[Filebeat] Accept syslog dates with leading 0 #27775

Merged
merged 1 commit into from
Sep 7, 2021


andrewkroh
Member

@andrewkroh andrewkroh commented Sep 7, 2021

What does this PR do?

This makes the RFC3164 parser accept dates with a leading 0. This makes the parser a little more liberal than the spec.

From RFC3164 https://datatracker.ietf.org/doc/html/rfc3164#section-4.1.2

    If the day of the month is less than 10, then it MUST be represented as a space and then the number. For example, the 7th day of August would be represented as "Aug  7", with two spaces between the "g" and the "7".

So now it will accept both `Sep 01` and `Sep  1`.

Checklist

  • My code follows the style guidelines of this project
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.
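
Added example, not code from this PR or from Beats: a hand-written Go sketch of the behaviour described above, where a strict RFC 3164 timestamp check rejects `Sep 01` and a lenient one accepts both `Sep 01` and `Sep  1`. The function name, the `strict` flag, and the caller-supplied year and location are assumptions for illustration; it does not reproduce Filebeat's parser.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// parseRFC3164Time parses the fixed-width "Mmm dd hh:mm:ss" syslog timestamp.
// RFC 3164 timestamps carry no year or zone, so the caller supplies both.
// strict=true enforces the RFC rule (days below 10 are space-padded);
// strict=false also accepts a zero-padded day such as "Sep 01".
func parseRFC3164Time(s string, year int, loc *time.Location, strict bool) (time.Time, error) {
	var zero time.Time
	if len(s) != 15 || s[3] != ' ' || s[6] != ' ' {
		return zero, fmt.Errorf("%q is not in 'Mmm dd hh:mm:ss' form", s)
	}
	const months = "JanFebMarAprMayJunJulAugSepOctNovDec"
	idx := strings.Index(months, s[:3])
	if idx < 0 || idx%3 != 0 {
		return zero, fmt.Errorf("unknown month %q", s[:3])
	}
	tens, ones := s[4], s[5]
	if tens == ' ' {
		tens = '0' // RFC form: space-padded single digit
	} else if tens == '0' && strict {
		return zero, fmt.Errorf("zero-padded day %q rejected in strict mode", s[4:6])
	}
	if tens < '0' || tens > '3' || ones < '0' || ones > '9' {
		return zero, fmt.Errorf("invalid day %q", s[4:6])
	}
	day := int(tens-'0')*10 + int(ones-'0')
	clock, err := time.Parse("15:04:05", s[7:])
	if err != nil {
		return zero, fmt.Errorf("invalid time of day: %w", err)
	}
	t := time.Date(year, time.Month(idx/3+1), day, clock.Hour(), clock.Minute(), clock.Second(), 0, loc)
	if t.Day() != day { // rejects day 0 and overflow such as "Feb 30"
		return zero, fmt.Errorf("day %d out of range for %s", day, s[:3])
	}
	return t, nil
}

func main() {
	for _, ts := range []string{"Sep  1 14:25:52", "Sep 01 14:25:52"} { // constructed samples
		_, err := parseRFC3164Time(ts, 2021, time.UTC, true)
		fmt.Printf("%q strict error: %v\n", ts, err)
	}
}
```

In an ingestion pipeline the strict mode would fail to parse the timestamp of any message from a sender that zero-pads the day, which is the case the PR makes parseable.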

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Sep 7, 2021
@andrewkroh andrewkroh force-pushed the feature/fb/syslog-dates branch from 7562d48 to a49d6d4 Compare September 7, 2021 14:25
@andrewkroh andrewkroh marked this pull request as ready for review September 7, 2021 14:25
@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine
Collaborator

Pinging @elastic/agent (Team:Agent)

@kvch
Contributor

kvch commented Sep 7, 2021

While we are at it, shouldn't we also make the RFC 5424 format more lenient as well?

@andrewkroh
Member Author

andrewkroh commented Sep 7, 2021

I don't think so because it uses only the well-defined RFC3339 (e.g. 2003-10-11T22:14:15.003Z). https://datatracker.ietf.org/doc/html/rfc5424#section-6.2.3

Contributor

@adriansr adriansr left a comment

LGTM

@andrewkroh
Member Author

run elasticsearch-ci/docs

@elasticmachine
Collaborator

💚 Build Succeeded

Build stats

  • Start Time: 2021-09-07T14:25:52.451+0000

  • Duration: 98 min 29 sec

  • Commit: a49d6d4

Test stats 🧪

Test Results
Failed 0
Passed 15227
Skipped 2314
Total 17541

💚 Flaky test report

Tests succeeded.

@andrewkroh andrewkroh added the backport-v7.16.0 Automated backport with mergify label Sep 7, 2021
@andrewkroh andrewkroh merged commit e66b4e6 into elastic:master Sep 7, 2021
mergify bot pushed a commit that referenced this pull request Sep 7, 2021
(cherry picked from commit e66b4e6)
andrewkroh added a commit that referenced this pull request Sep 9, 2021
(cherry picked from commit e66b4e6)

Co-authored-by: Andrew Kroh <[email protected]>
mdelapenya added a commit to mdelapenya/beats that referenced this pull request Sep 9, 2021
* master: (39 commits)
  [Heartbeat] Move JSON tests from python->go (elastic#27816)
  docs: simplify permissions for Dockerfile COPY (elastic#27754)
  Osquerybeat: Fix osquery logger plugin severy levels mapping (elastic#27789)
  [Filebeat] Update compatibility function to remove processor description on ES < 7.9.0 (elastic#27774)
  warn log entry and no validation failure when both queue_url and buck… (elastic#27612)
  libbeat/cmd/instance: ensure test config file has appropriate permissions (elastic#27178)
  [Heartbeat] Add httpcommon options to ZipURL (elastic#27699)
  Add a header round tripper option to httpcommon (elastic#27509)
  [Elastic Agent] Add validation to ensure certificate paths are absolute. (elastic#27779)
  Rename dashboards according to module.yml files for master (elastic#27749)
  Refactor vagrantfile, add scripts for provisioning with docker/kind (elastic#27726)
  Accept syslog dates with leading 0 (elastic#27775)
  [Filebeat] Add timezone config option to decode_cef and syslog input (elastic#27727)
  [Filebeat] Threatintel compatibility updates (elastic#27323)
  Add support for ephemeral containers in elastic agent dynamic provider (elastic#27707)
  [Filebeat] Integration tests in CI for AWS-S3 input (elastic#27491)
  Fix flakyness of TestFilestreamEmptyLine (elastic#27705)
  [Filebeat] kafka v2 using parsers (elastic#27335)
  Update Kafka version parsing / supported range (elastic#27720)
  Update Sarama to 1.29.1 (elastic#27717)
  ...
Icedroid pushed a commit to Icedroid/beats that referenced this pull request Nov 1, 2021
Labels
backport-v7.16.0 Automated backport with mergify enhancement Filebeat Filebeat Team:Elastic-Agent Label for the Agent team