libbeat/reader/syslog: relax timestamp parsing to allow leading zero

This change relaxes the RFC3164 timestamp grammar to allow dates with a leading
zero to be parsed as valid syslog timestamps, bringing the parser's behaviour into
line with the parser in filebeat/input/syslog.

CHANGELOG.next.asciidoc

@@ -106,6 +106,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...main[Check the HEAD dif
 - Add cronjob metadata by default {pull}30637[30637]
 - New option `setup.template.json.data_stream` is added to indicate if the JSON index template is a data stream. {pull}31048[31048]
 - Add support for port mapping in docker hints. {pull}31243[31243]
+- Relax timestamp syntax for RFC3164 syslog to allow leading zero on day. {issue}16824[16824] {pull}31254[31254]
 
 *Auditbeat*
 

libbeat/reader/syslog/parser/common.rl

@@ -71,7 +71,7 @@
 
     # Timestamp
     timestamp_rfc3339 = (ts_yyyymmdd 'T' ts_hhmmss ('.' digit{1,6})? ts_offset) >tok %set_timestamp_rfc3339 $err(err_timestamp);
-    timestamp_bsd     = (month_str . sp . day_nopad . sp . ts_hhmmss) >tok %set_timestamp_bsd $err(err_timestamp);
+    timestamp_bsd     = (month_str . sp . (day_nopad|day) . sp . ts_hhmmss) >tok %set_timestamp_bsd $err(err_timestamp);
 
     # Hostname
     hostname_range    = graph{1,255};

libbeat/reader/syslog/rfc3164_test.go

@@ -76,6 +76,17 @@ var parseRFC3164Cases = map[string]struct {
 			msg:       "this is the message",
 		},
 	},
+	"non-standard-date": {
+		In: "<123>Sep 01 02:03:04 hostname message",
+		Want: message{
+			timestamp: mustParseTimeLoc(time.Stamp, "Sep 1 02:03:04", time.Local),
+			priority:  123,
+			facility:  15,
+			severity:  3,
+			hostname:  "hostname",
+			msg:       "message",
+		},
+	},
 	"err-pri-not-a-number": {
 		In:      "<abc>Oct 11 22:14:15 test-host this is the message",
 		WantErr: ErrPriority,