`parse_syslog` incorrectly adds the previous year for RFC3464 timestamps when close to the new year and the system timezone is not UTC

vectordotdev / vrl

Vector Remap Language

Mozilla Public License 2.0

123 stars 56 forks source link

[sources.message_log] type = "file" include = ["/var/log/messages"] start_at_beginning = true [transforms.modify_message_log] type = "remap" inputs = [ "message_log" ] source = ''' . = parse_syslog!(.message) ''' [sinks.console] type = "console" inputs = ["modify_message_log"] encoding.codec = "json"

The year is inferred using the current time in UTC, and the month as parsed from the log message (without any conversion).

This seems to be where the problems occur. The message's month could be different in UTC if the message is in a different timezone. The code is shared between Vector and a dependency syslog_loose.

syslog_loose takes a resolve_year closure, runs it and builds a datetime with the result, and then converts the built datetime using an optional offset.
Vector defines and passes in the resolve_year closure.
worth noting that the IncompleteDate passed to resolve year is not translated to or from any timezone. I.e. a month is read from a str, and then that produces a year somehow, with zero knowledge of what timezone the message time is in.

I don't understand what's gone wrong exactly and how it managed to end up with 2022, but I think it's likely to be in this resolve_year and syslog_loose interaction.

Timezones are hard.

vectordotdev / vrl

`parse_syslog` incorrectly adds the previous year for RFC3464 timestamps when close to the new year and the system timezone is not UTC #641

A note for the community

Problem

Configuration

Version

Debug Output

Example Data

Additional Context

References