case 120: + goto st_case_120 } goto st_out st_case_0: @@ -291,19 +321,15 @@ func Parse(data []byte, event *event) { } goto tr0 tr0: -//line parser.rl:20 +//line parser.rl:22 tok = p - goto st1 - st1: - if (p)++; (p) == (pe) { - goto _test_eof1 - } - st_case_1: -//line parser.go:291 - goto st1 - tr1: -//line parser.rl:20 + goto st2 + tr75: +//line parser.rl:97 + event.SetSequence(data[tok:p]) + +//line parser.rl:22 tok = p goto st2 
@@ -312,56 +338,68 @@ func Parse(data []byte, event *event) { goto _test_eof2 } st_case_2: -//line parser.go:304 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st3 - } - goto st1 +//line parser.go:332 + goto st2 + tr1: +//line parser.rl:22 + tok = p + + goto st3 st3: if (p)++; (p) == (pe) { goto _test_eof3 } st_case_3: +//line parser.go:345 + if data[(p)] == 58 { + goto st48 + } if 48 <= data[(p)] && data[(p)] <= 57 { goto st4 } - goto st1 + goto st2 st4: if (p)++; (p) == (pe) { goto _test_eof4 } st_case_4: + if data[(p)] == 58 { + goto st48 + } if 48 <= data[(p)] && data[(p)] <= 57 { goto st5 } - goto st1 + goto st2 st5: if (p)++; (p) == (pe) { goto _test_eof5 } st_case_5: - if data[(p)] == 45 { - goto tr15 + if data[(p)] == 58 { + goto st48 } - goto st1 - tr15: -//line parser.rl:36 - event.SetYear(data[tok:p]) - - goto st6 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st6 + } + goto st2 st6: if (p)++; (p) == (pe) { goto _test_eof6 } st_case_6: -//line parser.go:347 + switch data[(p)] { + case 45: + goto tr17 + case 58: + goto st48 + } if 48 <= data[(p)] && data[(p)] <= 57 { - goto tr16 + goto st47 } - goto st1 - tr16: -//line parser.rl:20 - tok = p + goto st2 + tr17: +//line parser.rl:38 + event.SetYear(data[tok:p]) goto st7 st7: 
@@ -369,38 +407,38 @@ func Parse(data []byte, event *event) { goto _test_eof7 } st_case_7: -//line parser.go:363 +//line parser.go:403 if 48 <= data[(p)] && data[(p)] <= 57 { - goto st8 + goto tr19 } - goto st1 + goto st2 + tr19: +//line parser.rl:22 + tok = p + + goto st8 st8: if (p)++; (p) == (pe) { goto _test_eof8 } st_case_8: - if data[(p)] == 45 { - goto tr18 +//line parser.go:419 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st9 } - goto st1 - tr18: -//line parser.rl:40 - event.SetMonthNumeric(data[tok:p]) - - goto st9 + goto st2 st9: if (p)++; (p) == (pe) { goto _test_eof9 } st_case_9: -//line parser.go:388 - if 48 <= data[(p)] && data[(p)] <= 51 { - goto tr19 + if data[(p)] == 45 { + goto tr21 } - goto st1 - tr19: -//line parser.rl:20 - tok = p + goto st2 + tr21: +//line parser.rl:42 + event.SetMonthNumeric(data[tok:p]) goto st10 st10: 
@@ -408,88 +446,88 @@ func Parse(data []byte, event *event) { goto _test_eof10 } st_case_10: -//line parser.go:404 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st11 +//line parser.go:444 + if 48 <= data[(p)] && data[(p)] <= 51 { + goto tr22 } - goto st1 + goto st2 + tr22: +//line parser.rl:22 + tok = p + + goto st11 st11: if (p)++; (p) == (pe) { goto _test_eof11 } st_case_11: +//line parser.go:460 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st12 + } + goto st2 + st12: + if (p)++; (p) == (pe) { + goto _test_eof12 + } + st_case_12: switch data[(p)] { case 32: - goto tr21 + goto tr24 case 84: - goto tr21 + goto tr24 case 116: - goto tr21 + goto tr24 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr21 + goto tr24 } - goto st1 - tr21: -//line parser.rl:44 + goto st2 + tr24: +//line parser.rl:46 event.SetDay(data[tok:p]) - goto st12 - st12: + goto st13 + st13: if (p)++; (p) == (pe) { - goto _test_eof12 + goto _test_eof13 } - st_case_12: -//line parser.go:437 + st_case_13: +//line parser.go:493 if data[(p)] == 50 { - goto tr23 + goto tr26 } if 48 <= data[(p)] && data[(p)] <= 49 { - goto tr22 + goto tr25 } - goto st1 - tr22: -//line parser.rl:20 + goto st2 + tr25: +//line parser.rl:22 tok = p - goto st13 - st13: - if (p)++; (p) == (pe) { - goto _test_eof13 - } - st_case_13: -//line parser.go:456 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st14 - } - goto st1 + goto st14 st14: if (p)++; (p) == (pe) { goto _test_eof14 } st_case_14: - if data[(p)] == 58 { - goto tr25 +//line parser.go:512 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st15 } - goto st1 - tr25: -//line parser.rl:48 - event.SetHour(data[tok:p]) - - goto st15 + goto st2 st15: if (p)++; (p) == (pe) { goto _test_eof15 } st_case_15: -//line parser.go:481 - if 48 <= data[(p)] && data[(p)] <= 53 { - goto tr26 + if data[(p)] == 58 { + goto tr28 } - goto st1 - tr26: -//line parser.rl:20 - tok = p + goto st2 + tr28: +//line parser.rl:50 + event.SetHour(data[tok:p]) goto st16 st16: 
@@ -497,38 +535,38 @@ func Parse(data []byte, event *event) { goto _test_eof16 } st_case_16: -//line parser.go:497 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st17 +//line parser.go:537 + if 48 <= data[(p)] && data[(p)] <= 53 { + goto tr29 } - goto st1 + goto st2 + tr29: +//line parser.rl:22 + tok = p + + goto st17 st17: if (p)++; (p) == (pe) { goto _test_eof17 } st_case_17: - if data[(p)] == 58 { - goto tr28 +//line parser.go:553 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st18 } - goto st1 - tr28: -//line parser.rl:52 - event.SetMinute(data[tok:p]) - - goto st18 + goto st2 st18: if (p)++; (p) == (pe) { goto _test_eof18 } st_case_18: -//line parser.go:522 - if 48 <= data[(p)] && data[(p)] <= 53 { - goto tr29 + if data[(p)] == 58 { + goto tr31 } - goto st1 - tr29: -//line parser.rl:20 - tok = p + goto st2 + tr31: +//line parser.rl:54 + event.SetMinute(data[tok:p]) goto st19 st19: 
@@ -536,94 +574,125 @@ func Parse(data []byte, event *event) { goto _test_eof19 } st_case_19: -//line parser.go:538 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st20 +//line parser.go:578 + if 48 <= data[(p)] && data[(p)] <= 53 { + goto tr32 } - goto st1 + goto st2 + tr32: +//line parser.rl:22 + tok = p + + goto st20 st20: if (p)++; (p) == (pe) { goto _test_eof20 } st_case_20: +//line parser.go:594 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st21 + } + goto st2 + st21: + if (p)++; (p) == (pe) { + goto _test_eof21 + } + st_case_21: switch data[(p)] { case 32: - goto tr31 + goto tr34 case 43: - goto tr32 + goto tr35 case 45: - goto tr32 + goto tr35 case 46: - goto tr33 + goto tr36 + case 58: + goto tr37 case 90: - goto tr34 + goto tr38 case 122: - goto tr34 + goto tr38 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr31 + goto tr34 } - goto st1 - tr31: -//line parser.rl:56 + goto st2 + tr34: +//line parser.rl:58 event.SetSecond(data[tok:p]) - goto st21 - tr49: -//line parser.rl:76 + goto st22 + tr61: +//line parser.rl:93 event.SetTimeZone(data[tok:p]) - goto st21 - tr54: -//line parser.rl:60 + goto st22 + tr68: +//line parser.rl:62 event.SetNanosecond(data[tok:p]) - goto st21 - st21: - if (p)++; (p) == (pe) { - goto _test_eof21 - } - st_case_21: -//line parser.go:589 - switch { - case data[(p)] > 95: - if 97 <= data[(p)] && data[(p)] <= 122 { - goto tr35 - } - case data[(p)] >= 46: - goto tr35 - } - goto tr0 - tr35: -//line parser.rl:20 - tok = p - goto st22 st22: if (p)++; (p) == (pe) { goto _test_eof22 } st_case_22: -//line parser.go:610 - if data[(p)] == 32 { - goto tr36 +//line parser.go:647 + switch data[(p)] { + case 58: + goto tr41 + case 95: + goto tr39 } switch { - case data[(p)] < 46: - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr36 + case data[(p)] < 48: + if 45 <= data[(p)] && data[(p)] <= 46 { + goto tr39 } - case data[(p)] > 95: - if 97 <= data[(p)] && data[(p)] <= 122 { - goto st22 + case data[(p)] > 57: + switch { + case data[(p)] > 90: 
+ if 97 <= data[(p)] && data[(p)] <= 122 { + goto tr40 + } + case data[(p)] >= 65: + goto tr40 } default: - goto st22 + goto tr40 + } + goto tr0 + tr39: +//line parser.rl:22 + tok = p + +//line parser.rl:70 + if p-1 > 0 { + for _, b := range noDuplicates { + if data[p] == b && data[p-1] == b { + p = tok - 1 + { + goto st1 + } + } + } + } + + goto st23 + tr42: +//line parser.rl:70 + if p-1 > 0 { + for _, b := range noDuplicates { + if data[p] == b && data[p-1] == b { + p = tok - 1 + { + goto st1 + } + } + } } - goto st1 - tr36: -//line parser.rl:64 - event.SetHostname(data[tok:p]) goto st23 st23: 
@@ -631,47 +700,102 @@ func Parse(data []byte, event *event) { goto _test_eof23 } st_case_23: -//line parser.go:638 +//line parser.go:707 switch data[(p)] { - case 32: - goto tr0 - case 91: - goto tr0 - case 93: - goto tr0 + case 58: + goto tr44 + case 95: + goto tr42 } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr0 + switch { + case data[(p)] < 48: + if 45 <= data[(p)] && data[(p)] <= 46 { + goto tr42 + } + case data[(p)] > 57: + switch { + case data[(p)] > 90: + if 97 <= data[(p)] && data[(p)] <= 122 { + goto tr43 + } + case data[(p)] >= 65: + goto tr43 + } + default: + goto tr43 } - goto tr38 - tr38: -//line parser.rl:20 + goto st2 + tr40: +//line parser.rl:22 tok = p +//line parser.rl:70 + if p-1 > 0 { + for _, b := range noDuplicates { + if data[p] == b && data[p-1] == b { + p = tok - 1 + { + goto st1 + } + } + } + } + + goto st24 + tr43: +//line parser.rl:70 + if p-1 > 0 { + for _, b := range noDuplicates { + if data[p] == b && data[p-1] == b { + p = tok - 1 + { + goto st1 + } + } + } + } + goto st24 st24: if (p)++; (p) == (pe) { goto _test_eof24 } st_case_24: -//line parser.go:662 +//line parser.go:767 switch data[(p)] { case 32: - goto st1 + goto tr45 case 58: - goto tr40 - case 91: - goto tr41 - case 93: - goto st1 + goto tr46 + case 95: + goto tr42 } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto st1 + switch { + case data[(p)] < 48: + switch { + case data[(p)] > 13: + if 45 <= data[(p)] && data[(p)] <= 46 { + goto tr42 + } + case data[(p)] >= 9: + goto tr45 + } + case data[(p)] > 57: + switch { + case data[(p)] > 90: + if 97 <= data[(p)] && data[(p)] <= 122 { + goto tr43 + } + case data[(p)] >= 65: + goto tr43 + } + default: + goto tr43 } - goto st24 - tr40: -//line parser.rl:68 - event.SetProgram(data[tok:p]) + goto st2 + tr45: +//line parser.rl:81 + event.SetHostname(data[tok:p]) goto st25 st25: 
@@ -679,29 +803,46 @@ func Parse(data []byte, event *event) { goto _test_eof25 } st_case_25: -//line parser.go:688 +//line parser.go:810 switch data[(p)] { case 32: - goto st26 - case 58: - goto tr40 + goto tr0 case 91: - goto tr41 + goto tr0 case 93: - goto st1 + goto tr0 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto st26 + goto tr0 } - goto st24 + goto tr47 + tr47: +//line parser.rl:22 + tok = p + + goto st26 st26: if (p)++; (p) == (pe) { goto _test_eof26 } st_case_26: - goto tr0 - tr41: -//line parser.rl:68 +//line parser.go:834 + switch data[(p)] { + case 32: + goto st2 + case 58: + goto tr49 + case 91: + goto tr50 + case 93: + goto st2 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto st2 + } + goto st26 + tr49: +//line parser.rl:85 event.SetProgram(data[tok:p]) goto st27 @@ -710,32 +851,30 @@ func Parse(data []byte, event *event) { goto _test_eof27 } st_case_27: -//line parser.go:720 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto tr43 +//line parser.go:860 + switch data[(p)] { + case 32: + goto st28 + case 58: + goto tr49 + case 91: + goto tr50 + case 93: + goto st2 } - goto st1 - tr43: -//line parser.rl:20 - tok = p - - goto st28 + if 9 <= data[(p)] && data[(p)] <= 13 { + goto st28 + } + goto st26 st28: if (p)++; (p) == (pe) { goto _test_eof28 } st_case_28: -//line parser.go:736 - if data[(p)] == 93 { - goto tr45 - } - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st28 - } - goto st1 - tr45: -//line parser.rl:72 - event.SetPid(data[tok:p]) + goto tr0 + tr50: +//line parser.rl:85 + event.SetProgram(data[tok:p]) goto st29 st29: 
@@ -743,37 +882,32 @@ func Parse(data []byte, event *event) { goto _test_eof29 } st_case_29: -//line parser.go:755 - if data[(p)] == 58 { - goto st30 +//line parser.go:892 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto tr52 } - goto st1 + goto st2 + tr52: +//line parser.rl:22 + tok = p + + goto st30 st30: if (p)++; (p) == (pe) { goto _test_eof30 } st_case_30: - if data[(p)] == 32 { - goto st26 +//line parser.go:908 + if data[(p)] == 93 { + goto tr54 } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto st26 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st30 } - goto st1 - tr32: -//line parser.rl:56 - event.SetSecond(data[tok:p]) - -//line parser.rl:20 - tok = p - - goto st31 - tr55: -//line parser.rl:60 - event.SetNanosecond(data[tok:p]) - -//line parser.rl:20 - tok = p + goto st2 + tr54: +//line parser.rl:89 + event.SetPid(data[tok:p]) goto st31 st31: 
@@ -781,169 +915,298 @@ func Parse(data []byte, event *event) { goto _test_eof31 } st_case_31: -//line parser.go:797 - if 48 <= data[(p)] && data[(p)] <= 57 { +//line parser.go:927 + if data[(p)] == 58 { goto st32 } - goto st1 + goto st2 st32: if (p)++; (p) == (pe) { goto _test_eof32 } st_case_32: - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st33 + if data[(p)] == 32 { + goto st28 } - goto st1 + if 9 <= data[(p)] && data[(p)] <= 13 { + goto st28 + } + goto st2 + tr46: +//line parser.rl:70 + if p-1 > 0 { + for _, b := range noDuplicates { + if data[p] == b && data[p-1] == b { + p = tok - 1 + { + goto st1 + } + } + } + } + +//line parser.rl:81 + event.SetHostname(data[tok:p]) + + goto st33 st33: if (p)++; (p) == (pe) { goto _test_eof33 } st_case_33: +//line parser.go:966 switch data[(p)] { case 32: - goto tr49 + goto st25 case 58: - goto st36 + goto tr57 + case 95: + goto tr42 } switch { - case data[(p)] > 13: - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st34 + case data[(p)] < 48: + switch { + case data[(p)] > 13: + if 45 <= data[(p)] && data[(p)] <= 46 { + goto tr42 + } + case data[(p)] >= 9: + goto st25 + } + case data[(p)] > 57: + switch { + case data[(p)] > 90: + if 97 <= data[(p)] && data[(p)] <= 122 { + goto tr43 + } + case data[(p)] >= 65: + goto tr43 + } + default: + goto tr43 + } + goto st2 + tr57: +//line parser.rl:70 + if p-1 > 0 { + for _, b := range noDuplicates { + if data[p] == b && data[p-1] == b { + p = tok - 1 + { + goto st1 + } + } } - case data[(p)] >= 9: - goto tr49 } - goto st1 + + goto st34 + tr58: +//line parser.rl:70 + if p-1 > 0 { + for _, b := range noDuplicates { + if data[p] == b && data[p-1] == b { + p = tok - 1 + { + goto st1 + } + } + } + } + +//line parser.rl:81 + event.SetHostname(data[tok:p]) + + goto st34 st34: if (p)++; (p) == (pe) { goto _test_eof34 } st_case_34: - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st35 +//line parser.go:1033 + switch data[(p)] { + case 32: + goto tr45 + case 58: + goto tr58 + case 95: + 
goto tr42 + } + switch { + case data[(p)] < 48: + switch { + case data[(p)] > 13: + if 45 <= data[(p)] && data[(p)] <= 46 { + goto tr42 + } + case data[(p)] >= 9: + goto tr45 + } + case data[(p)] > 57: + switch { + case data[(p)] > 90: + if 97 <= data[(p)] && data[(p)] <= 122 { + goto tr43 + } + case data[(p)] >= 65: + goto tr43 + } + default: + goto tr43 + } + goto st2 + tr41: +//line parser.rl:22 + tok = p + +//line parser.rl:70 + if p-1 > 0 { + for _, b := range noDuplicates { + if data[p] == b && data[p-1] == b { + p = tok - 1 + { + goto st1 + } + } + } } - goto st1 + + goto st35 + tr44: +//line parser.rl:70 + if p-1 > 0 { + for _, b := range noDuplicates { + if data[p] == b && data[p-1] == b { + p = tok - 1 + { + goto st1 + } + } + } + } + + goto st35 st35: if (p)++; (p) == (pe) { goto _test_eof35 } st_case_35: - if data[(p)] == 32 { - goto tr49 +//line parser.go:1100 + switch data[(p)] { + case 58: + goto tr57 + case 95: + goto tr42 } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr49 + switch { + case data[(p)] < 48: + if 45 <= data[(p)] && data[(p)] <= 46 { + goto tr42 + } + case data[(p)] > 57: + switch { + case data[(p)] > 90: + if 97 <= data[(p)] && data[(p)] <= 122 { + goto tr43 + } + case data[(p)] >= 65: + goto tr43 + } + default: + goto tr43 } - goto st1 + goto st2 + tr35: +//line parser.rl:58 + event.SetSecond(data[tok:p]) + +//line parser.rl:22 + tok = p + + goto st36 + tr69: +//line parser.rl:62 + event.SetNanosecond(data[tok:p]) + +//line parser.rl:22 + tok = p + + goto st36 st36: if (p)++; (p) == (pe) { goto _test_eof36 } st_case_36: +//line parser.go:1150 if 48 <= data[(p)] && data[(p)] <= 57 { - goto st34 + goto st37 } - goto st1 - tr33: -//line parser.rl:56 - event.SetSecond(data[tok:p]) - - goto st37 + goto st2 st37: if (p)++; (p) == (pe) { goto _test_eof37 } st_case_37: -//line parser.go:872 if 48 <= data[(p)] && data[(p)] <= 57 { - goto tr53 + goto st38 } - goto st1 - tr53: -//line parser.rl:20 - tok = p - - goto st38 + goto st2 st38: if 
(p)++; (p) == (pe) { goto _test_eof38 } st_case_38: -//line parser.go:888 switch data[(p)] { case 32: - goto tr54 - case 43: - goto tr55 - case 45: - goto tr55 - case 90: - goto tr57 - case 122: - goto tr57 + goto tr61 + case 58: + goto tr63 } switch { case data[(p)] > 13: if 48 <= data[(p)] && data[(p)] <= 57 { - goto st38 + goto st39 } case data[(p)] >= 9: - goto tr54 + goto tr61 } - goto st1 - tr34: -//line parser.rl:56 - event.SetSecond(data[tok:p]) - -//line parser.rl:20 - tok = p - - goto st39 - tr57: -//line parser.rl:60 - event.SetNanosecond(data[tok:p]) - -//line parser.rl:20 - tok = p - - goto st39 + goto st2 st39: if (p)++; (p) == (pe) { goto _test_eof39 } st_case_39: -//line parser.go:935 - switch data[(p)] { - case 32: - goto tr49 - case 43: - goto st31 - case 45: - goto st31 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr49 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st40 } - goto st1 - tr23: -//line parser.rl:20 - tok = p - - goto st40 + goto st2 st40: if (p)++; (p) == (pe) { goto _test_eof40 } st_case_40: -//line parser.go:959 - if 48 <= data[(p)] && data[(p)] <= 51 { - goto st14 + switch data[(p)] { + case 32: + goto tr61 + case 58: + goto tr65 } - goto st1 - tr2: -//line parser.rl:20 - tok = p + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr61 + } + goto st2 + tr37: +//line parser.rl:58 + event.SetSecond(data[tok:p]) + + goto st41 + tr65: +//line parser.rl:93 + event.SetTimeZone(data[tok:p]) + + goto st41 + tr71: +//line parser.rl:62 + event.SetNanosecond(data[tok:p]) goto st41 st41: @@ -951,14 +1214,17 @@ func Parse(data []byte, event *event) { goto _test_eof41 } st_case_41: -//line parser.go:975 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto tr59 +//line parser.go:1231 + if data[(p)] == 32 { + goto st22 } - goto st1 - tr59: -//line parser.rl:20 - tok = p + if 9 <= data[(p)] && data[(p)] <= 13 { + goto st22 + } + goto st2 + tr63: +//line parser.rl:93 + event.SetTimeZone(data[tok:p]) goto st42 st42: 
@@ -966,194 +1232,232 @@ func Parse(data []byte, event *event) { goto _test_eof42 } st_case_42: -//line parser.go:991 - if data[(p)] == 62 { - goto tr61 +//line parser.go:1250 + if data[(p)] == 32 { + goto st22 } - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st43 + switch { + case data[(p)] > 13: + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st39 + } + case data[(p)] >= 9: + goto st22 } - goto st1 + goto st2 + tr36: +//line parser.rl:58 + event.SetSecond(data[tok:p]) + + goto st43 st43: if (p)++; (p) == (pe) { goto _test_eof43 } st_case_43: - if data[(p)] == 62 { - goto tr61 - } +//line parser.go:1274 if 48 <= data[(p)] && data[(p)] <= 57 { - goto st44 + goto tr67 } - goto st1 + goto st2 + tr67: +//line parser.rl:22 + tok = p + + goto st44 st44: if (p)++; (p) == (pe) { goto _test_eof44 } st_case_44: - if data[(p)] == 62 { - goto tr61 - } - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st45 - } - goto st1 - st45: - if (p)++; (p) == (pe) { - goto _test_eof45 - } - st_case_45: - if data[(p)] == 62 { - goto tr61 +//line parser.go:1290 + switch data[(p)] { + case 32: + goto tr68 + case 43: + goto tr69 + case 45: + goto tr69 + case 58: + goto tr71 + case 90: + goto tr72 + case 122: + goto tr72 } - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st46 + switch { + case data[(p)] > 13: + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st44 + } + case data[(p)] >= 9: + goto tr68 + } + goto st2 + tr38: +//line parser.rl:58 + event.SetSecond(data[tok:p]) + +//line parser.rl:22 + tok = p + + goto st45 + tr72: +//line parser.rl:62 + event.SetNanosecond(data[tok:p]) + +//line parser.rl:22 + tok = p + + goto st45 + st45: + if (p)++; (p) == (pe) { + goto _test_eof45 + } + st_case_45: +//line parser.go:1339 + switch data[(p)] { + case 32: + goto tr61 + case 43: + goto st36 + case 45: + goto st36 + case 58: + goto tr65 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr61 } - goto st1 + goto st2 + tr26: +//line parser.rl:22 + tok = p + + goto st46 st46: if (p)++; (p) == (pe) 
{ goto _test_eof46 } st_case_46: - if data[(p)] == 62 { - goto tr61 +//line parser.go:1365 + if 48 <= data[(p)] && data[(p)] <= 51 { + goto st15 } - goto st1 - tr61: -//line parser.rl:24 - event.SetPriority(data[tok:p]) - - goto st47 + goto st2 st47: if (p)++; (p) == (pe) { goto _test_eof47 } st_case_47: -//line parser.go:1055 - switch data[(p)] { - case 65: - goto tr3 - case 68: - goto tr4 - case 70: - goto tr5 - case 74: - goto tr6 - case 77: - goto tr7 - case 78: - goto tr8 - case 79: - goto tr9 - case 83: - goto tr10 + if data[(p)] == 58 { + goto st48 } if 48 <= data[(p)] && data[(p)] <= 57 { - goto tr1 + goto st47 } - goto tr0 - tr3: -//line parser.rl:20 - tok = p - - goto st48 + goto st2 st48: if (p)++; (p) == (pe) { goto _test_eof48 } st_case_48: -//line parser.go:1089 - switch data[(p)] { - case 112: - goto st49 - case 117: - goto st70 + if data[(p)] == 32 { + goto tr74 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr74 } - goto st1 + goto st2 + tr74: +//line parser.rl:22 + tok = p + + goto st49 st49: if (p)++; (p) == (pe) { goto _test_eof49 } st_case_49: - if data[(p)] == 114 { - goto st50 +//line parser.go:1405 + switch data[(p)] { + case 65: + goto tr77 + case 68: + goto tr78 + case 70: + goto tr79 + case 74: + goto tr80 + case 77: + goto tr81 + case 78: + goto tr82 + case 79: + goto tr83 + case 83: + goto tr84 } - goto st1 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto tr76 + } + goto tr75 + tr76: +//line parser.rl:97 + event.SetSequence(data[tok:p]) + +//line parser.rl:22 + tok = p + + goto st50 st50: if (p)++; (p) == (pe) { goto _test_eof50 } st_case_50: - switch data[(p)] { - case 32: - goto tr68 - case 105: - goto st68 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr68 +//line parser.go:1443 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st51 } - goto st1 - tr68: -//line parser.rl:32 - event.SetMonth(data[tok:p]) - - goto st51 + goto st2 st51: if (p)++; (p) == (pe) { goto _test_eof51 } st_case_51: -//line parser.go:1132 - switch 
data[(p)] { - case 32: + if 48 <= data[(p)] && data[(p)] <= 57 { goto st52 - case 51: - goto tr72 } - switch { - case data[(p)] < 49: - if 9 <= data[(p)] && data[(p)] <= 13 { - goto st52 - } - case data[(p)] > 50: - if 52 <= data[(p)] && data[(p)] <= 57 { - goto tr73 - } - default: - goto tr71 - } - goto st1 + goto st2 st52: if (p)++; (p) == (pe) { goto _test_eof52 } st_case_52: - if 49 <= data[(p)] && data[(p)] <= 57 { - goto tr73 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st53 } - goto st1 - tr73: -//line parser.rl:20 - tok = p - - goto st53 + goto st2 st53: if (p)++; (p) == (pe) { goto _test_eof53 } st_case_53: -//line parser.go:1172 - if data[(p)] == 32 { - goto tr74 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr74 + if data[(p)] == 45 { + goto tr17 } - goto st1 - tr74: -//line parser.rl:44 - event.SetDay(data[tok:p]) + goto st2 + tr3: +//line parser.rl:22 + tok = p + + goto st54 + tr77: +//line parser.rl:97 + event.SetSequence(data[tok:p]) + +//line parser.rl:22 + tok = p goto st54 st54: @@ -1161,41 +1465,41 @@ func Parse(data []byte, event *event) { goto _test_eof54 } st_case_54: -//line parser.go:1191 - if data[(p)] == 50 { - goto tr76 - } - if 48 <= data[(p)] && data[(p)] <= 49 { - goto tr75 +//line parser.go:1496 + switch data[(p)] { + case 112: + goto st55 + case 117: + goto st76 } - goto st1 - tr75: -//line parser.rl:20 - tok = p - - goto st55 + goto st2 st55: if (p)++; (p) == (pe) { goto _test_eof55 } st_case_55: -//line parser.go:1210 - if 48 <= data[(p)] && data[(p)] <= 57 { + if data[(p)] == 114 { goto st56 } - goto st1 + goto st2 st56: if (p)++; (p) == (pe) { goto _test_eof56 } st_case_56: - if data[(p)] == 58 { - goto tr78 + switch data[(p)] { + case 32: + goto tr91 + case 105: + goto st74 } - goto st1 - tr78: -//line parser.rl:48 - event.SetHour(data[tok:p]) + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr91 + } + goto st2 + tr91: +//line parser.rl:34 + event.SetMonth(data[tok:p]) goto st57 st57: 
@@ -1203,38 +1507,56 @@ func Parse(data []byte, event *event) { goto _test_eof57 } st_case_57: -//line parser.go:1235 - if 48 <= data[(p)] && data[(p)] <= 53 { - goto tr79 +//line parser.go:1539 + switch data[(p)] { + case 32: + goto st58 + case 51: + goto tr95 } - goto st1 - tr79: -//line parser.rl:20 - tok = p - - goto st58 + switch { + case data[(p)] < 49: + if 9 <= data[(p)] && data[(p)] <= 13 { + goto st58 + } + case data[(p)] > 50: + if 52 <= data[(p)] && data[(p)] <= 57 { + goto tr96 + } + default: + goto tr94 + } + goto st2 st58: if (p)++; (p) == (pe) { goto _test_eof58 } st_case_58: -//line parser.go:1251 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st59 + if 49 <= data[(p)] && data[(p)] <= 57 { + goto tr96 } - goto st1 + goto st2 + tr96: +//line parser.rl:22 + tok = p + + goto st59 st59: if (p)++; (p) == (pe) { goto _test_eof59 } st_case_59: - if data[(p)] == 58 { - goto tr81 +//line parser.go:1579 + if data[(p)] == 32 { + goto tr97 } - goto st1 - tr81: -//line parser.rl:52 - event.SetMinute(data[tok:p]) + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr97 + } + goto st2 + tr97: +//line parser.rl:46 + event.SetDay(data[tok:p]) goto st60 st60: @@ -1242,13 +1564,16 @@ func Parse(data []byte, event *event) { goto _test_eof60 } st_case_60: -//line parser.go:1276 - if 48 <= data[(p)] && data[(p)] <= 53 { - goto tr82 +//line parser.go:1598 + if data[(p)] == 50 { + goto tr99 } - goto st1 - tr82: -//line parser.rl:20 + if 48 <= data[(p)] && data[(p)] <= 49 { + goto tr98 + } + goto st2 + tr98: +//line parser.rl:22 tok = p goto st61 
@@ -1257,29 +1582,23 @@ func Parse(data []byte, event *event) { goto _test_eof61 } st_case_61: -//line parser.go:1292 +//line parser.go:1617 if 48 <= data[(p)] && data[(p)] <= 57 { goto st62 } - goto st1 + goto st2 st62: if (p)++; (p) == (pe) { goto _test_eof62 } st_case_62: - switch data[(p)] { - case 32: - goto tr31 - case 46: - goto tr84 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr31 + if data[(p)] == 58 { + goto tr101 } - goto st1 - tr84: -//line parser.rl:56 - event.SetSecond(data[tok:p]) + goto st2 + tr101: +//line parser.rl:50 + event.SetHour(data[tok:p]) goto st63 st63: @@ -1287,13 +1606,13 @@ func Parse(data []byte, event *event) { goto _test_eof63 } st_case_63: -//line parser.go:1323 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto tr85 +//line parser.go:1642 + if 48 <= data[(p)] && data[(p)] <= 53 { + goto tr102 } - goto st1 - tr85: -//line parser.rl:20 + goto st2 + tr102: +//line parser.rl:22 tok = p goto st64 
@@ -1302,59 +1621,37 @@ func Parse(data []byte, event *event) { goto _test_eof64 } st_case_64: -//line parser.go:1339 - if data[(p)] == 32 { - goto tr54 - } - switch { - case data[(p)] > 13: - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st64 - } - case data[(p)] >= 9: - goto tr54 +//line parser.go:1658 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st65 } - goto st1 - tr76: -//line parser.rl:20 - tok = p - - goto st65 + goto st2 st65: if (p)++; (p) == (pe) { goto _test_eof65 } st_case_65: -//line parser.go:1363 - if 48 <= data[(p)] && data[(p)] <= 51 { - goto st56 + if data[(p)] == 58 { + goto tr104 } - goto st1 - tr71: -//line parser.rl:20 - tok = p + goto st2 + tr104: +//line parser.rl:54 + event.SetMinute(data[tok:p]) - goto st66 - st66: - if (p)++; (p) == (pe) { - goto _test_eof66 - } - st_case_66: -//line parser.go:1379 - if data[(p)] == 32 { - goto tr74 - } - switch { - case data[(p)] > 13: - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st53 - } - case data[(p)] >= 9: - goto tr74 + goto st66 + st66: + if (p)++; (p) == (pe) { + goto _test_eof66 } - goto st1 - tr72: -//line parser.rl:20 + st_case_66: +//line parser.go:1683 + if 48 <= data[(p)] && data[(p)] <= 53 { + goto tr105 + } + goto st2 + tr105: +//line parser.rl:22 tok = p goto st67 
@@ -1363,487 +1660,780 @@ func Parse(data []byte, event *event) { goto _test_eof67 } st_case_67: -//line parser.go:1403 - if data[(p)] == 32 { - goto tr74 - } - switch { - case data[(p)] > 13: - if 48 <= data[(p)] && data[(p)] <= 49 { - goto st53 - } - case data[(p)] >= 9: - goto tr74 +//line parser.go:1699 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st68 } - goto st1 + goto st2 st68: if (p)++; (p) == (pe) { goto _test_eof68 } st_case_68: - if data[(p)] == 108 { - goto st69 + switch data[(p)] { + case 32: + goto tr34 + case 46: + goto tr107 + case 58: + goto tr37 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr34 } - goto st1 + goto st2 + tr107: +//line parser.rl:58 + event.SetSecond(data[tok:p]) + + goto st69 st69: if (p)++; (p) == (pe) { goto _test_eof69 } st_case_69: - if data[(p)] == 32 { - goto tr68 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr68 +//line parser.go:1732 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto tr108 } - goto st1 + goto st2 + tr108: +//line parser.rl:22 + tok = p + + goto st70 st70: if (p)++; (p) == (pe) { goto _test_eof70 } st_case_70: - if data[(p)] == 103 { - goto st71 +//line parser.go:1748 + switch data[(p)] { + case 32: + goto tr68 + case 58: + goto tr71 } - goto st1 + switch { + case data[(p)] > 13: + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st70 + } + case data[(p)] >= 9: + goto tr68 + } + goto st2 + tr99: +//line parser.rl:22 + tok = p + + goto st71 st71: if (p)++; (p) == (pe) { goto _test_eof71 } st_case_71: - switch data[(p)] { - case 32: - goto tr68 - case 117: - goto st72 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr68 +//line parser.go:1775 + if 48 <= data[(p)] && data[(p)] <= 51 { + goto st62 } - goto st1 + goto st2 + tr94: +//line parser.rl:22 + tok = p + + goto st72 st72: if (p)++; (p) == (pe) { goto _test_eof72 } st_case_72: - if data[(p)] == 115 { - goto st73 +//line parser.go:1791 + if data[(p)] == 32 { + goto tr97 } - goto st1 + switch { + case data[(p)] > 13: + if 48 <= data[(p)] 
&& data[(p)] <= 57 { + goto st59 + } + case data[(p)] >= 9: + goto tr97 + } + goto st2 + tr95: +//line parser.rl:22 + tok = p + + goto st73 st73: if (p)++; (p) == (pe) { goto _test_eof73 } st_case_73: - if data[(p)] == 116 { - goto st69 +//line parser.go:1815 + if data[(p)] == 32 { + goto tr97 } - goto st1 - tr4: -//line parser.rl:20 - tok = p - - goto st74 + switch { + case data[(p)] > 13: + if 48 <= data[(p)] && data[(p)] <= 49 { + goto st59 + } + case data[(p)] >= 9: + goto tr97 + } + goto st2 st74: if (p)++; (p) == (pe) { goto _test_eof74 } st_case_74: -//line parser.go:1490 - if data[(p)] == 101 { + if data[(p)] == 108 { goto st75 } - goto st1 + goto st2 st75: if (p)++; (p) == (pe) { goto _test_eof75 } st_case_75: - if data[(p)] == 99 { - goto st76 + if data[(p)] == 32 { + goto tr91 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr91 } - goto st1 + goto st2 st76: if (p)++; (p) == (pe) { goto _test_eof76 } st_case_76: - switch data[(p)] { - case 32: - goto tr68 - case 101: + if data[(p)] == 103 { goto st77 } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr68 - } - goto st1 + goto st2 st77: if (p)++; (p) == (pe) { goto _test_eof77 } st_case_77: - if data[(p)] == 109 { + switch data[(p)] { + case 32: + goto tr91 + case 117: goto st78 } - goto st1 + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr91 + } + goto st2 st78: if (p)++; (p) == (pe) { goto _test_eof78 } st_case_78: - if data[(p)] == 98 { + if data[(p)] == 115 { goto st79 } - goto st1 + goto st2 st79: if (p)++; (p) == (pe) { goto _test_eof79 } st_case_79: - if data[(p)] == 101 { - goto st80 + if data[(p)] == 116 { + goto st75 } - goto st1 + goto st2 + tr4: +//line parser.rl:22 + tok = p + + goto st80 + tr78: +//line parser.rl:97 + event.SetSequence(data[tok:p]) + +//line parser.rl:22 + tok = p + + goto st80 st80: if (p)++; (p) == (pe) { goto _test_eof80 } st_case_80: - if data[(p)] == 114 { - goto st69 +//line parser.go:1912 + if data[(p)] == 101 { + goto st81 } - goto st1 - tr5: -//line 
parser.rl:20 - tok = p - - goto st81 + goto st2 st81: if (p)++; (p) == (pe) { goto _test_eof81 } st_case_81: -//line parser.go:1566 - if data[(p)] == 101 { + if data[(p)] == 99 { goto st82 } - goto st1 + goto st2 st82: if (p)++; (p) == (pe) { goto _test_eof82 } st_case_82: - if data[(p)] == 98 { + switch data[(p)] { + case 32: + goto tr91 + case 101: goto st83 } - goto st1 + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr91 + } + goto st2 st83: if (p)++; (p) == (pe) { goto _test_eof83 } st_case_83: - switch data[(p)] { - case 32: - goto tr68 - case 114: + if data[(p)] == 109 { goto st84 } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr68 - } - goto st1 + goto st2 st84: if (p)++; (p) == (pe) { goto _test_eof84 } st_case_84: - if data[(p)] == 117 { + if data[(p)] == 98 { goto st85 } - goto st1 + goto st2 st85: if (p)++; (p) == (pe) { goto _test_eof85 } st_case_85: - if data[(p)] == 97 { + if data[(p)] == 101 { goto st86 } - goto st1 + goto st2 st86: if (p)++; (p) == (pe) { goto _test_eof86 } st_case_86: if data[(p)] == 114 { - goto st87 + goto st75 } - goto st1 + goto st2 + tr5: +//line parser.rl:22 + tok = p + + goto st87 + tr79: +//line parser.rl:97 + event.SetSequence(data[tok:p]) + +//line parser.rl:22 + tok = p + + goto st87 st87: if (p)++; (p) == (pe) { goto _test_eof87 } st_case_87: - if data[(p)] == 121 { - goto st69 +//line parser.go:1998 + if data[(p)] == 101 { + goto st88 } - goto st1 - tr6: -//line parser.rl:20 - tok = p - - goto st88 + goto st2 st88: if (p)++; (p) == (pe) { goto _test_eof88 } st_case_88: -//line parser.go:1642 - switch data[(p)] { - case 97: + if data[(p)] == 98 { goto st89 - case 117: - goto st91 } - goto st1 + goto st2 st89: if (p)++; (p) == (pe) { goto _test_eof89 } st_case_89: - if data[(p)] == 110 { + switch data[(p)] { + case 32: + goto tr91 + case 114: goto st90 } - goto st1 + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr91 + } + goto st2 st90: if (p)++; (p) == (pe) { - goto _test_eof90 + goto _test_eof90 + } + st_case_90: 
+ if data[(p)] == 117 { + goto st91 + } + goto st2 + st91: + if (p)++; (p) == (pe) { + goto _test_eof91 + } + st_case_91: + if data[(p)] == 97 { + goto st92 + } + goto st2 + st92: + if (p)++; (p) == (pe) { + goto _test_eof92 + } + st_case_92: + if data[(p)] == 114 { + goto st93 + } + goto st2 + st93: + if (p)++; (p) == (pe) { + goto _test_eof93 + } + st_case_93: + if data[(p)] == 121 { + goto st75 + } + goto st2 + tr6: +//line parser.rl:22 + tok = p + + goto st94 + tr80: +//line parser.rl:97 + event.SetSequence(data[tok:p]) + +//line parser.rl:22 + tok = p + + goto st94 + st94: + if (p)++; (p) == (pe) { + goto _test_eof94 + } + st_case_94: +//line parser.go:2084 + switch data[(p)] { + case 97: + goto st95 + case 117: + goto st97 + } + goto st2 + st95: + if (p)++; (p) == (pe) { + goto _test_eof95 + } + st_case_95: + if data[(p)] == 110 { + goto st96 + } + goto st2 + st96: + if (p)++; (p) == (pe) { + goto _test_eof96 } - st_case_90: + st_case_96: switch data[(p)] { case 32: - goto tr68 + goto tr91 case 117: - goto st85 + goto st91 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr68 + goto tr91 } - goto st1 - st91: + goto st2 + st97: if (p)++; (p) == (pe) { - goto _test_eof91 + goto _test_eof97 } - st_case_91: + st_case_97: switch data[(p)] { case 108: - goto st92 + goto st98 case 110: - goto st93 + goto st99 } - goto st1 - st92: + goto st2 + st98: if (p)++; (p) == (pe) { - goto _test_eof92 + goto _test_eof98 } - st_case_92: + st_case_98: switch data[(p)] { case 32: - goto tr68 + goto tr91 case 121: - goto st69 + goto st75 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr68 + goto tr91 } - goto st1 - st93: + goto st2 + st99: if (p)++; (p) == (pe) { - goto _test_eof93 + goto _test_eof99 } - st_case_93: + st_case_99: switch data[(p)] { case 32: - goto tr68 + goto tr91 case 101: - goto st69 + goto st75 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr68 + goto tr91 } - goto st1 + goto st2 tr7: -//line parser.rl:20 +//line parser.rl:22 tok = p - goto st94 - st94: + 
goto st100 + tr81: +//line parser.rl:97 + event.SetSequence(data[tok:p]) + +//line parser.rl:22 + tok = p + + goto st100 + st100: if (p)++; (p) == (pe) { - goto _test_eof94 + goto _test_eof100 } - st_case_94: -//line parser.go:1727 + st_case_100: +//line parser.go:2179 if data[(p)] == 97 { - goto st95 + goto st101 } - goto st1 - st95: + goto st2 + st101: if (p)++; (p) == (pe) { - goto _test_eof95 + goto _test_eof101 } - st_case_95: + st_case_101: switch data[(p)] { case 32: - goto tr68 + goto tr91 case 114: - goto st96 + goto st102 case 121: - goto st69 + goto st75 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr68 + goto tr91 } - goto st1 - st96: + goto st2 + st102: if (p)++; (p) == (pe) { - goto _test_eof96 + goto _test_eof102 } - st_case_96: + st_case_102: switch data[(p)] { case 32: - goto tr68 + goto tr91 case 99: - goto st97 + goto st103 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr68 + goto tr91 } - goto st1 - st97: + goto st2 + st103: if (p)++; (p) == (pe) { - goto _test_eof97 + goto _test_eof103 } - st_case_97: + st_case_103: if data[(p)] == 104 { - goto st69 + goto st75 } - goto st1 + goto st2 tr8: -//line parser.rl:20 +//line parser.rl:22 tok = p - goto st98 - st98: + goto st104 + tr82: +//line parser.rl:97 + event.SetSequence(data[tok:p]) + +//line parser.rl:22 + tok = p + + goto st104 + st104: if (p)++; (p) == (pe) { - goto _test_eof98 + goto _test_eof104 } - st_case_98: -//line parser.go:1784 + st_case_104: +//line parser.go:2246 if data[(p)] == 111 { - goto st99 + goto st105 } - goto st1 - st99: + goto st2 + st105: if (p)++; (p) == (pe) { - goto _test_eof99 + goto _test_eof105 } - st_case_99: + st_case_105: if data[(p)] == 118 { - goto st76 + goto st82 } - goto st1 + goto st2 tr9: -//line parser.rl:20 +//line parser.rl:22 tok = p - goto st100 - st100: + goto st106 + tr83: +//line parser.rl:97 + event.SetSequence(data[tok:p]) + +//line parser.rl:22 + tok = p + + goto st106 + st106: if (p)++; (p) == (pe) { - goto _test_eof100 + goto _test_eof106 
} - st_case_100: -//line parser.go:1809 + st_case_106: +//line parser.go:2281 if data[(p)] == 99 { - goto st101 + goto st107 } - goto st1 - st101: + goto st2 + st107: if (p)++; (p) == (pe) { - goto _test_eof101 + goto _test_eof107 } - st_case_101: + st_case_107: if data[(p)] == 116 { - goto st102 + goto st108 } - goto st1 - st102: + goto st2 + st108: if (p)++; (p) == (pe) { - goto _test_eof102 + goto _test_eof108 } - st_case_102: + st_case_108: switch data[(p)] { case 32: - goto tr68 + goto tr91 case 111: - goto st78 + goto st84 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr68 + goto tr91 } - goto st1 + goto st2 tr10: -//line parser.rl:20 +//line parser.rl:22 tok = p - goto st103 - st103: + goto st109 + tr84: +//line parser.rl:97 + event.SetSequence(data[tok:p]) + +//line parser.rl:22 + tok = p + + goto st109 + st109: if (p)++; (p) == (pe) { - goto _test_eof103 + goto _test_eof109 } - st_case_103: -//line parser.go:1849 + st_case_109: +//line parser.go:2331 if data[(p)] == 101 { - goto st104 + goto st110 } - goto st1 - st104: + goto st2 + st110: if (p)++; (p) == (pe) { - goto _test_eof104 + goto _test_eof110 } - st_case_104: + st_case_110: if data[(p)] == 112 { - goto st105 + goto st111 } - goto st1 - st105: + goto st2 + st111: if (p)++; (p) == (pe) { - goto _test_eof105 + goto _test_eof111 } - st_case_105: + st_case_111: switch data[(p)] { case 32: - goto tr68 + goto tr91 case 116: - goto st106 + goto st112 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr68 + goto tr91 } - goto st1 - st106: + goto st2 + st112: if (p)++; (p) == (pe) { - goto _test_eof106 + goto _test_eof112 } - st_case_106: + st_case_112: if data[(p)] == 101 { - goto st77 + goto st83 + } + goto st2 + tr2: +//line parser.rl:22 + tok = p + + goto st113 + st113: + if (p)++; (p) == (pe) { + goto _test_eof113 + } + st_case_113: +//line parser.go:2380 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto tr141 + } + goto st2 + tr141: +//line parser.rl:22 + tok = p + + goto st114 + st114: + if (p)++; (p) 
== (pe) { + goto _test_eof114 + } + st_case_114: +//line parser.go:2396 + if data[(p)] == 62 { + goto tr143 + } + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st115 + } + goto st2 + st115: + if (p)++; (p) == (pe) { + goto _test_eof115 + } + st_case_115: + if data[(p)] == 62 { + goto tr143 + } + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st116 + } + goto st2 + st116: + if (p)++; (p) == (pe) { + goto _test_eof116 + } + st_case_116: + if data[(p)] == 62 { + goto tr143 + } + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st117 + } + goto st2 + st117: + if (p)++; (p) == (pe) { + goto _test_eof117 + } + st_case_117: + if data[(p)] == 62 { + goto tr143 + } + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st118 + } + goto st2 + st118: + if (p)++; (p) == (pe) { + goto _test_eof118 + } + st_case_118: + if data[(p)] == 62 { + goto tr143 + } + goto st2 + tr143: +//line parser.rl:26 + event.SetPriority(data[tok:p]) + + goto st119 + st119: + if (p)++; (p) == (pe) { + goto _test_eof119 + } + st_case_119: +//line parser.go:2460 + switch data[(p)] { + case 65: + goto tr3 + case 68: + goto tr4 + case 70: + goto tr5 + case 74: + goto tr6 + case 77: + goto tr7 + case 78: + goto tr8 + case 79: + goto tr9 + case 83: + goto tr10 + } + if 48 <= data[(p)] && data[(p)] <= 57 { + goto tr1 + } + goto tr0 + st1: + if (p)++; (p) == (pe) { + goto _test_eof1 + } + st_case_1: + goto tr11 + tr11: +//line parser.rl:22 + tok = p + + goto st120 + st120: + if (p)++; (p) == (pe) { + goto _test_eof120 } - goto st1 + st_case_120: +//line parser.go:2500 + goto st120 st_out: - _test_eof1: - cs = 1 - goto _test_eof _test_eof2: cs = 2 goto _test_eof 
@@ -2159,21 +2749,66 @@ func Parse(data []byte, event *event) { _test_eof106: cs = 106 goto _test_eof + _test_eof107: + cs = 107 + goto _test_eof + _test_eof108: + cs = 108 + goto _test_eof + _test_eof109: + cs = 109 + goto _test_eof + _test_eof110: + cs = 110 + goto _test_eof + _test_eof111: + cs = 111 + goto _test_eof + _test_eof112: + cs = 112 + goto _test_eof + _test_eof113: + cs = 113 + goto _test_eof + _test_eof114: + cs = 114 + goto _test_eof + _test_eof115: + cs = 115 + goto _test_eof + _test_eof116: + cs = 116 + goto _test_eof + _test_eof117: + cs = 117 + goto _test_eof + _test_eof118: + cs = 118 + goto _test_eof + _test_eof119: + cs = 119 + goto _test_eof + _test_eof1: + cs = 1 + goto _test_eof + _test_eof120: + cs = 120 + goto _test_eof _test_eof: { } if (p) == eof { switch cs { - case 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106: -//line parser.rl:28 + case 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120: +//line parser.rl:30 event.SetMessage(data[tok:p]) -//line parser.go:2003 +//line parser.go:2632 } } } -//line parser.rl:84 +//line parser.rl:105 } 
diff --git a/filebeat/input/syslog/parser.rl b/filebeat/input/syslog/parser.rl index cbfd32362aec..e5b2c1b143fe 100644 --- a/filebeat/input/syslog/parser.rl +++ b/filebeat/input/syslog/parser.rl @@ -8,9 +8,11 @@ package syslog variable pe pe; }%% -// syslog -//<34>Oct 11 22:14:15 wopr su: 'su root' failed for foobar -//<13>Feb 5 17:32:18 10.0.0.99 Use the quad dmg. +var ( + noDuplicates = []byte{'-', '.'} +) + +// Parse parses Syslog events. func Parse(data []byte, event *event) { var p, cs int pe := len(data) @@ -61,6 +63,21 @@ func Parse(data []byte, event *event) { event.SetNanosecond(data[tok:p]) } + # NOTES: This allow to bail out of obvious non valid + # hostname, this might not be ideal in all situation, but + # when this happen we just go to the catch all case and at least + # extract the message + action lookahead_duplicates{ + if p-1 > 0 { + for _, b := range noDuplicates { + if data[p] == b && data[p-1] == b { + p = tok -1 + fgoto catch_all; + } + } + } + } + action hostname { event.SetHostname(data[tok:p]) } @@ -77,6 +94,10 @@ func Parse(data []byte, event *event) { event.SetTimeZone(data[tok:p]) } + action sequence { + event.SetSequence(data[tok:p]) + } + include syslog_rfc3164 "syslog_rfc3164.rl"; write init; diff --git a/filebeat/input/syslog/parser_test.go b/filebeat/input/syslog/parser_test.go index 68abc2e3f129..161cc3779dfc 100644 --- a/filebeat/input/syslog/parser_test.go +++ b/filebeat/input/syslog/parser_test.go 
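Review bot: The first parser.rl hunk adds `noDuplicates` without a comment and reduces the documentation of `Parse` to `// Parse parses Syslog events.`, so the contract of the entry point for sender-controlled bytes is no longer written down. I would document both, for example `// noDuplicates lists the bytes that must not appear twice in a row inside a hostname; see lookahead_duplicates.` above the variable. For the function, something like `// Parse fills event from one syslog line. It returns no error: input that does not match the header grammar ends up in the message field.` would do. The second sentence matters to callers because the signature `func Parse(data []byte, event *event)` gives them no way to tell a parsed header from the fallback. The body of `Parse` continues outside this hunk.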
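Review bot: In `lookahead_duplicates` (second parser.rl hunk) the guard `if p-1 > 0` is one stricter than the index it protects: `data[p-1]` is valid from `p == 1`, so the check is silently skipped at that offset. A hostname probably cannot start that early because a timestamp precedes it, but the condition should say what it means: `if p > 0 {`. The NOTES comment should also state that the bail-out (`p = tok -1` followed by `fgoto catch_all`) leaves every field set before the hostname on the event and restarts the message at the hostname, so a consumer does not read a populated timestamp as proof that the whole header parsed. The action sits inside `Parse`, whose body starts and ends outside this hunk.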
@@ -31,6 +31,25 @@ func TestParseSyslog(t *testing.T) { log []byte syslog event }{ + { + title: "Cisco's syslog", + log: []byte("<190>589265: Feb 8 18:55:31.306: %SEC-11-IPACCESSLOGP: list 177 denied udp 10.0.0.1(53640) -> 10.100.0.1(15600), 1 packet"), + syslog: event{ + priority: 190, + message: "%SEC-11-IPACCESSLOGP: list 177 denied udp 10.0.0.1(53640) -> 10.100.0.1(15600), 1 packet", + hostname: "", + program: "", + pid: -1, + month: 2, + day: 8, + year: 2018, + hour: 18, + minute: 55, + second: 31, + nanosecond: 306000000, + sequence: 589265, + }, + }, { title: "no timezone in date", log: []byte("<190>2018-06-19 02:13:38 super mon message"), 
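Review bot: `year: 2018` in the expected event for "Cisco's syslog" is not derived from the input, which carries no year (`Feb 8 18:55:31.306`). `newEvent()` in event.go of this commit defaults the year to `time.Now().Year()`, and the IPv6 cases added further down leave `year` unset. If the assertions (outside this hunk) compare the year, the case only passes in 2018; if they do not, the field is misleading. Either way I would drop the line. A second case with a sequence number followed by a remainder that does not parse as a header would also pin what `sequence` holds when the parser falls back to the plain message.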
@@ -507,6 +526,96 @@ func TestParseSyslog(t *testing.T) { second: 18, }, }, + { + title: "ipv6: 1::", + log: []byte("<13>Feb 25 17:32:18 1:: Use the Force!"), + syslog: event{ + message: "Use the Force!", + hostname: "1::", + priority: 13, + pid: -1, + month: 2, + day: 25, + hour: 17, + minute: 32, + second: 18, + }, + }, + { + title: "ipv6: 1::2", + log: []byte("<13>Feb 25 17:32:18 1::2 Use the Force!"), + syslog: event{ + message: "Use the Force!", + hostname: "1::2", + priority: 13, + pid: -1, + month: 2, + day: 25, + hour: 17, + minute: 32, + second: 18, + }, + }, + { + title: "ipv6: 1::2:5", + log: []byte("<13>Feb 25 17:32:18 1::2:5 Use the Force!"), + syslog: event{ + message: "Use the Force!", + hostname: "1::2:5", + priority: 13, + pid: -1, + month: 2, + day: 25, + hour: 17, + minute: 32, + second: 18, + }, + }, + { + title: "ipv4 mapped on ipv6", + log: []byte("<13>Feb 25 17:32:18 ::ffff:0:255.255.255.255 Use the Force!"), + syslog: event{ + message: "Use the Force!", + hostname: "::ffff:0:255.255.255.255", + priority: 13, + pid: -1, + month: 2, + day: 25, + hour: 17, + minute: 32, + second: 18, + }, + }, + { + title: "ipv4 embedded on ipv6", + log: []byte("<13>Feb 25 17:32:18 60::ffff::10.0.1.120 Use the Force!"), + syslog: event{ + message: "Use the Force!", + hostname: "60::ffff::10.0.1.120", + priority: 13, + pid: -1, + month: 2, + day: 25, + hour: 17, + minute: 32, + second: 18, + }, + }, + { + title: "ipv6: 1:2:3:4:5:6:7:8", + log: []byte("<13>Feb 25 17:32:18 1:2:3:4:5:6:7:8 Use the Force!"), + syslog: event{ + message: "Use the Force!", + hostname: "1:2:3:4:5:6:7:8", + priority: 13, + pid: -1, + month: 2, + day: 25, + hour: 17, + minute: 32, + second: 18, + }, + }, { title: "Number inf the host", log: []byte("<164>Oct 26 15:19:25 1.2.3.4 ASA1-2: Deny udp src DRAC:10.1.2.3/43434 dst outside:192.168.0.1/53 by access-group \"acl_drac\" [0x0, 0x0]"), 
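Review bot: None of the cases added in this hunk exercises the new `lookahead_duplicates` fallback, so the path that rewinds `p` and jumps to `catch_all` has no regression test here. I would add a case whose host field contains `..` or `--` and assert that the hostname stays empty and the text lands in `message`. Separately, the case titled "ipv4 embedded on ipv6" pins `60::ffff::10.0.1.120` as the hostname, which contains `::` twice and is therefore not a valid IPv6 literal. A comment such as `// not a valid address: the grammar filters characters, it does not validate hosts` would stop readers from treating `hostname` as a verified address.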
diff --git a/filebeat/input/syslog/syslog_rfc3164.rl b/filebeat/input/syslog/syslog_rfc3164.rl index 2a5638f29a03..e16b9da35da4 100644 --- a/filebeat/input/syslog/syslog_rfc3164.rl +++ b/filebeat/input/syslog/syslog_rfc3164.rl @@ -42,10 +42,11 @@ timestamp_rfc3164 = month space day space time; time_separator = "T" | "t"; timestamp_rfc3339 = year "-" month_numeric "-" day_two_digits (time_separator | space) time timezone?; - timestamp = timestamp_rfc3339 | timestamp_rfc3164; + timestamp = (timestamp_rfc3339 | timestamp_rfc3164) ":"?; - hostname = [a-zA-Z0-9.-_:]+>tok %hostname; - header = timestamp space hostname space; + hostname = ([a-zA-Z0-9\.\-_:]*([a-zA-Z0-9] | "::"))+>tok $lookahead_duplicates %hostname; + hostVars = (hostname ":") | hostname; + header = timestamp space hostVars ":"? space; # MSG # https://tools.ietf.org/html/rfc3164#section-4.1.3 @@ -54,7 +55,9 @@ syslogprog = program ("[" pid "]")? ":" space; message = any+>tok %message; msg = syslogprog? message>tok %message; + sequence = digit+ ":" space>tok %sequence; - main := (prio)? (header msg | timestamp space message | message); + main := (prio)?(sequence)? (header msg | timestamp space message | message); + catch_all := message; }%%
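Review bot: The optional trailing colon after the host is expressed twice in the first hunk, once in `hostVars = (hostname ":") | hostname;` and again in `header = timestamp space hostVars ":"? space;`. `:` is also a member of the hostname class, so a run of colons can be consumed by three different sub-expressions. As far as I can tell this makes the machine ambiguous, and `%hostname` can fire more than once for one header, with the last call deciding the stored value. Since a hostname may already end in `"::"`, `header = timestamp space hostname ":"? space;` should accept the same inputs with one fewer alternative. Regenerate parser.go and rerun the IPv6 cases to confirm, and add a comment saying which device format needs the colon.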
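Review bot: In `sequence = digit+ ":" space>tok %sequence;` (second hunk) the `>tok %sequence` embeddings are written after `space`. Ragel's action operators bind tighter than concatenation, so they attach to `space` rather than to `digit+`, and the rule does not show which bytes `data[tok:p]` covers when `SetSequence` runs. That is worth confirming against the generated transitions. Attaching them to the digits states the intent directly: `sequence = digit+>tok %sequence ":" space;`. `digit+` is also unbounded and the value goes through `bytesToInt` (per event.go in this commit). Whether that helper guards against overflow is not visible here, so a bounded repetition on the digits would cap what a sender can push into the `int` field.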