From 1842eebc9dc2a8ae5c0fe7131e60221e828030a8 Mon Sep 17 00:00:00 2001 From: Michael Lasevich Date: Thu, 12 Mar 2020 17:08:34 -0700 Subject: [PATCH 1/2] test to detect wrong syslog format Signed-off-by: Michael Lasevich --- test/plugin/test_parser_syslog.rb | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/test/plugin/test_parser_syslog.rb b/test/plugin/test_parser_syslog.rb index 66d2b02389..dfbe2ed8d4 100644 --- a/test/plugin/test_parser_syslog.rb +++ b/test/plugin/test_parser_syslog.rb @@ -496,6 +496,13 @@ def test_parse_with_both_message_type(param) assert_equal(Fluent::Plugin::SyslogParser::REGEXP_RFC5424_WITH_PRI, @parser.instance.patterns['format']) + text = '<1>Feb 28 12:00:02 192.168.0.1 fluentd[11111]: [error] Syslog test 2>1' + @parser.instance.parse(text) do |time, record| + assert_equal(event_time("Feb 28 12:00:02", format: '%b %d %M:%S:%H'), time) + assert_equal(@expected.merge('pri' => 1, 'message'=> '[error] Syslog test 2>1'), record) + end + assert_equal(Fluent::Plugin::SyslogParser::REGEXP_WITH_PRI, @parser.instance.patterns['format']) + text = '<1>Feb 28 12:00:02 192.168.0.1 fluentd[11111]: [error] Syslog test' @parser.instance.parse(text) do |time, record| assert_equal(event_time("Feb 28 12:00:02", format: '%b %d %M:%S:%H'), time) From a32bbd8e1142cb7f3cfe64d6f08c3826085058ef Mon Sep 17 00:00:00 2001 From: Michael Lasevich Date: Thu, 12 Mar 2020 17:10:07 -0700 Subject: [PATCH 2/2] Fix RFC detection regex to match parser Signed-off-by: Michael Lasevich --- lib/fluent/plugin/parser_syslog.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/fluent/plugin/parser_syslog.rb b/lib/fluent/plugin/parser_syslog.rb index 8465332060..dd9586330c 100644 --- a/lib/fluent/plugin/parser_syslog.rb +++ b/lib/fluent/plugin/parser_syslog.rb 
@@ -36,7 +36,7 @@ class SyslogParser < Parser
 REGEXP_RFC5424_WITH_PRI = Regexp.new(<<~'EOS'.chomp % REGEXP_RFC5424, Regexp::MULTILINE)
 \A<(?[0-9]{1,3})\>[1-9]\d{0,2} %s\z
 EOS
- REGEXP_DETECT_RFC5424 = /^\<.*\>[1-9]\d{0,2}/
+ REGEXP_DETECT_RFC5424 = /^\<[0-9]{1,3}\>[1-9]\d{0,2}/
 config_set_default :time_format, "%b %d %H:%M:%S"
 desc 'If the incoming logs have priority prefix, e.g. <9>, set true'
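Review bot: The tightened `REGEXP_DETECT_RFC5424` is still anchored with `^`, which in Ruby matches at the start of every line, whereas `REGEXP_RFC5424_WITH_PRI` just above it is anchored with `\A` and compiled with `Regexp::MULTILINE`. A sender-controlled message whose first line is not RFC 5424 but which has a later line beginning with something like `<13>1` (constructed example) would still be detected as RFC 5424 and then fail the `\A`-anchored parse; the code that consumes the detector lies outside this hunk, so that outcome is inferred. Anchoring the detector the same way as the parser closes the gap: `REGEXP_DETECT_RFC5424 = /\A\<[0-9]{1,3}\>[1-9]\d{0,2}/`. The test added in test/plugin/test_parser_syslog.rb only exercises a single-line message containing `2>1`, so a case with an embedded newline would pin this behaviour down.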