Fix RFC5424 syslog parser to return Z as a timestamp offset (#35360)

(cherry picked from commit ef1e666)
elastic · May 15, 2023 · 1f91834 · 1f91834
1 parent c42e325
commit 1f91834
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 54 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -123,6 +123,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - Move repeated Windows event channel not found errors in winlog input to debug level.  {issue}35314[35314] {pull}35317[35317]
 - Fix crash when processing forwarded logs missing a message. {issue}34705[34705] {pull}34865[34865]
 - Fix crash when loading azurewebstorage cursor with no partially processed data. {pull}35433[35433]
+- RFC5424 syslog timestamps with offset 'Z' will be treated as UTC rather than using the default timezone. {pull}35360[35360]
 
 *Heartbeat*
 

diff --git a/filebeat/input/syslog/parser/syslog_rfc5424.rl b/filebeat/input/syslog/parser/syslog_rfc5424.rl
@@ -26,7 +26,7 @@
   TIME_SECOND     = ([0-5][0-9])>tok %second;
   TIME_SECFRAC    = '.' digit{1,6}>tok %nanosecond;
   TIME_NUMOFFSET  = ('+' | '-') ([0-5][0-9]) ':' ([0-5][0-9]);
-  TIME_OFFSET     = 'Z' | TIME_NUMOFFSET >tok %timezone;
+  TIME_OFFSET     = ('Z' | TIME_NUMOFFSET) >tok %timezone;
   PARTIAL_TIME    = TIME_HOUR ":" TIME_MINUTE ":" TIME_SECOND  TIME_SECFRAC?;
   FULL_TIME       = PARTIAL_TIME TIME_OFFSET;