[Filebeat] Syslog RFC5424 messages cannot be parsed on the first 9 days of each month

[manarth]

• Version: 7.13.2
• Operating System: Linux

Steps to Reproduce

• Configure a syslog input using rfc5424:

filebeat.inputs:
- type: syslog
  format: rfc5424

• Receive a syslog message specifying a date during the first 9 days of the month:

<133>1 2021-06-08T23:57:05+00:00 hostfoo facilitybar - - - [08/Jun/2021:23:57:04 +0000] debug message here

• What happens?

An error message is reported

can't parse event as syslog rfc5424

• What's expected to happen?

The message is expected to be processed.

Cause

See https://github.com/elastic/beats/blob/v7.13.2/filebeat/input/syslog/parser/syslog_rfc5424.rl#L21

DATE_MDAY       = (([12][0-9]) | ("3"[01]))>tok %day;

The Ragel definition doesn't support two-digit days beginning with 0.

See also: the generated state-machine: https://github.com/elastic/beats/blob/v7.13.2/filebeat/input/syslog/rfc5424_parser.go#L8679

Suggested fix:

DATE_MDAY       = (("0"[1-9]) | ([12][0-9]) | ("3"[01]))>tok %day;

[elasticmachine]

Pinging @elastic/agent (Team:Agent)

[kaiyan-sheng]

@manarth Thank you so much for reporting this issue. Seems like we need better testing to catch this issue. Do you mind creating a PR to fix this since you already got your suggested fix ready? TIA!

[faec]

Thanks for the report! I'll get a fix together, no worries :-)

[urso]

Fix had been merged.