vectordotdev / vector

A high-performance observability data pipeline.
https://vector.dev
Mozilla Public License 2.0

Cannot parse syslog messages with empty timestamp #21353

Open chatziko opened 1 month ago

chatziko commented 1 month ago


Problem

RFC 5424 seems to allow the use of the NILVALUE "-" in place of a timestamp. In fact, applications must use it if they don't have access to a clock.

A syslog application MUST use the NILVALUE as TIMESTAMP if the syslog application is incapable of obtaining system time.

However, parse_syslog does not accept an empty timestamp, as can be seen in the VRL playground:

# This fails
.a = parse_syslog!(
    s'<7>1 - foo bar - - - message'
)

# This succeeds
.a = parse_syslog!(
    s'<7>1 2020-03-13T20:45:38.119Z foo bar - - - message'
)

Configuration

sources:
  syslog:
    type: syslog
    address: 0.0.0.0:514
    mode: udp

Version

vector 0.41.1 (x86_64-unknown-linux-gnu 745babd 2024-09-11 14:55:36.802851761)

Debug Output

2024-09-25T12:21:55.927638Z ERROR source{component_kind="source" component_id=syslog component_type=syslog}: vector::internal_events::socket: Error receiving data. error=ParsingError(unable to parse input as valid syslog message) error_code="socket_receive" error_type="reader_failed" stage="receiving" mode=udp internal_log_rate_limit=true

Example Data

<7>1 - foo bar - - - message

Additional Context

No response

References

No response

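As an added example (not Vector's or VRL's code), a minimal RFC 5424 header parser in which the NILVALUE "-" is accepted for TIMESTAMP as well as for the other fields the RFC allows it in, so the failing message above parses; `Syslog5424`, `parse_syslog_5424` and `split_sd` are names chosen here, and the timestamp is returned as a string rather than validated.

```rust
// Added example, not Vector's or VRL's code: a minimal RFC 5424 header parser
// that accepts the NILVALUE "-" wherever the RFC permits it, TIMESTAMP included.
#[derive(Debug, PartialEq)]
pub struct Syslog5424<'a> {
    pub facility: u8, pub severity: u8, pub version: u8,
    pub timestamp: Option<&'a str>, // None when the sender wrote "-" (no clock)
    pub hostname: Option<&'a str>, pub appname: Option<&'a str>,
    pub procid: Option<&'a str>, pub msgid: Option<&'a str>,
    pub structured_data: Option<&'a str>, pub msg: &'a str,
}
/// NILVALUE becomes None; any other token is kept verbatim.
fn nil(f: &str) -> Option<&str> { if f == "-" { None } else { Some(f) } }
/// Drop the single SP that separates a header field from what follows it.
fn after_sp(s: &str) -> &str { s.strip_prefix(' ').unwrap_or(s) }
/// Split STRUCTURED-DATA ("-" or one or more [..] elements) from MSG; a ']' inside a
/// quoted PARAM-VALUE is data, not the end of the element.
fn split_sd(tail: &str) -> Result<(Option<&str>, &str), String> {
    if let Some(msg) = tail.strip_prefix('-') { return Ok((None, after_sp(msg))); }
    if !tail.starts_with('[') { return Err("STRUCTURED-DATA must be \"-\" or [..]".into()); }
    let (mut in_quotes, mut escaped, mut depth) = (false, false, 0usize);
    for (i, c) in tail.char_indices() {
        match c {
            _ if escaped => escaped = false,
            '\\' if in_quotes => escaped = true,
            '"' => in_quotes = !in_quotes,
            '[' if !in_quotes => depth += 1,
            ']' if !in_quotes => {
                depth -= 1;
                if depth == 0 && !tail[i + 1..].starts_with('[') {
                    return Ok((Some(&tail[..=i]), after_sp(&tail[i + 1..])));
                }
            }
            _ => {}
        }
    }
    Err("unterminated STRUCTURED-DATA".into())
}
pub fn parse_syslog_5424(input: &str) -> Result<Syslog5424<'_>, String> {
    // PRI is "<" PRIVAL ">" with PRIVAL = facility * 8 + severity, at most 191.
    let (prival, rest) = input.strip_prefix('<').ok_or("missing PRI")?.split_once('>').ok_or("unterminated PRI")?;
    let prival: u8 = prival.parse().map_err(|_| "PRIVAL not numeric")?;
    if prival > 191 { return Err("PRIVAL out of range".into()); }
    // VERSION and five SP-separated header fields; the 7th piece is SD + MSG.
    let mut fields = rest.splitn(7, ' ');
    let mut next = |name: &str| fields.next().ok_or(format!("missing {name}"));
    let version: u8 = next("VERSION")?.parse().map_err(|_| "VERSION not numeric")?;
    let (timestamp, hostname) = (nil(next("TIMESTAMP")?), nil(next("HOSTNAME")?));
    let (appname, procid, msgid) = (nil(next("APP-NAME")?), nil(next("PROCID")?), nil(next("MSGID")?));
    let (structured_data, msg) = split_sd(next("STRUCTURED-DATA")?)?;
    Ok(Syslog5424 { facility: prival >> 3, severity: prival & 7, version, timestamp,
        hostname, appname, procid, msgid, structured_data, msg })
}
```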
jszwedko commented 1 month ago

Thanks for this report @chatziko ! I think you meant to link to this part of the RFC.

chatziko commented 1 month ago

> Thanks for this report @chatziko ! I think you meant to link to this part of the RFC.

Fixed, thanks for the quick response.