Merge pull request #2816 from BananaWanted/master

fix for RFC5424 parsing
fluent · Feb 12, 2020 · dcc42b6 · dcc42b6
2 parents 1b3a8be + bb5431d
commit dcc42b6
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 10 deletions.
diff --git a/lib/fluent/plugin/parser_syslog.rb b/lib/fluent/plugin/parser_syslog.rb
@@ -27,8 +27,15 @@ class SyslogParser < Parser
       REGEXP = /^(?<time>[^ ]*\s*[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[^ :\[]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/
       # From in_syslog default pattern
       REGEXP_WITH_PRI = /^\<(?<pri>[0-9]+)\>(?<time>[^ ]* {1,2}[^ ]* [^ ]*) (?<host>[^ ]*) (?<ident>[^ :\[]*)(?:\[(?<pid>[0-9]+)\])?(?:[^\:]*\:)? *(?<message>.*)$/
-      REGEXP_RFC5424 = /\A(?<time>[^ ]+) (?<host>[!-~]{1,255}) (?<ident>[!-~]{1,48}) (?<pid>[!-~]{1,128}) (?<msgid>[!-~]{1,32}) (?<extradata>(?:\-|\[(.*)\]))(?: (?<message>.+))?\z/m
-      REGEXP_RFC5424_WITH_PRI = /\A\<(?<pri>[0-9]{1,3})\>[1-9]\d{0,2} (?<time>[^ ]+) (?<host>[!-~]{1,255}) (?<ident>[!-~]{1,48}) (?<pid>[!-~]{1,128}) (?<msgid>[!-~]{1,32}) (?<extradata>(?:\-|\[(.*)\]))(?: (?<message>.+))?\z/m
+      REGEXP_RFC5424 = <<~'EOS'.chomp
+        (?<time>[^ ]+) (?<host>[!-~]{1,255}) (?<ident>[!-~]{1,48}) (?<pid>[!-~]{1,128}) (?<msgid>[!-~]{1,32}) (?<extradata>(?:\-|(?:\[.*?(?<!\\)\])+))(?: (?<message>.+))?
+      EOS
+      REGEXP_RFC5424_NO_PRI = Regexp.new(<<~'EOS'.chomp % REGEXP_RFC5424, Regexp::MULTILINE)
+        \A%s\z
+      EOS
+      REGEXP_RFC5424_WITH_PRI = Regexp.new(<<~'EOS'.chomp % REGEXP_RFC5424, Regexp::MULTILINE)
+        \A<(?<pri>[0-9]{1,3})\>[1-9]\d{0,2} %s\z
+      EOS
       REGEXP_DETECT_RFC5424 = /^\<.*\>[1-9]\d{0,2}/
 
       config_set_default :time_format, "%b %d %H:%M:%S"
@@ -73,7 +80,7 @@ class << self
                     end
                     @time_format = @rfc5424_time_format unless conf.has_key?('time_format')
                     @support_rfc5424_without_subseconds = true
-                    @with_priority ? REGEXP_RFC5424_WITH_PRI : REGEXP_RFC5424
+                    @with_priority ? REGEXP_RFC5424_WITH_PRI : REGEXP_RFC5424_NO_PRI
                   when :auto
                     class << self
                       alias_method :parse, :parse_auto
@@ -96,7 +103,7 @@ def parse(text)
 
       def parse_auto(text, &block)
         if REGEXP_DETECT_RFC5424.match(text)
-          @regexp = @with_priority ? REGEXP_RFC5424_WITH_PRI : REGEXP_RFC5424
+          @regexp = @with_priority ? REGEXP_RFC5424_WITH_PRI : REGEXP_RFC5424_NO_PRI
           @time_parser = @time_parser_rfc5424
           @support_rfc5424_without_subseconds = true
           parse_plain(text, &block)

diff --git a/test/plugin/test_parser_syslog.rb b/test/plugin/test_parser_syslog.rb
@@ -237,7 +237,7 @@ def test_parse_with_rfc5424_message_and_without_priority
         assert_equal "-", record["extradata"]
         assert_equal "Hi, from Fluentd!", record["message"]
       end
-      assert_equal(Fluent::Plugin::SyslogParser::REGEXP_RFC5424,
+      assert_equal(Fluent::Plugin::SyslogParser::REGEXP_RFC5424_NO_PRI,
                    @parser.instance.patterns['format'])
     end
 
@@ -254,7 +254,7 @@ def test_parse_with_rfc5424_empty_message_and_without_priority
         assert_equal "-", record["extradata"]
         assert_nil record["message"]
       end
-      assert_equal(Fluent::Plugin::SyslogParser::REGEXP_RFC5424,
+      assert_equal(Fluent::Plugin::SyslogParser::REGEXP_RFC5424_NO_PRI,
                    @parser.instance.patterns['format'])
     end
 
@@ -294,14 +294,14 @@ def test_parse_with_rfc5424_structured_message
                         'message_format' => 'rfc5424',
                         'with_priority' => true,
                         )
-      text = '<16>1 2017-02-06T13:14:15.003Z 192.168.0.1 fluentd 11111 ID24224 [exampleSDID@20224 iut="3" eventSource="Application" eventID="11211"] Hi, from Fluentd!'
+      text = '<16>1 2017-02-06T13:14:15.003Z 192.168.0.1 fluentd 11111 ID24224 [exampleSDID@20224 iut="3" eventSource="Application" eventID="11211"] [Hi] from Fluentd!'
       @parser.instance.parse(text) do |time, record|
         assert_equal(event_time("2017-02-06T13:14:15.003Z", format: '%Y-%m-%dT%H:%M:%S.%L%z'), time)
         assert_equal "11111", record["pid"]
         assert_equal "ID24224", record["msgid"]
         assert_equal "[exampleSDID@20224 iut=\"3\" eventSource=\"Application\" eventID=\"11211\"]",
                      record["extradata"]
-        assert_equal "Hi, from Fluentd!", record["message"]
+        assert_equal "[Hi] from Fluentd!", record["message"]
       end
     end
 
@@ -328,14 +328,14 @@ def test_parse_with_rfc5424_message_includes_right_bracket
                         'message_format' => 'rfc5424',
                         'with_priority' => true,
                         )
-      text = '<16>1 2017-02-06T13:14:15.003Z 192.168.0.1 fluentd 11111 ID24224 [exampleSDID@20224 iut="3" eventSource="Application" eventID="11211"] Hi, from Fluentd]!'
+      text = '<16>1 2017-02-06T13:14:15.003Z 192.168.0.1 fluentd 11111 ID24224 [exampleSDID@20224 iut="3" eventSource="Application" eventID="11211"] [Hi] from Fluentd]!'
       @parser.instance.parse(text) do |time, record|
         assert_equal(event_time("2017-02-06T13:14:15.003Z", format: '%Y-%m-%dT%H:%M:%S.%L%z'), time)
         assert_equal "11111", record["pid"]
         assert_equal "ID24224", record["msgid"]
         assert_equal "[exampleSDID@20224 iut=\"3\" eventSource=\"Application\" eventID=\"11211\"]",
                      record["extradata"]
-        assert_equal "Hi, from Fluentd]!", record["message"]
+        assert_equal "[Hi] from Fluentd]!", record["message"]
       end
     end