Closing elastic#16824

SHolzhauer · Apr 28, 2020 · eff8bed · eff8bed
1 parent 41b9f86
commit eff8bed
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
@@ -20,6 +20,7 @@ https://github.com/elastic/beats/compare/v7.5.0...v7.5.1[View commits]
 - Change iis url path grok pattern from URIPATH to NOTSPACE. {issue}12710[12710] {pull}13225[13225] {issue}7951[7951] {pull}13378[13378] {pull}14754[14754]
 - Fix azure filesets test files. {issue}14185[14185] {pull}14235[14235]
 - Update Logstash module's Grok patterns to support Logstash 7.4 logs. {pull}14743[14743]
+- Allow for leading 0 in syslog day format as per {issue}16824[16824]
 
 *Metricbeat*
 

diff --git a/filebeat/input/syslog/syslog_rfc3164.rl b/filebeat/input/syslog/syslog_rfc3164.rl
@@ -19,7 +19,9 @@
   # Match: " 5" and "10" as the day
   multiple_digits_day = (([12][0-9]) | ("3"[01]))>tok %day;
   single_digit_day = [1-9]>tok %day;
-  day = (space? single_digit_day | multiple_digits_day);
+  # Support 'Aug 07' format for misinterpretations of rfc
+  supported_multiple_digits_day = [0][0-9]>tok %day;
+  day = (space? single_digit_day | multiple_digits_day | supported_multiple_digits_day);
 
   # Match: hh:mm:ss (24 hr format)
   hour = ([01][0-9]|"2"[0-3])>tok %hour;