Accept syslog dates with leading 0 (#27775)

This makes the RFC3164 parser accept dates with a leading 0. This makes the parser a little more liberal than the spec. From RFC3164 https://datatracker.ietf.org/doc/html/rfc3164#section-4.1.2 If the day of the month is less than 10, then it MUST be represented as a space and then the number. For example, the 7th day of August would be represented as "Aug 7", with two spaces between the "g" and the "7". So now it will accept both `Sep 01` and `Sep 1`.
elastic · Sep 7, 2021 · e66b4e6 · e66b4e6
1 parent b3497ca
commit e66b4e6
Show file tree

Hide file tree

Showing 4 changed files with 383 additions and 343 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -742,6 +742,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Update `tags` and `threatintel.indicator.provider` fields in `threatintel.anomali` ingest pipeline {issue}24746[24746] {pull}27141[27141]
 - Move AWS module and filesets to GA. {pull}27428[27428]
 - update ecs.version to ECS 1.11.0. {pull}27107[27107]
+- Added support for parsing syslog dates containing a leading 0 (e.g. `Sep 01`) rather than a space. {pull}27775[27775]
 - Add base64 Encode functionality to httpjson input. {pull}27681[27681]
 - Add `join` and `sprintf` functions to `httpjson` input. {pull}27735[27735]
 

diff --git a/filebeat/input/syslog/parser/syslog_rfc3164.rl b/filebeat/input/syslog/parser/syslog_rfc3164.rl
@@ -17,7 +17,7 @@
   month = ( "Jan" ("uary")? | "Feb" "ruary"? | "Mar" "ch"? | "Apr" "il"? | "Ma" "y"? | "Jun" "e"? | "Jul" "y"? | "Aug" "ust"? | "Sep" ("tember")? | "Oct" "ober"? | "Nov" "ember"? | "Dec" "ember"?) >tok %month;
 
   # Match: " 5" and "10" as the day
-  multiple_digits_day = (([12][0-9]) | ("3"[01]))>tok %day;
+  multiple_digits_day = (([012][0-9]) | ("3"[01]))>tok %day;
   single_digit_day = [1-9]>tok %day;
   day = (space? single_digit_day | multiple_digits_day);