
Typo in syslog_rfc3164.rl causes parsing errors for December syslog dates #9323

@rhclayto

For confirmed bugs, please report:

2018-12-02T07:38:44.727Z	ERROR	[syslog]	syslog/input.go:114	can't not parse event as syslog rfc3164	{"message": "Dec 02 07:38:44 freebsd-11-2 crontab[81334]: (root) BEGIN EDIT (root)"}

This is a properly formatted rfc3164 syslog message, as far as I can tell. Looking at the source code, the month strings are defined in the file syslog_rfc3164.rl. The definition is:

month = ( "Jan" ("uary")? | "Feb" "ruary"? | "Mar" "ch"? | "Apr" "il"? | "Ma" "y"? | "Jun" "e"? | "Jul" "y"? | "Aug" "ust"? | "Sep" ("tember")? | "Oct" "ober"? | "Nov" "ember"? | "ec" "ember"?) >tok %month;

I'm guessing that it should be:

month = ( "Jan" ("uary")? | "Feb" "ruary"? | "Mar" "ch"? | "Apr" "il"? | "Ma" "y"? | "Jun" "e"? | "Jul" "y"? | "Aug" "ust"? | "Sep" ("tember")? | "Oct" "ober"? | "Nov" "ember"? | "Dec" "ember"?) >tok %month;

That is, there is a missing capital D from the December string. Because of this, any syslog message with the month of December in the date will trigger the error.


Edit: I built a filebeat binary on FreeBSD (had to get rid of some gosigar stuff that doesn't work on FreeBSD, HugeTLBPages) with the file patched. However, I am still getting the error message in my logs:

2018-12-02T09:12:16.988Z	ERROR	[syslog]	syslog/input.go:131	can't not parse event as syslog rfc3164	{"message": "Dec 02 09:12:16 freebsd-11-2 crontab[51480]: (root) BEGIN EDIT (root)"}

Any ideas, then, what might be causing this problem?
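A regression check for the month alternation quoted in the report, as an added Go example (not code from the Beats repository). It approximates the Ragel definition with a regular expression; the helper names `headerPattern` and `rejectedMonths`, the simplified day/time pattern and the sample lines are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Month alternation from the issue, translated from Ragel to Go regexp syntax.
// The December alternative is passed in so both spellings can be compared.
const monthsExceptDec = `Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|Ma(?:y)?|` +
	`Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?`

// headerPattern matches "<month> <day> <hh:mm:ss> " at the start of a line.
// The day and time parts are a simplification, not the project's grammar.
func headerPattern(decAlt string) *regexp.Regexp {
	return regexp.MustCompile(`^(?:` + monthsExceptDec + `|` + decAlt + `) \d{1,2} \d{2}:\d{2}:\d{2} `)
}

// rejectedMonths returns the month abbreviations whose sample line does not match.
func rejectedMonths(re *regexp.Regexp) []string {
	abbrevs := strings.Fields("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec")
	var rejected []string
	for _, m := range abbrevs {
		// Constructed sample line modelled on the message in the report.
		line := m + " 02 07:38:44 freebsd-11-2 crontab[81334]: (root) BEGIN EDIT (root)"
		if !re.MatchString(line) {
			rejected = append(rejected, m)
		}
	}
	return rejected
}

func main() {
	fmt.Println("as reported:", rejectedMonths(headerPattern(`ec(?:ember)?`)))
	fmt.Println("with \"Dec\":", rejectedMonths(headerPattern(`Dec(?:ember)?`)))
}
```

Running one sample line per month through the parser in a test like this catches a month-specific gap in log ingestion before the calendar does.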
