enhancement(syslog source): Syslog source as a (socket+remap) composition

[prognant]

Working PoC, I kept the original source to have both sources side by side to easily compare behaviour, early tests show that all socket family (tcp/udp/af_unix) works as expected.

Right now we have slight differences in generated events:
e.g. for <13>1 2019-02-13T19:48:34+00:00 74794bfb6795 root 8449 - [meta sequenceId="1"] i am foobar
The original syslog source will produce:

{
  "appname": "root",
  "facility": "user",
  "host": "74794bfb6795",
  "hostname": "74794bfb6795",
  "message": "i am foobar",
  "meta": {
    "sequenceId": "1"
  },
  "procid": 8449,
  "service": "vector",
  "severity": "notice",
  "source_ip": "10.121.132.66",
  "source_type": "syslog",
  "timestamp": "2019-02-13T19:48:34Z",
  "version": 1
}

while the one based on the remap transform will produce:

{
  "appname": "root",
  "facility": "user",
  "host": "10.121.132.66",
  "hostname": "74794bfb6795",
  "message": "i am foobar",
  "meta.sequenceId": "1",
  "procid": 8449,
  "service": "vector",
  "severity": "notice",
  "source_type": "syslog_remap",
  "timestamp": "2019-02-13T19:48:34Z",
  "version": 1
}

I don't think the way meta.sequenceId is serialized really matters as both are ultimately equivalent.
However the host & source_ip values may require some additional work to kept the exact same behaviour if deemed mandatory.

Todo : port tests/syslog.rs to this new source for early assessment

[binarylogic]

cc @FungusHumungus on the structural differences. What do you think the best path forward is to preserving backward compatibility?

[StephenWakely]

What do you think the best path forward is to preserving backward compatibility?

The differences between the Syslog source and the Socket sources is that they use different decoders. Tcp uses a BytesDelimitedCodec (each of the socket sources are actually slightly different - but I think the principles are still largely the same), Syslog uses a custom build SyslogDecoder.

The syslog decoder handles octet counting. If the first bytes of the incoming message are numerical it uses that number to determine how long the message will be. This allows for messages containing newlines - otherwise the message will be considered only up to the first newline.

To maintain backward compatibility we need to be able to pass a parameter into the Socket source to allow you to specify the decoder to use. Possible this should be a hidden option? The Syslog source can pass the Syslog decoder to the Socket source.

A slight complication is that the Decoder is an associated type for the source, so it's not just a simple matter of being able to pass in the Decoder directly. We would likely need to create a wrapper struct that points to a dyn Decoder or something similar.

[bruceg]

As @FungusHumungus points out, this needs to handle the syslog protocol octet framing like SyslogDecoder does, in addition to tweaking the output event for field compatibility.

[bruceg]

Suggested change

	return SocketConfig::generate_config();
	SocketConfig::generate_config()

[bruceg]

We've started using the indoc! macro for things like this so they don't have to break the indentation flow like this.

[prognant]

So regarding the octet framing, we will have to keep the SyslogDecoder for TCP and af_unix/stream to handle the <LEN> <MSG> scheme properly, I will work on that. Thanks for the review !

[binarylogic]

I feel like I might be missing something. Doesn't the Remap parse_syslog function also use syslog-loose under the hood? Which our syslog source uses as well. So I don't understand how the event structure is different.

[prognant]

From my understanding the Socket source, when listening on a TCP socket, breaks the stream and generate a new event on every newline character (https://github.com/timberio/vector/blob/master/src/sources/socket/tcp.rs#L84-L86) however a single syslog message can contain one or many newline characters, thus the <LEN> <MSG> scheme described here that allows to split the incoming stream at the right places instead of every new line character (that would in some case cut a single syslog message into several pieces).

[bruceg]

I feel like I might be missing something. Doesn't the Remap parse_syslog function also use syslog-loose under the hood? Which our syslog source uses as well. So I don't understand how the event structure is different.

There are two layers to this issue. You are correct that both the syslog source and parse_syslog use the same underlying parser to convert the message text into an event. However, the syslog source also handles message framing, which is not strictly one-message-per-line when in a stream protocol like TCP, as the socket source does. So it can use VRL to parse the messages, but it also needs to handle message framing differently.

[lukesteensen]

This is looking good! Re: octet framing, we could add that functionality as an option to the socket source itself and simply configure it here. I'm not sure if there are other use cases for it outside of syslog or not.

[lukesteensen]

Instead of creating a new pipeline and spawning an additional task, I think we can just do something like:

cx.out.inlines.push(Box::new(tf));

We may want a nicer API than just making inlines a public field, but the idea is the same.

[lukesteensen]

This is an interesting bit I hadn't thought of. Maybe we should make this kind of tagging something that happens from the source context and/or pipeline as well? That way we could again just modify the context and pass it down to keep this simpler.

[prognant]

As we do it for every source it would makes sense to do it on a general basis. From what I can tell if we want to leverage the pipeline logic we could use something like the AddFields transform in the inlines vec.

[prognant]

After doing some test, digging into the current syslog source and checking syslog RFC, it appears that the default socket behaviour is never aligned with syslog requirements:

• With TCP we should re-use the existing syslog decoder
• With UDP, syslog explicitly says 1 datagram = 1 message whereas the current UDP source split incoming payload on a per line basis
• With af_unix datagram (not by the current syslog source) it should be the same (1 datagram = 1 event ) as UDP
• With af_unix stream, the existing syslog decoder should also be re-used

[prognant]

This is looking good! Re: octet framing, we could add that functionality as an option to the socket source itself and simply configure it here. I'm not sure if there are other use cases for it outside of syslog or not.

Thanks for the review, regarding the syslog decoder I don't really know where to move it, right now I relocated it with the ByteDelimitecCodec but it's very specific to syslog so it may be a little bit odd, I implement a dummy decoder wrapper as suggested by @StephenWakely, overal it works for TCP. But as stated before none of the default behaviour for socket source was suitable for syslog, requiring some decoding ajustement (see #7199 for UDP).

[prognant]

There is probably a way more idiomatic version of that.

[prognant]

As agreed let's postponed this and wait for the codec work to be completed as this seems a good usecase for this.

[pablosichert]

The "Framing and Codecs" RFC (ongoing work) can be found here #7352.

In any case, this PR is very helpful to understand where I need to take a closer look.

[jszwedko]

Closing this since @pablosichert will be revisiting with the codec work. I'll leave the branch though.