From f23bd81448b640b37006d6bfffa9315f84cad492 Mon Sep 17 00:00:00 2001 From: Noel Georgi Date: Sun, 3 Mar 2024 13:18:33 +0530 Subject: [PATCH] fix: syslog parser Fixes a condition when the timestamp contains a single digit day. This started failing when the month started :sweat_smile. Also handle a case when `tag` and `hostname` are both missing. Signed-off-by: Noel Georgi --- internal/app/syslogd/internal/parser/parse.go | 59 +++++++++++++++++-- .../app/syslogd/internal/parser/parse_test.go | 12 +++- 2 files changed, 65 insertions(+), 6 deletions(-) diff --git a/internal/app/syslogd/internal/parser/parse.go b/internal/app/syslogd/internal/parser/parse.go index 1c39ddcc61..45ba06407f 100644 --- a/internal/app/syslogd/internal/parser/parse.go +++ b/internal/app/syslogd/internal/parser/parse.go @@ -9,6 +9,7 @@ import ( "bytes" "encoding/json" "fmt" + "slices" "github.com/jeromer/syslogparser" "github.com/jeromer/syslogparser/rfc3164" @@ -29,9 +30,17 @@ func Parse(b []byte) (string, error) { switch rfc { case syslogparser.RFC_3164: - parser = rfc3164.NewParser(b) + input := slices.Clone(b) - if rfc3164ContainsHostname(b) { + tagPresent, hostnamePresent := rfc3164ContainsTagHostname(b) + + if !tagPresent { + input = enhanceRFC3164WithTag(b) + } + + parser = rfc3164.NewParser(input) + + if !hostnamePresent { parser.WithHostname("localhost") } case syslogparser.RFC_5424: @@ -52,11 +61,51 @@ func Parse(b []byte) (string, error) { return string(msg), nil } -func rfc3164ContainsHostname(buf []byte) bool { +func rfc3164ContainsTagHostname(buf []byte) (bool, bool) { indx := bytes.Index(buf, []byte(`]:`)) if indx == -1 { - return false + return false, false + } + + // handle case when timestamp is of the format `<6>Mar 3 12:55:18` + if len(bytes.Split(buf[:indx], []byte(` `))) > 1 { + return true, false + } + + return true, bytes.Count(buf[:indx], []byte(` `)) > 3 +} + +func enhanceRFC3164WithTag(buf []byte) []byte { + var count int + + spaces := 3 + + singleDigitDayIndex := bytes.Index(buf, []byte(` `)) + if singleDigitDayIndex != -1 && singleDigitDayIndex < 8 { + spaces = 4 } - return bytes.Count(buf[:indx], []byte(` `)) == 3 + i := bytes.IndexFunc(buf, func(r rune) bool { + if r == rune(' ') { + count++ + } + + if count == spaces { + return true + } + + return false + }, + ) + + initial := buf[:i] + remaining := buf[i:] + + var syslogBytes bytes.Buffer + + syslogBytes.Write(initial) + syslogBytes.WriteString(" unknown:") + syslogBytes.Write(remaining) + + return syslogBytes.Bytes() } diff --git a/internal/app/syslogd/internal/parser/parse_test.go b/internal/app/syslogd/internal/parser/parse_test.go index 9ce40bbf61..6ae6ccad83 100644 --- a/internal/app/syslogd/internal/parser/parse_test.go +++ b/internal/app/syslogd/internal/parser/parse_test.go @@ -22,7 +22,17 @@ func TestParser(t *testing.T) { { name: "RFC3164 without tag and hostname", input: []byte(`<4>Feb 16 17:54:19 time="2024-02-16T17:54:19.857755073Z" level=warning msg="Could not add /dev/mshv to the devices cgroup`), - expected: `{"content":"msg=\"Could not add /dev/mshv to the devices cgroup","facility":0,"hostname":"time=\"2024-02-16T17:54:19.857755073Z\"","priority":4,"severity":4,"tag":"level=warning","timestamp":"2024-02-16T17:54:19Z"}`, //nolint:lll + expected: `{"content":"time=\"2024-02-16T17:54:19.857755073Z\" level=warning msg=\"Could not add /dev/mshv to the devices cgroup","facility":0,"hostname":"localhost","priority":4,"severity":4,"tag":"unknown","timestamp":"2024-02-16T17:54:19Z"}`, //nolint:lll + }, + { + name: "RFC3164 timestamp contains single digit day", + input: []byte(`<6>Mar 3 12:55:18 syslogd_test[834097]: Hello, syslogd!`), + expected: `{"content":"Hello, syslogd!","facility":0,"hostname":"localhost","priority":6,"severity":6,"tag":"syslogd_test","timestamp":"2024-03-03T12:55:18Z"}`, + }, + { + name: "RFC3164 timestamp contains single digit day & without tag and hostname", + input: []byte(`<6>Mar 3 12:55:18 Hello, syslogd!`), + expected: `{"content":"Hello, syslogd!","facility":0,"hostname":"localhost","priority":6,"severity":6,"tag":"unknown","timestamp":"2024-03-03T12:55:18Z"}`, }, { name: "RFC3164 without hostname",