[libbeat] Fix parsing of RFC 3164 process IDs in syslog processor (#3…

…8982) - The pattern for parsing process IDs was too relaxed and would match everything between the first opening and the last closing square bracket in a message. If the message included multiple closing square brackets, the process ID would be set to not only the process ID, but also whatever leads up to the last closing square bracket. - The pattern has now been locked down to only digits. - Added test case.
elastic · Apr 22, 2024 · 8e9a276 · 8e9a276
1 parent 8f8f313
commit 8e9a276
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 56 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -91,6 +91,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Change cache processor documentation from `write_period` to `write_interval`. {pull}38561[38561]
 - Fix cache processor expiries heap cleanup on partial file writes. {pull}38561[38561]
 - Fix cache processor expiries infinite growth when large a large TTL is used and recurring keys are cached. {pull}38561[38561]
+- Fix parsing of RFC 3164 process IDs in syslog processor. {issue}38947[38947] {pull}38982[38982]
 
 *Auditbeat*
 - Set field types to correctly match ECS in sessionmd processor {issue}38955[38955] {pull}38994[38994]

diff --git a/libbeat/reader/syslog/parser/rfc3164.rl b/libbeat/reader/syslog/parser/rfc3164.rl
@@ -16,7 +16,7 @@
     hostname  = graph+ >tok %set_hostname;
 
     tag           = (print -- [ :\[])+ >tok %set_tag;
-    content_value = print+ >tok %set_content;
+    content_value = digit+ >tok %set_content;
     content       = '[' content_value ']';
     msg           = (tag content? ':' sp)? any+ >tok %set_msg;
 }%%
diff --git a/libbeat/reader/syslog/rfc3164_gen.go b/libbeat/reader/syslog/rfc3164_gen.go
diff --git a/libbeat/reader/syslog/rfc3164_test.go b/libbeat/reader/syslog/rfc3164_test.go
@@ -88,6 +88,19 @@ func TestParseRFC3164(t *testing.T) {
 				msg:       "message",
 			},
 		},
+		"ok-procid-with-square-brackets-msg": {
+			in: "<114>Apr 12 13:30:01 aaaaaa001.adm.domain aaaaaa001[25259]: my.some.domain 10.11.12.13 - USERNAME [12/Apr/2024:13:29:59.993 +0200] /skodas \"GET /skodas/group/pod-documentation/aaa HTTP/1.1\" 301 301 290bytes 1 10327",
+			want: message{
+				timestamp: mustParseTime(time.Stamp, "Apr 12 13:30:01", time.Local),
+				priority:  114,
+				facility:  14,
+				severity:  2,
+				hostname:  "aaaaaa001.adm.domain",
+				process:   "aaaaaa001",
+				pid:       "25259",
+				msg:       "my.some.domain 10.11.12.13 - USERNAME [12/Apr/2024:13:29:59.993 +0200] /skodas \"GET /skodas/group/pod-documentation/aaa HTTP/1.1\" 301 301 290bytes 1 10327",
+			},
+		},
 		"err-pri-not-a-number": {
 			in: "<abc>Oct 11 22:14:15 test-host this is the message",
 			want: message{