Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Typo in syslog_rfc3164.rl causes parsing errors for December syslog dates #9323

Closed
rhclayto opened this issue Dec 2, 2018 · 4 comments
Closed

Typo in syslog_rfc3164.rl causes parsing errors for December syslog dates #9323

rhclayto opened this issue Dec 2, 2018 · 4 comments
Assignees
@ph
Labels
bug Filebeat Filebeat

Comments

@rhclayto
Copy link

rhclayto commented Dec 2, 2018
edited

For confirmed bugs, please report:

2018-12-02T07:38:44.727Z	ERROR	[syslog]	syslog/input.go:114	can't not parse event as syslog rfc3164	{"message": "Dec 02 07:38:44 freebsd-11-2 crontab[81334]: (root) BEGIN EDIT (root)"}

This is a properly formatted rfc3164 syslog message, as far as I can tell. Looking at the source code, the month strings are defined in the file syslog_rfc3164.rl. The definition is:

month = ( "Jan" ("uary")? | "Feb" "ruary"? | "Mar" "ch"? | "Apr" "il"? | "Ma" "y"? | "Jun" "e"? | "Jul" "y"? | "Aug" "ust"? | "Sep" ("tember")? | "Oct" "ober"? | "Nov" "ember"? | "ec" "ember"?) >tok %month;

I'm guessing that it should be:

month = ( "Jan" ("uary")? | "Feb" "ruary"? | "Mar" "ch"? | "Apr" "il"? | "Ma" "y"? | "Jun" "e"? | "Jul" "y"? | "Aug" "ust"? | "Sep" ("tember")? | "Oct" "ober"? | "Nov" "ember"? | "Dec" "ember"?) >tok %month;

That is, there is a missing capital D from the December string. Because of this, any syslog message with the month of December in the date will trigger the error.

Edit: I built a filebeat binary on FreeBSD (had to get rid of some gosigar stuff that doesn't work on FreeBSD, HugeTLBPages) with the file patched. However, I am still getting the error message in my logs:

2018-12-02T09:12:16.988Z	ERROR	[syslog]	syslog/input.go:131	can't not parse event as syslog rfc3164	{"message": "Dec 02 09:12:16 freebsd-11-2 crontab[51480]: (root) BEGIN EDIT (root)"}

Any ideas, then, what might be causing this problem?
@rhclayto rhclayto mentioned this issue Dec 2, 2018
Merged
@ph ph mentioned this issue Dec 3, 2018
Merged
@ph
Copy link
Contributor

ph commented Dec 3, 2018

Fix is in #9349

@ph
Copy link
Contributor

ph commented Dec 3, 2018

Edit: I built a filebeat binary on FreeBSD (had to get rid of some gosigar stuff that doesn't work on FreeBSD, HugeTLBPages) with the file patched. However, I am still getting the error message in my logs:

You need to use ragel to regenerate the state machine or use my PR which include the fix and the regenerated parser.

@ph ph self-assigned this Dec 3, 2018
@ph ph added bug Filebeat Filebeat labels Dec 3, 2018
@ph ph closed this as completed in #9349 Dec 3, 2018
This was referenced Dec 3, 2018
Merged
Merged
Closed
Merged
@rhclayto
Copy link
Author

rhclayto commented Dec 3, 2018

You need to use ragel to regenerate the state machine or use my PR which include the fix and the regenerated parser.

What is the command-line you use for the ragel generation?

@ph
Copy link
Contributor

ph commented Dec 3, 2018

@rhclayto If you have ragel installed, you just have to run go generate in the syslog folder and it will generate the file.

But just take the PR I've made #9349 the file is already generated.

ph added a commit that referenced this issue Dec 4, 2018
@ph
Cherry-pick #9349 to 6.x: Fix a typo in the syslog parser to correctl…
f8f6801 
…y parse December or Dec (#9352)

Cherry-pick of PR #9349 to 6.x branch. Original message: 

The syslog parser was missing a `D` in the month, so it was failling to
parse common syslog event from december, this PR add the missing letter
and also add an unit test to cover both the short and full month format.

Fixes: #9323

--- 
Reported at https://discuss.elastic.co/t/typo-in-syslog-rfc3164-rl-causes-parsing-errors-for-december-syslog-dates/159030
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ph ph

Labels
bug Filebeat Filebeat
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ph @rhclayto