Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat] Syslog RFC5424 messages cannot be parsed on the first 9 days of each month #26372

Closed
manarth opened this issue Jun 18, 2021 · 4 comments
Closed

[Filebeat] Syslog RFC5424 messages cannot be parsed on the first 9 days of each month #26372

manarth opened this issue Jun 18, 2021 · 4 comments
Assignees
@faec
Labels
bug P1 Team:Elastic-Agent Label for the Agent team

Comments

@manarth
Copy link

manarth commented Jun 18, 2021

  • Version: 7.13.2
  • Operating System: Linux

Steps to Reproduce

  • Configure a syslog input using rfc5424:
filebeat.inputs:
- type: syslog
  format: rfc5424
  • Receive a syslog message specifying a date during the first 9 days of the month:
<133>1 2021-06-08T23:57:05+00:00 hostfoo facilitybar - - - [08/Jun/2021:23:57:04 +0000] debug message here
  • What happens?

An error message is reported

can't parse event as syslog rfc5424

  • What's expected to happen?

The message is expected to be processed.

Cause

See https://github.com/elastic/beats/blob/v7.13.2/filebeat/input/syslog/parser/syslog_rfc5424.rl#L21

DATE_MDAY       = (([12][0-9]) | ("3"[01]))>tok %day;

The Ragel definition doesn't support two-digit days beginning with 0.

See also: the generated state-machine: https://github.com/elastic/beats/blob/v7.13.2/filebeat/input/syslog/rfc5424_parser.go#L8679

Suggested fix:

DATE_MDAY       = (("0"[1-9]) | ([12][0-9]) | ("3"[01]))>tok %day;
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jun 18, 2021
@kaiyan-sheng kaiyan-sheng added the Team:Elastic-Agent Label for the Agent team label Jun 22, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/agent (Team:Agent)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jun 22, 2021
@kaiyan-sheng
Copy link
Contributor

@manarth Thank you so much for reporting this issue. Seems like we need better testing to catch this issue. Do you mind creating a PR to fix this since you already got your suggested fix ready? TIA!

@ph ph assigned faec Jun 22, 2021
@faec
Copy link
Contributor

faec commented Jun 22, 2021

Thanks for the report! I'll get a fix together, no worries :-)

@faec faec mentioned this issue Jun 22, 2021
Merged
6 tasks
@urso
Copy link

urso commented Jul 14, 2021

Fix had been merged.

@urso urso closed this as completed Jul 14, 2021
@manarth manarth mentioned this issue Aug 1, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@faec faec

Labels
bug P1 Team:Elastic-Agent Label for the Agent team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@ph @urso @manarth @kaiyan-sheng @elasticmachine @faec