Improve syslog parser/processor error handling

[taylor-swanson]

What does this PR do?

• Use multierr to catch multiple errors during processing.
• Priority field for RFC 3164 messages are now optional, as some
  syslog providers will omit the priority part of the header.
• If an error occurs, any fields that were already parsed will
  be returned, alongside error.message.
• Added flag for timestamp set, which prevents setting the event
  timestamp to the zero time in case it was omitted or not parsed.

Why is it important?

We should be giving back as much data to the user as possible, even if an error occurs. This will also lay the foundation for further improvements to the parser itself. Currently, when a parsing error is encountered, the parser will stop processing and exit early. While this is fine for early EOFs, it can be problematic if we hit a more minor problem, such as a slight deviation from RFC. I attempted to change the parser to do this, but it proved to be too time consuming and complicated, at least for right now.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

go test github.com/elastic/beats/v7/libbeat/reader/syslog
go test github.com/elastic/beats/v7/libbeat/processors/syslog

Related issues

• Relates Make Syslog parser/processor handle errors more gracefully #31246

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-04-26T13:50:44.667+0000

• Duration: 31 min 40 sec

Test stats 🧪

Test	Results
Failed	0
Passed	3978
Skipped	915
Total	4893

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[efd6]

Initial comments.

[efd6]

I'd replace all these , with a single nolint on the if statements

[taylor-swanson]

If you're referring to removing the explicit discards on the return values, I'd rather keep them in place. While it is more verbose, it makes it more clear to the reader that return values are being ignored here.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b syslog-error-handling upstream/syslog-error-handling
git merge upstream/main
git push upstream syslog-error-handling

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[efd6]

t = t.AddDate(time.Now().In(loc).Year()-t.Year()+1, 0, 0) or add a comment about why this is being done (the parameter provided context, but now that is lost).

Alternatively, the parameter could come back and the two functions be merged into func mustParseTimeLoc(layout string, value string, loc *time.Location) time.Time where the loc is not used for formats that provide it (e.g. called like mustParseTime(time.RFC3339Nano, "2003-10-11T22:14:15.003Z", nil) and mustParseTime(time.Stamp, "Oct 11 22:14:15", cfgtype.MustNewTimezone("America/Chicago").Location())).

[taylor-swanson]

This is one of the reasons why I didn't want to remove the parameter. Context is being lost on why this is being done. What I had before wasn't perfect and only added the year when time.Stamp was used. Alternatively, I can look at the time's year and if it's zero I'll enrich it with the current year. I'd rather do that than blindly apply this to all timestamps that are seen (no need to do it if the time already has a valid year).

I like what you're suggesting in the second paragraph. I never liked getting rid of the layout parameter since meaning was lost on the caller side. I'll combine the two functions into one and update the calls, and add some doc strings as well.

[efd6]

This is the unfortunate consequence of including style linting in the CI failure path; it is entirely possible for a linter to push towards worse code.

[efd6]

Can we differentiate error states that are recoverable from error states that give us no usable information. Also add a not on the godoc to the effect that the error doesn't necessarily preclude use of the fields.

[taylor-swanson]

At the moment, I don't think so. The parser isn't set up to recover from an error state yet. It can either try again for the exact same result, or it tumbles out with a bunch of errors and partially filled fields, all depends on where and how it fails. That's something I plan to address in the next round of changes.

[efd6]

Thanks.

[kvch]

Why did you remove this test case? It is true that priority might be missing, but what if the priority is supposed to be there but formatted incorrectly? I think this test case is still valid.

[taylor-swanson]

It isn't, at least in terms of checking if the priority is correct or not. The parser looks for a starting <, if it's not present, then it goes to the next state, which is the timestamp. It can do this now since priority values are now optional. Since we start with a number here, it will try to parse it as an RFC3339 timestamp, which will ultimately fail.

I'll restore the test, but it will have to switch to checking for an ErrTimestamp instead of ErrPriority for the reason stated above.

[taylor-swanson]

/test

[taylor-swanson]

/test

[taylor-swanson]

I'm going to abandon this PR in favor of my next round of changes that I'm working on, which are nearly done. I'll apply the discussions we've had here towards the new code as well (it was building on everything we talked about here).