Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

syslog parser regexp is not working when message contains ] character #2068

Closed
rainoko opened this issue Jul 12, 2018 · 2 comments
Closed

syslog parser regexp is not working when message contains ] character #2068

rainoko opened this issue Jul 12, 2018 · 2 comments

Comments

@rainoko
Copy link

rainoko commented Jul 12, 2018

  • fluentd or td-agent version - v1.2.3 but exists in ealier versions also

fluentd/lib/fluent/plugin/parser_syslog.rb

Line 30 in 815e513

REGEXP_RFC5424 = /\A^(?<time>[^ ]+) (?<host>[^ ]+) (?<ident>[^ ]+) (?<pid>.{1,128}) (?<msgid>[^ ]+) (?<extradata>(\[(.*)\]|[^ ])) (?<message>.+)$\z/

  1. regular expressions extradata part is little-bit too greedy. If message contains ] part of message is considered as extradata.
  2. regular expression not accept empty message - causing parse error logs.
  3. Pid is too greedy

Should be something like that

\A^\<(?<pri>[0-9]{1,3})\>[1-9]\d{0,2} (?<time>[^ ]+) (?<host>[^ ]+) (?<ident>[^ ]+) (?<pid>[^ ]+) (?<msgid>[^ ]+) (?<extradata>(\[([^\]]*)\]|[^ ])).?(?<message>.*)$\z

(?<pid>.{1,128})   -> (?<pid>[^ ]+)   pid should be anything until next space
(?<extradata>(\[(.*)\]|[^ ]))  ->  (?<extradata>(\[([^\]]*)\]|[^ ])) extradata may not contain ]
(?<message>.+)  ->  .?(?<message>.*) message should be optional
@okkez
Copy link
Contributor

okkez commented Sep 25, 2018

Could you show me the failed logs?

okkez added a commit to okkez/fluentd that referenced this issue Sep 26, 2018
@okkez
Add test cases according to fluent#2068
4e4b3e5 
Signed-off-by: Kenji Okimoto <okimoto@clear-code.com>
okkez added a commit to okkez/fluentd that referenced this issue Sep 26, 2018
@okkez
Fix regexp for RFC5424 to parse message includes PID properly
0b5a3b0 
In previous version, pid field is too greedy.

See also https://tools.ietf.org/html/rfc5424#section-6 and fluent#2068

Signed-off-by: Kenji Okimoto <okimoto@clear-code.com>
@okkez okkez mentioned this issue Sep 26, 2018
Merged
@okkez
Copy link
Contributor

okkez commented Dec 21, 2018

No response. Closing.
Feel free to reopen this issue or create a new issue, if you find a problem related to this issue.

@okkez okkez closed this as completed Dec 21, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@okkez @rainoko