Filebeat 6.8 syslog input fails to parse hostnames with a dash in it #15979
Description
The syslog input of Filebeat 6.8.6 fails to parse log entries properly when the hostname contains a dash. I ran into this while testing the syslog input on my test setup where my log client host is called log-client.
I was expecting everything including program and pid to be parsed into their individual fields but instead I got everything in the message field, e.g.:
```
log-client CRON[4427]: pam_unix(cron:session): session opened for user root by (uid=0)
```
Going over the code, I saw the regex `[a-zA-Z0-9.-_:]` in `syslog_rfc3164.rl` that checks if a hostname is valid, which obviously lacks escaping.
This issue is (accidentally?) fixed in an unrelated PR #10760. Apart from introducing support for Cisco sequence numbers, this PR also fixes several bugs in the hostname parsing by updating the regex (e.g. IPv6 addresses are now also valid hostnames).
This PR was merged to Filebeat 7 but never made it into Filebeat 6.
- Version: filebeat-6.8.6
- Operating System: Ubuntu 18.04
- Steps to Reproduce: use syslog input on host with dash in hostname, observe `message` field contains everything after the timestamps (hostname, program, PID, message)
I will file a PR that cherry-picks #10760 into the 6.8 branch.
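
The character-class behaviour behind this report, as an added example that is not part of the original issue or the Beats code base. It models the quoted class with Go's `regexp` package rather than Ragel (Go reads `.-_` as a range, which is the behaviour the issue describes), and `fixedHost` is an assumed correction for illustration, not the pattern from PR #10760.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Class as quoted in the issue; ".-_" is a range from '.' (0x2E) to '_' (0x5F),
// so the literal '-' (0x2D) falls just outside it.
var buggyHost = regexp.MustCompile(`^[a-zA-Z0-9.-_:]+$`)

// Assumed correction for illustration (not the pattern from PR #10760):
// a dash placed last in the class is a literal.
var fixedHost = regexp.MustCompile(`^[a-zA-Z0-9._:-]+$`)

// Accepted lists the printable ASCII characters a pattern allows in a hostname.
func Accepted(re *regexp.Regexp) string {
	var out []byte
	for c := byte(0x21); c < 0x7f; c++ {
		if re.Match([]byte{c}) {
			out = append(out, c)
		}
	}
	return string(out)
}

// Diff returns the characters of a that do not occur in b.
func Diff(a, b string) string {
	var out []byte
	for i := 0; i < len(a); i++ {
		if strings.IndexByte(b, a[i]) < 0 {
			out = append(out, a[i])
		}
	}
	return string(out)
}

func main() {
	// Hostname token from the log line in the issue.
	host := strings.Fields("log-client CRON[4427]: pam_unix(cron:session): session opened")[0]
	fmt.Println("buggy accepts host:", buggyHost.MatchString(host))
	fmt.Println("fixed accepts host:", fixedHost.MatchString(host))
	fmt.Printf("missing from buggy class: %q\n", Diff(Accepted(fixedHost), Accepted(buggyHost)))
	fmt.Printf("unintended in buggy class: %q\n", Diff(Accepted(buggyHost), Accepted(fixedHost)))
}
```

Besides rejecting the dash, the unescaped range also admits characters such as `/`, `<` and `[` into the hostname field, which matters for anything downstream that treats that field as a validated hostname.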