parser_syslog: Support RFC5424 timestamp without subseconds

lib/fluent/plugin/parser_syslog.rb

@@ -48,6 +48,8 @@ def configure(conf)
         super
 
         @time_parser_rfc3164 = @time_parser_rfc5424 = nil
+        @time_parser_rfc5424_without_subseconds = nil
+        @support_rfc5424_without_subseconds = false
         @regexp = case @message_format
                   when :rfc3164
                     class << self
@@ -59,6 +61,7 @@ class << self
                       alias_method :parse, :parse_plain
                     end
                     @time_format = @rfc5424_time_format unless conf.has_key?('time_format')
+                    @support_rfc5424_without_subseconds = true
                     @with_priority ? REGEXP_RFC5424_WITH_PRI : REGEXP_RFC5424
                   when :auto
                     class << self
@@ -69,6 +72,7 @@ class << self
                     nil
                   end
         @time_parser = time_parser_create
+        @time_parser_rfc5424_without_subseconds = time_parser_create(format: "%Y-%m-%dT%H:%M:%S%z")
       end
 
       def patterns
@@ -83,6 +87,7 @@ def parse_auto(text, &block)
         if REGEXP_DETECT_RFC5424.match(text)
           @regexp = @with_priority ? REGEXP_RFC5424_WITH_PRI : REGEXP_RFC5424
           @time_parser = @time_parser_rfc5424
+          @support_rfc5424_without_subseconds = true
         else
           @regexp = @with_priority ? REGEXP_WITH_PRI : REGEXP
           @time_parser = @time_parser_rfc3164
@@ -106,7 +111,19 @@ def parse_plain(text, &block)
             when "pri"
               record['pri'] = value.to_i
             when "time"
-              time = @mutex.synchronize { @time_parser.parse(value.squeeze(' ')) }
+              time = @mutex.synchronize do
+                time_str = value.squeeze(' ')
+                begin
+                  @time_parser.parse(time_str)
+                rescue Fluent::TimeParser::TimeParseError => e
+                  if @support_rfc5424_without_subseconds
+                    log.trace(e)
+                    @time_parser_rfc5424_without_subseconds.parse(time_str)
+                  else
+                    raise
+                  end
+                end
+              end
               record[name] = value if @keep_time_key
             else
               record[name] = value

test/plugin/test_parser_syslog.rb

@@ -232,6 +232,44 @@ def test_parse_with_rfc5424_empty_message
         assert_nil record["message"]
       end
     end
+
+    def test_parse_with_rfc5424_message_without_subseconds
+      @parser.configure(
+                        'message_format' => 'rfc5424',
+                        'with_priority' => true,
+                        )
+      text = '<16>1 2017-02-06T13:14:15Z 192.168.0.1 fluentd - - - Hi, from Fluentd!'
+      @parser.instance.parse(text) do |time, record|
+        assert_equal(event_time("2017-02-06T13:14:15Z", format: '%Y-%m-%dT%H:%M:%S%z'), time)
+        assert_equal "-", record["pid"]
+        assert_equal "-", record["msgid"]
+        assert_equal "-", record["extradata"]
+        assert_equal "Hi, from Fluentd!", record["message"]
+      end
+    end
+
+    def test_parse_with_rfc5424_message_both_timestamp
+      @parser.configure(
+                        'message_format' => 'rfc5424',
+                        'with_priority' => true,
+                        )
+      text = '<16>1 2017-02-06T13:14:15Z 192.168.0.1 fluentd - - - Hi, from Fluentd!'
+      @parser.instance.parse(text) do |time, record|
+        assert_equal(event_time("2017-02-06T13:14:15Z", format: '%Y-%m-%dT%H:%M:%S%z'), time)
+        assert_equal "-", record["pid"]
+        assert_equal "-", record["msgid"]
+        assert_equal "-", record["extradata"]
+        assert_equal "Hi, from Fluentd!", record["message"]
+      end
+      text = '<16>1 2017-02-06T13:14:15.003Z 192.168.0.1 fluentd - - - Hi, from Fluentd with subseconds!'
+      @parser.instance.parse(text) do |time, record|
+        assert_equal(event_time("2017-02-06T13:14:15.003Z", format: '%Y-%m-%dT%H:%M:%S.%L%z'), time)
+        assert_equal "-", record["pid"]
+        assert_equal "-", record["msgid"]
+        assert_equal "-", record["extradata"]
+        assert_equal "Hi, from Fluentd with subseconds!", record["message"]
+      end
+    end
   end
 
   class TestAutoRegexp < self
@@ -387,6 +425,17 @@ def test_parse_with_both_message_type_and_priority
       end
       assert_equal(Fluent::Plugin::SyslogParser::REGEXP_RFC5424_WITH_PRI,
                    @parser.instance.patterns['format'])
+
+      text = '<16>1 2017-02-06T13:14:15Z 192.168.0.1 fluentd - - - Hi, from Fluentd without subseconds!'
+      @parser.instance.parse(text) do |time, record|
+        assert_equal(event_time("2017-02-06T13:14:15Z", format: '%Y-%m-%dT%H:%M:%S%z'), time)
+        assert_equal "-", record["pid"]
+        assert_equal "-", record["msgid"]
+        assert_equal "-", record["extradata"]
+        assert_equal "Hi, from Fluentd without subseconds!", record["message"]
+      end
+      assert_equal(Fluent::Plugin::SyslogParser::REGEXP_RFC5424_WITH_PRI,
+                   @parser.instance.patterns['format'])
     end
   end
 end