diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index fe61234ea9d8..34911a6bc992 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -108,6 +108,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...main[Check the HEAD dif - Add cronjob metadata by default {pull}30637[30637] - New option `setup.template.json.data_stream` is added to indicate if the JSON index template is a data stream. {pull}31048[31048] - Add support for port mapping in docker hints. {pull}31243[31243] +- Relax timestamp syntax for RFC3164 syslog to allow leading zero on day. {issue}16824[16824] {pull}31254[31254] *Auditbeat* diff --git a/libbeat/reader/syslog/docs/syslog.asciidoc b/libbeat/reader/syslog/docs/syslog.asciidoc index 9fa25c154478..85bf6a84d628 100644 --- a/libbeat/reader/syslog/docs/syslog.asciidoc +++ b/libbeat/reader/syslog/docs/syslog.asciidoc @@ -40,6 +40,8 @@ filebeat.inputs: The RFC 3164 format accepts the following forms of timestamps: * Local timestamp (`Mmm dd hh:mm:ss`): + ** `Jan 3 14:09:01` + ** `Jan 03 14:09:01` ** `Jan 23 14:09:01` * RFC-3339*: ** `2003-10-11T22:14:15Z` @@ -47,6 +49,9 @@ The RFC 3164 format accepts the following forms of timestamps: ** `2003-10-11T22:14:15-06:00` ** `2003-10-11T22:14:15.123456-06:00` +As an extension to RFC 3164, dates with a day that has a leading zero are allowed. For +example, `Feb 08 08:59:59` is accepted as well as the RFC-compliant `Feb 8 08:59:59`. + *Note*: The local timestamp (for example, `Jan 23 14:09:01`) that accompanies an RFC 3164 message lacks year and time zone information. The time zone will be enriched using the `timezone` configuration option, and the year will be enriched using the diff --git a/libbeat/reader/syslog/parser/common.rl b/libbeat/reader/syslog/parser/common.rl index a360822f6aa1..5501c089f6bb 100644 --- a/libbeat/reader/syslog/parser/common.rl +++ b/libbeat/reader/syslog/parser/common.rl 
@@ -71,7 +71,7 @@ # Timestamp timestamp_rfc3339 = (ts_yyyymmdd 'T' ts_hhmmss ('.' digit{1,6})? ts_offset) >tok %set_timestamp_rfc3339 $err(err_timestamp); - timestamp_bsd = (month_str . sp . day_nopad . sp . ts_hhmmss) >tok %set_timestamp_bsd $err(err_timestamp); + timestamp_bsd = (month_str . sp . (day_nopad|day) . sp . ts_hhmmss) >tok %set_timestamp_bsd $err(err_timestamp); # Hostname hostname_range = graph{1,255}; diff --git a/libbeat/reader/syslog/rfc3164_gen.go b/libbeat/reader/syslog/rfc3164_gen.go index f2cff50ae71d..c29d77b6601b 100644 --- a/libbeat/reader/syslog/rfc3164_gen.go +++ b/libbeat/reader/syslog/rfc3164_gen.go @@ -5079,6 +5079,8 @@ func parseRFC3164(data string, loc *time.Location) (message, error) { switch data[p] { case 32: goto st303 + case 48: + goto st303 case 51: goto st316 } @@ -5235,7 +5237,7 @@ func parseRFC3164(data string, loc *time.Location) (message, error) { goto _test_eof318 } st_case_318: -//line rfc3164_gen.go:5230 +//line rfc3164_gen.go:5232 if data[p] == 101 { goto st319 } @@ -5260,7 +5262,7 @@ func parseRFC3164(data string, loc *time.Location) (message, error) { goto _test_eof320 } st_case_320: -//line rfc3164_gen.go:5255 +//line rfc3164_gen.go:5257 if data[p] == 101 { goto st321 } @@ -5285,7 +5287,7 @@ func parseRFC3164(data string, loc *time.Location) (message, error) { goto _test_eof322 } st_case_322: -//line rfc3164_gen.go:5280 +//line rfc3164_gen.go:5282 switch data[p] { case 97: goto st323 @@ -5325,7 +5327,7 @@ func parseRFC3164(data string, loc *time.Location) (message, error) { goto _test_eof325 } st_case_325: -//line rfc3164_gen.go:5320 +//line rfc3164_gen.go:5322 if data[p] == 97 { goto st326 } @@ -5353,7 +5355,7 @@ func parseRFC3164(data string, loc *time.Location) (message, error) { goto _test_eof327 } st_case_327: -//line rfc3164_gen.go:5348 +//line rfc3164_gen.go:5350 if data[p] == 111 { goto st328 } 
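Review bot: The alternation `(day_nopad|day)` in `timestamp_bsd` has no comment saying that the zero-padded day is a deliberate departure from RFC 3164, so a later reader of the grammar may take it for a mistake and tighten it again. I would add above the rule `# Extension to RFC 3164: a zero-padded day ("Feb 08") is accepted as well as the space-padded form.` The definitions of `day_nopad` and `day` are outside this hunk, so it is worth confirming that `day` rejects `00` and values above 31. The regenerated state machine sends both byte 32 and byte 48 to the same next state, which suggests the digit that follows is checked the same way for both forms, but that state is not visible here.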
@@ -5378,7 +5380,7 @@ func parseRFC3164(data string, loc *time.Location) (message, error) { goto _test_eof329 } st_case_329: -//line rfc3164_gen.go:5373 +//line rfc3164_gen.go:5375 if data[p] == 99 { goto st330 } @@ -5403,7 +5405,7 @@ func parseRFC3164(data string, loc *time.Location) (message, error) { goto _test_eof331 } st_case_331: -//line rfc3164_gen.go:5398 +//line rfc3164_gen.go:5400 if data[p] == 101 { goto st332 } @@ -5428,7 +5430,7 @@ func parseRFC3164(data string, loc *time.Location) (message, error) { goto _test_eof333 } st_case_333: -//line rfc3164_gen.go:5423 +//line rfc3164_gen.go:5425 switch data[p] { case 57: goto st335 @@ -5450,7 +5452,7 @@ func parseRFC3164(data string, loc *time.Location) (message, error) { goto _test_eof334 } st_case_334: -//line rfc3164_gen.go:5445 +//line rfc3164_gen.go:5447 if data[p] == 62 { goto tr5 } @@ -6622,7 +6624,7 @@ func parseRFC3164(data string, loc *time.Location) (message, error) { err = ErrHostname p-- -//line rfc3164_gen.go:5870 +//line rfc3164_gen.go:5872 } } diff --git a/libbeat/reader/syslog/rfc3164_test.go b/libbeat/reader/syslog/rfc3164_test.go index 3685405c98f0..558e9089a16d 100644 --- a/libbeat/reader/syslog/rfc3164_test.go +++ b/libbeat/reader/syslog/rfc3164_test.go @@ -76,6 +76,17 @@ var parseRFC3164Cases = map[string]struct { msg: "this is the message", }, }, + "non-standard-date": { + In: "<123>Sep 01 02:03:04 hostname message", + Want: message{ + timestamp: mustParseTimeLoc(time.Stamp, "Sep 1 02:03:04", time.Local), + priority: 123, + facility: 15, + severity: 3, + hostname: "hostname", + msg: "message", + }, + }, "err-pri-not-a-number": { In: "Oct 11 22:14:15 test-host this is the message", WantErr: ErrPriority,
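Review bot: The new `"non-standard-date"` case pins only one accepted value (`Sep 01`), so the edges of the relaxed grammar are untested. This reader parses input that arrives from the network, so I would add table entries next to it for the edges: an input such as `"<123>Sep 00 02:03:04 hostname message"` that is expected to fail with the parser's timestamp error, and one with `Sep 09` to cover the highest zero-padded day. The expected timestamp is built with `time.Local`, as in the visible call to `mustParseTimeLoc`, so the case depends on the host time zone; the neighbouring cases are outside the hunk, so I cannot tell whether they do the same.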