Add timezone option to syslog input

elastic · Sep 3, 2021 · ffcfd85 · ffcfd85
1 parent c47f3c9
commit ffcfd85
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 11 deletions.
diff --git a/filebeat/docs/inputs/input-syslog.asciidoc b/filebeat/docs/inputs/input-syslog.asciidoc
@@ -7,7 +7,8 @@
 <titleabbrev>Syslog</titleabbrev>
 ++++
 
-The `syslog` input reads Syslog events as specified by RFC 3164 and RFC 5424, over TCP, UDP, or a Unix stream socket.
+The `syslog` input reads Syslog events as specified by RFC 3164 and RFC 5424,
+over TCP, UDP, or a Unix stream socket.
 
 Example configurations:
 
@@ -40,12 +41,21 @@ Example configurations:
 
 ==== Configuration options
 
-The `syslog` input configuration includes format, protocol specific options, and the
-<<{beatname_lc}-input-{type}-common-options>> described later.
+The `syslog` input configuration includes format, protocol specific options, and
+the <<{beatname_lc}-input-{type}-common-options>> described later.
 
 ===== `format`
 
-The syslog variant to use, `rfc3164` or `rfc5424`. To automatically detect the format from the log entries, set this option to `auto`. The default is `rfc3164`.
+The syslog variant to use, `rfc3164` or `rfc5424`. To automatically detect the
+format from the log entries, set this option to `auto`. The default is
+`rfc3164`.
+
+===== `timezone`
+
+IANA time zone name (e.g. `America/New_York`) or fixed time offset (e.g.
+`+0200`) to use when parsing syslog timestamps that do not contain a time zone.
+`Local` may be specified to use the machine's local time zone. Defaults to
+`Local`.
 
 ===== Protocol `udp`:
 

diff --git a/filebeat/input/syslog/config.go b/filebeat/input/syslog/config.go
@@ -30,13 +30,15 @@ import (
 	"github.com/elastic/beats/v7/filebeat/inputsource/udp"
 	"github.com/elastic/beats/v7/filebeat/inputsource/unix"
 	"github.com/elastic/beats/v7/libbeat/common"
+	"github.com/elastic/beats/v7/libbeat/common/cfgtype"
 	"github.com/elastic/beats/v7/libbeat/logp"
 )
 
 type config struct {
 	harvester.ForwarderConfig `config:",inline"`
 	Format                    syslogFormat           `config:"format"`
 	Protocol                  common.ConfigNamespace `config:"protocol"`
+	Timezone                  *cfgtype.Timezone      `config:"timezone"`
 }
 
 type syslogFormat int
@@ -59,7 +61,8 @@ var defaultConfig = config{
 	ForwarderConfig: harvester.ForwarderConfig{
 		Type: "syslog",
 	},
-	Format: syslogFormatRFC3164,
+	Format:   syslogFormatRFC3164,
+	Timezone: cfgtype.MustNewTimezone("Local"),
 }
 
 type syslogTCP struct {

diff --git a/filebeat/input/syslog/input.go b/filebeat/input/syslog/input.go
@@ -179,17 +179,17 @@ func GetCbByConfig(cfg config, forwarder *harvester.Forwarder, log *logp.Logger)
 
 	case syslogFormatRFC5424:
 		return func(data []byte, metadata inputsource.NetworkMetadata) {
-			ev := parseAndCreateEvent5424(data, metadata, time.Local, log)
+			ev := parseAndCreateEvent5424(data, metadata, cfg.Timezone.Location(), log)
 			forwarder.Send(ev)
 		}
 
 	case syslogFormatAuto:
 		return func(data []byte, metadata inputsource.NetworkMetadata) {
 			var ev beat.Event
 			if IsRFC5424Format(data) {
-				ev = parseAndCreateEvent5424(data, metadata, time.Local, log)
+				ev = parseAndCreateEvent5424(data, metadata, cfg.Timezone.Location(), log)
 			} else {
-				ev = parseAndCreateEvent3164(data, metadata, time.Local, log)
+				ev = parseAndCreateEvent3164(data, metadata, cfg.Timezone.Location(), log)
 			}
 			forwarder.Send(ev)
 		}
@@ -198,7 +198,7 @@ func GetCbByConfig(cfg config, forwarder *harvester.Forwarder, log *logp.Logger)
 	}
 
 	return func(data []byte, metadata inputsource.NetworkMetadata) {
-		ev := parseAndCreateEvent3164(data, metadata, time.Local, log)
+		ev := parseAndCreateEvent3164(data, metadata, cfg.Timezone.Location(), log)
 		forwarder.Send(ev)
 	}
 }
@@ -287,7 +287,7 @@ func parseAndCreateEvent3164(data []byte, metadata inputsource.NetworkMetadata,
 			"message": string(data),
 		})
 	}
-	return createEvent(ev, metadata, time.Local, log)
+	return createEvent(ev, metadata, timezone, log)
 }
 
 func parseAndCreateEvent5424(data []byte, metadata inputsource.NetworkMetadata, timezone *time.Location, log *logp.Logger) beat.Event {
@@ -299,7 +299,7 @@ func parseAndCreateEvent5424(data []byte, metadata inputsource.NetworkMetadata,
 			"message": string(data),
 		})
 	}
-	return createEvent(ev, metadata, time.Local, log)
+	return createEvent(ev, metadata, timezone, log)
 }
 
 func newBeatEvent(timestamp time.Time, metadata inputsource.NetworkMetadata, fields common.MapStr) beat.Event {