Fix rfc5464 date parsing in the syslog input (#26419) (#26453)
(cherry picked from commit 0ae157e)

Co-authored-by: Fae Charlton <fae.charlton@elastic.co>
mergify[bot] and faec authored Jun 24, 2021
1 parent d93e9bd commit 8fe3d21
Showing 5 changed files with 204 additions and 150 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -217,6 +217,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix default config template values for paths on oracle module: {pull}26276[26276]
- Fix bug in aws-s3 input where the end of gzipped log files might have been discarded. {pull}26260[26260]
- Fix bug in `httpjson` that prevented `first_event` getting updated. {pull}26407[26407]
- Fix bug in the Syslog input that misparsed rfc5424 days starting with 0. {pull}26419[26419]

*Filebeat*

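Review bot: the added entry names rfc5424 while the commit title says rfc5464; the grammar file touched in this commit is syslog_rfc5424.rl, so the title looks like the typo and should be corrected wherever it is reused. The entry wording is also loose: going by the DATE_MDAY change, days 01 to 09 did not match the grammar at all, so wording along the lines of "rfc5424 timestamps with a day of month from 01 to 09 were not parsed" would tell operators more precisely which events were affected than "misparsed rfc5424 days starting with 0".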
2 changes: 1 addition & 1 deletion filebeat/input/syslog/event.go
Expand Up @@ -417,7 +417,7 @@ func bytesToInt(b []byte) int {

func skipLeadZero(b []byte) []byte {
if len(b) > 1 && b[0] == '0' {
return b[1:len(b)]
return b[1:]
}
return b
}
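Review bot: `skipLeadZero` has no doc comment, and its contract is easy to misread: it drops at most one leading '0' and, because of the `len(b) > 1` guard, leaves a lone "0" untouched. The `b[1:len(b)]` to `b[1:]` rewrite is behaviour-neutral, so this is a convenient place to add a one-line comment stating that contract for callers that pass zero-padded fields.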
2 changes: 1 addition & 1 deletion filebeat/input/syslog/parser/syslog_rfc5424.rl
Expand Up @@ -18,7 +18,7 @@
# timestamp
DATE_FULLYEAR = digit{4}>tok %year;
DATE_MONTH = (("0"[1-9]) | ("1"[0-2]))>tok %month_numeric;
DATE_MDAY = (([12][0-9]) | ("3"[01]))>tok %day;
DATE_MDAY = (("0"[1-9]) | ([12][0-9]) | ("3"[01]))>tok %day;
FULL_DATE = DATE_FULLYEAR "-" DATE_MONTH "-" DATE_MDAY;

TIME_HOUR = ([01][0-9] | "2"[0-3])>tok %hour;
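Review bot: the widened `DATE_MDAY` accepts any day from 01 to 31 independently of `DATE_MONTH`, so strings such as 2021-02-31 or 2021-04-31 still match `FULL_DATE`. This is not introduced by the change (29 to 31 already matched for every month), but it is worth confirming what the code that builds the timestamp from these tokens does with such input; if it uses Go's time.Date, an out-of-range day is normalized into the following month instead of being rejected, which silently shifts the event time. Only three of the five changed files are visible here, so if the others do not already cover it, add boundary cases for the day field: 00 and 32 must be rejected, and 01, 09, 10 and 31 must parse to the expected day.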