fix: syslog parser

Fixes a condition when the timestamp contains a single digit day. This started failing when the month started :sweat_smile. Also handle a case when `tag` and `hostname` are both missing. Signed-off-by: Noel Georgi <git@frezbo.dev>
siderolabs · Mar 4, 2024 · f23bd81 · f23bd81
1 parent bbed07e
commit f23bd81
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 6 deletions.
diff --git a/internal/app/syslogd/internal/parser/parse.go b/internal/app/syslogd/internal/parser/parse.go
@@ -9,6 +9,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"slices"
 
 	"github.com/jeromer/syslogparser"
 	"github.com/jeromer/syslogparser/rfc3164"
@@ -29,9 +30,17 @@ func Parse(b []byte) (string, error) {
 
 	switch rfc {
 	case syslogparser.RFC_3164:
-		parser = rfc3164.NewParser(b)
+		input := slices.Clone(b)
 
-		if rfc3164ContainsHostname(b) {
+		tagPresent, hostnamePresent := rfc3164ContainsTagHostname(b)
+
+		if !tagPresent {
+			input = enhanceRFC3164WithTag(b)
+		}
+
+		parser = rfc3164.NewParser(input)
+
+		if !hostnamePresent {
 			parser.WithHostname("localhost")
 		}
 	case syslogparser.RFC_5424:
@@ -52,11 +61,51 @@ func Parse(b []byte) (string, error) {
 	return string(msg), nil
 }
 
-func rfc3164ContainsHostname(buf []byte) bool {
+func rfc3164ContainsTagHostname(buf []byte) (bool, bool) {
 	indx := bytes.Index(buf, []byte(`]:`))
 	if indx == -1 {
-		return false
+		return false, false
+	}
+
+	// handle case when timestamp is of the format `<6>Mar  3 12:55:18`
+	if len(bytes.Split(buf[:indx], []byte(`  `))) > 1 {
+		return true, false
+	}
+
+	return true, bytes.Count(buf[:indx], []byte(` `)) > 3
+}
+
+func enhanceRFC3164WithTag(buf []byte) []byte {
+	var count int
+
+	spaces := 3
+
+	singleDigitDayIndex := bytes.Index(buf, []byte(`  `))
+	if singleDigitDayIndex != -1 && singleDigitDayIndex < 8 {
+		spaces = 4
 	}
 
-	return bytes.Count(buf[:indx], []byte(` `)) == 3
+	i := bytes.IndexFunc(buf, func(r rune) bool {
+		if r == rune(' ') {
+			count++
+		}
+
+		if count == spaces {
+			return true
+		}
+
+		return false
+	},
+	)
+
+	initial := buf[:i]
+	remaining := buf[i:]
+
+	var syslogBytes bytes.Buffer
+
+	syslogBytes.Write(initial)
+	syslogBytes.WriteString(" unknown:")
+	syslogBytes.Write(remaining)
+
+	return syslogBytes.Bytes()
 }
diff --git a/internal/app/syslogd/internal/parser/parse_test.go b/internal/app/syslogd/internal/parser/parse_test.go
@@ -22,7 +22,17 @@ func TestParser(t *testing.T) {
 		{
 			name:     "RFC3164 without tag and hostname",
 			input:    []byte(`<4>Feb 16 17:54:19 time="2024-02-16T17:54:19.857755073Z" level=warning msg="Could not add /dev/mshv to the devices cgroup`),
-			expected: `{"content":"msg=\"Could not add /dev/mshv to the devices cgroup","facility":0,"hostname":"time=\"2024-02-16T17:54:19.857755073Z\"","priority":4,"severity":4,"tag":"level=warning","timestamp":"2024-02-16T17:54:19Z"}`, //nolint:lll
+			expected: `{"content":"time=\"2024-02-16T17:54:19.857755073Z\" level=warning msg=\"Could not add /dev/mshv to the devices cgroup","facility":0,"hostname":"localhost","priority":4,"severity":4,"tag":"unknown","timestamp":"2024-02-16T17:54:19Z"}`, //nolint:lll
+		},
+		{
+			name:     "RFC3164 timestamp contains single digit day",
+			input:    []byte(`<6>Mar  3 12:55:18 syslogd_test[834097]: Hello, syslogd!`),
+			expected: `{"content":"Hello, syslogd!","facility":0,"hostname":"localhost","priority":6,"severity":6,"tag":"syslogd_test","timestamp":"2024-03-03T12:55:18Z"}`,
+		},
+		{
+			name:     "RFC3164 timestamp contains single digit day & without tag and hostname",
+			input:    []byte(`<6>Mar  3 12:55:18 Hello, syslogd!`),
+			expected: `{"content":"Hello, syslogd!","facility":0,"hostname":"localhost","priority":6,"severity":6,"tag":"unknown","timestamp":"2024-03-03T12:55:18Z"}`,
 		},
 		{
 			name:     "RFC3164 without hostname",