[syslog] Fix handling of escaped characters in structured data (#40446)
- Improved parser to handle escaped closing square brackets in structured data, along
with square brackets in the normal, non-structured data portion of the message.
- Fix incorrect offset being passed to removeBytes function, which would not remove
escaped characters from structured data values.
- The non-compliant-sd unit test cases now include escapes on the closing brackets
within the structured data, something that should have always been there.
- Add tests
taylor-swanson authored Aug 8, 2024
1 parent 5087dd4 commit 1c01d0e
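The escape rules this commit deals with, as an added worked example (not code from the commit or from the Beats syslog reader): a small hand-written RFC 5424 STRUCTURED-DATA parser in Go that removes the three escapes section 6.3.3 defines inside PARAM-VALUE (`\"`, `\\`, `\]`), rejects an unescaped `]` inside a value, handles several SD-ELEMENTs and NILVALUE, and closes an element only at an unescaped `]`, so brackets in the MSG that follows are left alone. The function names, the choice to keep a backslash that precedes any other byte, and the sample input are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrMalformedSD = errors.New("malformed structured data") // RFC 5424 6.3 grammar violated
type SDMap map[string]map[string]string                     // SD-ID -> PARAM-NAME -> PARAM-VALUE

// ParseStructuredData decodes the STRUCTURED-DATA at the start of in and returns it with the
// remaining text (MSG, separating SP stripped). "-" is NILVALUE. Only an unescaped ']' closes
// an element, so brackets in MSG are never touched.
func ParseStructuredData(in string) (SDMap, string, error) {
	if strings.HasPrefix(in, "-") {
		return SDMap{}, strings.TrimPrefix(in[1:], " "), nil
	}
	if !strings.HasPrefix(in, "[") {
		return nil, "", ErrMalformedSD // neither NILVALUE nor an SD-ELEMENT
	}
	sd := SDMap{}
	p := 0
	for p < len(in) && in[p] == '[' {
		id, next, err := scanName(in, p+1)
		if err != nil {
			return nil, "", err
		}
		p = next
		if sd[id] == nil {
			sd[id] = map[string]string{}
		}
		// SD-PARAM = SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE, repeated.
		for p < len(in) && in[p] == ' ' {
			name, next, err := scanName(in, p+1)
			if err != nil {
				return nil, "", err
			}
			if p = next; p+1 >= len(in) || in[p] != '=' || in[p+1] != '"' {
				return nil, "", ErrMalformedSD
			}
			val, next, err := scanParamValue(in, p+2)
			if err != nil {
				return nil, "", err
			}
			sd[id][name] = val
			p = next
		}
		if p >= len(in) || in[p] != ']' {
			return nil, "", ErrMalformedSD
		}
		p++
	}
	return sd, strings.TrimPrefix(in[p:], " "), nil
}

// scanName reads an SD-NAME (SD-ID or PARAM-NAME): 1..32 printable US-ASCII bytes other than
// '=', SP, ']' and '"'. A name can never end the input, so hitting the end is an error.
func scanName(in string, p int) (string, int, error) {
	start := p
	for p < len(in) && in[p] != '=' && in[p] != ']' && in[p] != '"' && in[p] > ' ' && in[p] <= '~' {
		p++
	}
	if p == start || p-start > 32 || p == len(in) {
		return "", 0, ErrMalformedSD
	}
	return in[start:p], p, nil
}

// scanParamValue reads a PARAM-VALUE from just after its opening DQUOTE and returns the
// unescaped value plus the index after the closing DQUOTE. An unescaped ']' or a dangling
// backslash means the sender ignored section 6.3.3, so it is rejected rather than guessed at.
func scanParamValue(in string, p int) (string, int, error) {
	var sb strings.Builder
	for p < len(in) {
		switch c := in[p]; c {
		case '\\':
			if p+1 >= len(in) {
				return "", 0, ErrMalformedSD
			}
			if n := in[p+1]; n != '"' && n != '\\' && n != ']' {
				sb.WriteByte('\\') // assumption: an undefined escape keeps its backslash
			}
			sb.WriteByte(in[p+1])
			p += 2
		case '"':
			return sb.String(), p + 1, nil
		case ']':
			return "", 0, ErrMalformedSD
		default:
			sb.WriteByte(c)
			p++
		}
	}
	return "", 0, ErrMalformedSD
}

func main() {
	// Constructed sample modelled on this commit's new test input, plus \" and \\ escapes.
	sample := `[exampleSDID@32473 iut="3" somekey="[value\] more data" q="say \"hi\" \\ done"][examplePriority@32473 class="high"] [not sd] body`
	sd, msg, err := ParseStructuredData(sample)
	fmt.Printf("sd=%v msg=%q err=%v\n", sd, msg, err)
}
```

The parser is a plain byte scanner rather than a Ragel machine, but the decision it encodes is the same one the grammar change below has to make: a backslash always consumes the byte after it, and only a bare `]` ends an element.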
Showing 5 changed files with 159 additions and 135 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
@@ -110,6 +110,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
- Fix parsing of RFC 3164 process IDs in syslog processor. {issue}38947[38947] {pull}38982[38982]
- Rename the field "apache2.module.error" to "apache.module.error" in Apache error visualization. {issue}39480[39480] {pull}39481[39481]
- Validate config of the `replace` processor {pull}40047[40047]
- Fix handling of escaped brackets in syslog structured data. {issue}40445[40445] {pull}40446[40446]

*Auditbeat*

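Review bot: the entry understates what changed; besides the grammar fix for brackets, this commit corrects the offset passed to `removeBytes` in `set_param_value` (`tok` instead of `p`), which alters the value emitted for any PARAM-VALUE containing an escape, not only `\]`. Suggest wording it as "Fix handling of escaped characters in syslog structured data values and of brackets in the message body" so users reading the changelog know previously emitted values may have kept their backslashes.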
14 changes: 14 additions & 0 deletions libbeat/reader/syslog/message_test.go
@@ -522,6 +522,20 @@ func TestParseStructuredData(t *testing.T) {
},
},
},
"multi-key-with-escape": {
in: `[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011" somekey="[value\] more data"][examplePriority@32473 class="high"]`,
want: map[string]interface{}{
"exampleSDID@32473": map[string]interface{}{
"iut": "3",
"eventSource": "Application",
"eventID": "1011",
"somekey": "[value] more data",
},
"examplePriority@32473": map[string]interface{}{
"class": "high",
},
},
},
"repeated-id": {
in: `[exampleSDID@32473 iut="3"][exampleSDID@32473 class="high"]`,
want: map[string]interface{}{
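Review bot: the new "multi-key-with-escape" case only exercises `\]`; RFC 5424 section 6.3.3 also requires `"` and `\` to be escaped inside PARAM-VALUE, and the commit message additionally claims brackets in the non-structured message portion now parse, neither of which this hunk covers. Suggest adding a value such as `somekey="say \"hi\" \\ done"` with expected `say "hi" \ done`, and a full-message test (outside TestParseStructuredData) whose MSG contains `[` and `]` after the structured data, since that path runs through the `sd_raw` machine rather than this function.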
6 changes: 4 additions & 2 deletions libbeat/reader/syslog/parser/rfc5424.rl
@@ -36,7 +36,7 @@

action set_param_value {
if subMap, ok := structuredData[s.sdID].(map[string]interface{}); ok {
subMap[s.sdParamName] = removeBytes(data[tok:p], s.sdValueEscapes, p)
subMap[s.sdParamName] = removeBytes(data[tok:p], s.sdValueEscapes, tok)
}
}

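Review bot: the fix is correct only if every offset in `s.sdValueEscapes` is absolute within `data`, in which case `tok` (the start of the `data[tok:p]` slice) is the base to subtract; `p` is the end of that slice, so the old call produced indices past the value and the escapes were never removed. Please document that convention on `sdValueEscapes` and on the third parameter of `removeBytes`, since the `p`/`tok` mix-up is exactly the kind of mistake a comment would have prevented, and confirm `sdValueEscapes` is cleared between params: a stale offset from an earlier value would now land inside the new slice instead of harmlessly out of range.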
@@ -73,7 +73,9 @@

header = priority version sp timestamp sp hostname sp app_name sp proc_id sp msg_id;

sd_raw = nil_value | ('[' any+ ']') >tok %set_sd_raw;
sd_raw_escape = (bs | ']');
sd_raw_values = ((bs ']') | (any - sd_raw_escape));
sd_raw = nil_value | ('[' sd_raw_values+ ']')+ >tok %set_sd_raw;

msg = any* >tok %set_msg;
}%%
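Review bot: `sd_raw_values = ((bs ']') | (any - sd_raw_escape))` accepts a backslash only when `]` follows it, so the escapes `\"` and `\\` that RFC 5424 section 6.3.3 requires inside PARAM-VALUE no longer match `sd_raw` at all and the whole message fails to parse; the previous `'[' any+ ']'` at least let them through. Suggest `sd_raw_values = ((bs any) | (any - sd_raw_escape));` so any escaped byte is consumed as a pair and only a bare `]` can close the element; that also keeps `\\]` (escaped backslash followed by a real close) correct, whereas the current rule stalls on the second backslash.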