From 383265c7e2b1e00921bd7eff8c18825d2ca4dc61 Mon Sep 17 00:00:00 2001
From: HiroYin-FP <zehong.yin@funplus.com>
Date: Tue, 14 Nov 2017 11:10:03 +0800
Subject: [PATCH 1/3] Packetbeat, mysql proto, add \r to trim SQLs captured
 from app running on Windows server. Otherwise method extracted including \r,
 which is problem. e.g. "SELECT\r\n\t1"

---
 packetbeat/protos/mysql/mysql.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packetbeat/protos/mysql/mysql.go b/packetbeat/protos/mysql/mysql.go
index 4e3e1806da7..33c20d463ca 100644
--- a/packetbeat/protos/mysql/mysql.go
+++ b/packetbeat/protos/mysql/mysql.go
@@ -605,8 +605,8 @@ func (mysql *mysqlPlugin) receivedMysqlRequest(msg *mysqlMessage) {
 
 	// Extract the method, by simply taking the first word and
 	// making it upper case.
-	query := strings.Trim(msg.query, " \n\t")
-	index := strings.IndexAny(query, " \n\t")
+	query := strings.Trim(msg.query, " \r\n\t")
+	index := strings.IndexAny(query, " \r\n\t")
 	var method string
 	if index > 0 {
 		method = strings.ToUpper(query[:index])

From 1abd2f166ff73d2e047bebd7256f9b9bd7badcfe Mon Sep 17 00:00:00 2001
From: timesking <timesking@gmail.com>
Date: Thu, 16 Nov 2017 14:31:43 +0800
Subject: [PATCH 2/3] Packetbeat, test case for windows lineending

---
 .../pcaps/mysql_windows_lineending.pcap       | Bin 0 -> 757 bytes
 .../test_0064_mysql_windows_lineending.py     |  24 ++++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 packetbeat/tests/system/pcaps/mysql_windows_lineending.pcap
 create mode 100644 packetbeat/tests/system/test_0064_mysql_windows_lineending.py

diff --git a/packetbeat/tests/system/pcaps/mysql_windows_lineending.pcap b/packetbeat/tests/system/pcaps/mysql_windows_lineending.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..c6219bc12a4d8474ae536546b95d125aada4a10d
GIT binary patch
literal 757
zcmca|c+)~A1{MYcU}0bca_;r>MQ!tDWC#MXK{z67<Jq#lgdegiPpfe-xH2%fluJ1<
zIIyW7;bO4m=VI_WeyX46mF6bXb-R{mt29Um2zT9NU|?kA;NlC~q5Y-b?jH}(6y{)8
zA6MrPUM@~U>-#_(Cfai_Q~||77-BZW9-s{z3^}|<9T@D{CcXrj4zh*k)v11v=|Efd
zHApZNr5%RY@TK2117r)(-HeRl3=B-nDXD2d6B!K|c<jNx;b;VM8CZc1_y=MzF)*+&
z8UnejU@pidAAl}#0!o1}hF?vDB0zranTF=qeL&a5GzbU?t^n$S_;v3BkZV9D9&zJf
za0iNmFoubio|+&NLl0mzQ9?j)=_j~}3qdA=;)D@qEN+LgzXTaOofXa4!(fLB3J5O$
ziE8X4phFekvckQN5eX)|$3T%VNdYYqVt|owxIvJiXyYY_iC_A?_4tDJE(DpVjNioL
zU=!uhOpFDZc%(r9XyQq@iDobpYmrRE2uzcA*FnDCAcn=)u?;|9Pj7<x`a~eeodDq?
B+Hn8?

literal 0
HcmV?d00001

diff --git a/packetbeat/tests/system/test_0064_mysql_windows_lineending.py b/packetbeat/tests/system/test_0064_mysql_windows_lineending.py
new file mode 100644
index 00000000000..6589a90eb74
--- /dev/null
+++ b/packetbeat/tests/system/test_0064_mysql_windows_lineending.py
@@ -0,0 +1,24 @@
+from packetbeat import BaseTest
+
+"""
+Tests for MySQL messages with Windows line ending \\r\\n.
+"""
+
+
+class Test(BaseTest):
+
+    def test_rn(self):
+        """
+        Should get method "SELECT" instead of "SELECT\\r"
+        """
+        self.render_config_template(
+            mysql_ports=[3306],
+        )
+        self.run_packetbeat(pcap="mysql_windows_lineending.pcap")
+
+        objs = self.read_output()
+        assert len(objs) == 1
+        o = objs[0]
+
+        assert o["status"] == "OK"
+        assert o["method"] == "SELECT"

From 002f1284a01c34fc82d0055683cd63b6a9675763 Mon Sep 17 00:00:00 2001
From: timesking <timesking@gmail.com>
Date: Fri, 5 Jan 2018 15:15:42 +0800
Subject: [PATCH 3/3] Packetbeat, changes log for windows lineending

---
 CHANGELOG.asciidoc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 3e4b1d5f76d..1edfb0dc586 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -92,6 +92,7 @@ https://github.com/elastic/beats/compare/v6.0.0-beta2...master[Check the HEAD di
 
 - Fix http status phrase parsing not allow spaces. {pull}5312[5312]
 - Fix http parse to allow to parse get request with space in the URI. {pull}5495[5495]
+- Fix mysql SQL parser to trim `\r` from Windows Server `SELECT\r\n\t1`. {pull}5572[5572]
 
 *Winlogbeat*