Merge pull request #2599 from fluent/add-new-parser-to-syslog

Implement new parser for parser_syslog
fluent · Sep 9, 2019 · 1e4e0c1 · 1e4e0c1
2 parents aa54583 + 60c838f
commit 1e4e0c1
Show file tree

Hide file tree

Showing 2 changed files with 224 additions and 22 deletions.
diff --git a/lib/fluent/plugin/parser_syslog.rb b/lib/fluent/plugin/parser_syslog.rb
@@ -38,6 +38,10 @@ class SyslogParser < Parser
       config_param :message_format, :enum, list: [:rfc3164, :rfc5424, :auto], default: :rfc3164
       desc 'Specify time format for event time for rfc5424 protocol'
       config_param :rfc5424_time_format, :string, default: "%Y-%m-%dT%H:%M:%S.%L%z"
+      desc 'The parser type used to parse syslog message'
+      config_param :parser_type, :enum, list: [:regexp, :string], default: :regexp
+      desc 'support colonless ident in string parser'
+      config_param :support_colonless_ident, :bool, default: true
 
       def initialize
         super
@@ -50,10 +54,17 @@ def configure(conf)
         @time_parser_rfc3164 = @time_parser_rfc5424 = nil
         @time_parser_rfc5424_without_subseconds = nil
         @support_rfc5424_without_subseconds = false
+        @regexp_parser = @parser_type == :regexp
         @regexp = case @message_format
                   when :rfc3164
-                    class << self
-                      alias_method :parse, :parse_plain
+                    if @regexp_parser
+                      class << self
+                        alias_method :parse, :parse_plain
+                      end
+                    else
+                      class << self
+                        alias_method :parse, :parse_rfc3164
+                      end
                     end
                     @with_priority ? REGEXP_WITH_PRI : REGEXP
                   when :rfc5424
@@ -88,11 +99,16 @@ def parse_auto(text, &block)
           @regexp = @with_priority ? REGEXP_RFC5424_WITH_PRI : REGEXP_RFC5424
           @time_parser = @time_parser_rfc5424
           @support_rfc5424_without_subseconds = true
+          parse_plain(text, &block)
         else
           @regexp = @with_priority ? REGEXP_WITH_PRI : REGEXP
           @time_parser = @time_parser_rfc3164
+          if @regexp_parser
+            parse_plain(text, &block)
+          else
+            parse_rfc3164(text, &block)
+          end
         end
-        parse_plain(text, &block)
       end
 
       def parse_plain(text, &block)
@@ -137,6 +153,93 @@ def parse_plain(text, &block)
 
         yield time, record
       end
+
+      SPLIT_CHAR = ' '.freeze
+
+      def parse_rfc3164(text, &block)
+        pri = nil
+        cursor = 0
+        if @with_priority
+          if text.start_with?('<'.freeze)
+            i = text.index('>'.freeze, 1)
+            if i < 2
+              yield nil, nil
+              return
+            end
+            pri = text.slice(1, i - 1).to_i
+            cursor = i + 1
+          else
+            yield nil, nil
+            return
+          end
+        end
+
+        # header part
+        time_size = 15 # skip Mmm dd hh:mm:ss
+        time_end = text[cursor + time_size]
+        if time_end == SPLIT_CHAR
+          time_str = text.slice(cursor, time_size)
+          cursor += 16 # time + ' '
+        elsif time_end == '.'.freeze
+          # support subsecond time
+          i = text.index(SPLIT_CHAR, time_size)
+          time_str = text.slice(cursor, i - cursor)
+          cursor = i + 1
+        else
+          yield nil, nil
+          return
+        end
+
+        i = text.index(SPLIT_CHAR, cursor)
+        if i.nil?
+          yield nil, nil
+          return
+        end
+        host_size = i - cursor
+        host = text.slice(cursor, host_size)
+        cursor += host_size + 1
+
+        record = {'host' => host}
+        record['pri'] = pri if pri
+
+        i = text.index(SPLIT_CHAR, cursor)
+
+        # message part
+        msg = if i.nil?  # for 'only non-space content case'
+                text.slice(cursor, text.bytesize)
+              else
+                if text[i - 1] == ':'.freeze
+                  if text[i - 2] == ']'.freeze
+                    left_braket_pos = text.index('['.freeze, cursor)
+                    record['ident'] = text.slice(cursor, left_braket_pos - cursor)
+                    record['pid'] = text.slice(left_braket_pos + 1, i - left_braket_pos - 3) # remove '[' / ']:'
+                  else
+                    record['ident'] = text.slice(cursor, i - cursor - 1)
+                  end
+                  text.slice(i + 1, text.bytesize)
+                else
+                  if @support_colonless_ident
+                    if text[i - 1] == ']'.freeze
+                      left_braket_pos = text.index('['.freeze, cursor)
+                      record['ident'] = text.slice(cursor, left_braket_pos - cursor)
+                      record['pid'] = text.slice(left_braket_pos + 1, i - left_braket_pos - 2) # remove '[' / ']'
+                    else
+                      record['ident'] = text.slice(cursor, i - cursor)
+                    end
+                    text.slice(i + 1, text.bytesize)
+                  else
+                    text.slice(cursor, text.bytesize)
+                  end
+                end
+              end
+        msg.chomp!
+        record['message'] = msg
+
+        time = @time_parser.parse(time_str)
+        record['time'] = time_str if @keep_time_key
+
+        yield time, record
+      end
     end
   end
 end