Blazing fast syslog parser

This PR finally implements RFC3164 parsing! 😃

It fixes #15 when merged in.

Notice it changes the syslog.Message interface and it introduces a syslog.Base struct containing the common fields between the two Syslog formats.

This means I'll need to release another major (v3) when completed 100% (see below).

Missing pieces at the moment:

• [ ] extensive test suite
• [x] option/mechanism to let the user choose the year of the timestamp
• [x] best-effort mode
• [x] option to choose the year for STAMP timestamps (WithYear() with strategies like CurrentYear{}, Year{YYYY:2020} etc.)
• [x] option to choose the time zone for STAMP timestamps (WithTimezone())
• [x] option to let the parser ALSO match RFC3339 timestamps (WithRFC3339())
• [x] examples
• [x] update README with examples referring to the new interfaces (#26)

• Relaxes the default parser to accept any encoding in the MSG part of the message.
• Adds an option WithCompliantMsg() to enforce a compliant MSG as defined by https://tools.ietf.org/html/rfc5424#section-6.4.

MSG             = MSG-ANY / MSG-UTF8
MSG-ANY         = *OCTET ; not starting with BOM
MSG-UTF8        = BOM UTF-8-STRING

Usage

message, err := rfc5424.NewMachine(rfc5424.WithCompliantMsg()).Parse(subject)

Performance

Initialization of machine moved out of benchmark for all comparisons.

develop...allow-non-utf8

name                                                        old time/op  new time/op  delta
Parse/[no]_empty_input__________________________________-8   409ns ± 1%   408ns ± 1%     ~     (p=0.416 n=10+10)
Parse/[no]_multiple_syslog_messages_on_multiple_lines___-8   494ns ± 0%   509ns ± 1%   +2.97%  (p=0.000 n=10+10)
Parse/[no]_impossible_timestamp_________________________-8  1.47µs ± 0%  1.48µs ± 1%   +0.82%  (p=0.000 n=10+9)
Parse/[no]_malformed_structured_data____________________-8   681ns ± 0%   707ns ± 3%   +3.90%  (p=0.000 n=9+10)
Parse/[no]_with_duplicated_structured_data_id___________-8  1.92µs ± 1%  1.99µs ± 1%   +3.38%  (p=0.000 n=10+9)
Parse/[ok]_minimal______________________________________-8   254ns ± 0%   263ns ± 1%   +3.43%  (p=0.000 n=7+10)
Parse/[ok]_average_message______________________________-8  2.67µs ± 1%  2.64µs ± 2%     ~     (p=0.271 n=10+10)
Parse/[ok]_complicated_message__________________________-8  2.12µs ± 0%  2.09µs ± 0%   -1.60%  (p=0.000 n=10+8)
Parse/[ok]_very_long_message____________________________-8  5.16µs ± 1%  4.60µs ± 0%  -10.89%  (p=0.000 n=10+8)
Parse/[ok]_all_max_length_and_complete__________________-8  5.14µs ± 1%  5.16µs ± 2%     ~     (p=0.645 n=10+10)
Parse/[ok]_all_max_length_except_structured_data_and_mes-8  3.73µs ± 0%  3.72µs ± 1%   -0.33%  (p=0.023 n=10+10)
Parse/[ok]_minimal_with_message_containing_newline______-8   287ns ± 1%   283ns ± 0%   -1.43%  (p=0.000 n=10+7)
Parse/[ok]_w/o_procid,_w/o_structured_data,_with_message-8  1.06µs ± 1%  1.02µs ± 1%   -3.66%  (p=0.000 n=8+10)
Parse/[ok]_minimal_with_UTF-8_message___________________-8   524ns ± 1%   523ns ± 0%     ~     (p=0.850 n=10+9)
Parse/[ok]_minimal_with_UTF-8_message_starting_with_BOM_-8   532ns ± 1%   526ns ± 0%   -1.27%  (p=0.000 n=10+9)
Parse/[ok]_with_structured_data_id,_w/o_structured_data_-8  1.08µs ± 0%  1.08µs ± 1%   +0.88%  (p=0.000 n=9+10)
Parse/[ok]_with_multiple_structured_data________________-8  1.77µs ± 0%  1.71µs ± 1%   -3.63%  (p=0.000 n=10+10)
Parse/[ok]_with_escaped_backslash_within_structured_data-8  1.61µs ± 1%  1.60µs ± 0%   -1.03%  (p=0.000 n=10+9)
Parse/[ok]_with_UTF-8_structured_data_param_value,_with_-8  1.86µs ± 0%  1.79µs ± 0%   -3.39%  (p=0.000 n=10+10)

develop...allow-non-utf8.WithCompliantMsg

name                                                        old time/op  new time/op  delta
Parse/[no]_empty_input__________________________________-8   409ns ± 1%   411ns ± 1%     ~     (p=0.124 n=10+10)
Parse/[no]_multiple_syslog_messages_on_multiple_lines___-8   494ns ± 0%   511ns ± 0%   +3.38%  (p=0.000 n=10+10)
Parse/[no]_impossible_timestamp_________________________-8  1.47µs ± 0%  1.49µs ± 1%   +1.59%  (p=0.000 n=10+10)
Parse/[no]_malformed_structured_data____________________-8   681ns ± 0%   689ns ± 0%   +1.19%  (p=0.000 n=9+9)
Parse/[no]_with_duplicated_structured_data_id___________-8  1.92µs ± 1%  1.91µs ± 0%   -0.43%  (p=0.005 n=10+10)
Parse/[ok]_minimal______________________________________-8   254ns ± 0%   254ns ± 0%     ~     (p=0.103 n=7+10)
Parse/[ok]_average_message______________________________-8  2.67µs ± 1%  2.62µs ± 0%   -1.72%  (p=0.000 n=10+9)
Parse/[ok]_complicated_message__________________________-8  2.12µs ± 0%  2.08µs ± 0%   -1.76%  (p=0.000 n=10+10)
Parse/[ok]_very_long_message____________________________-8  5.16µs ± 1%  4.56µs ± 0%  -11.66%  (p=0.000 n=10+10)
Parse/[ok]_all_max_length_and_complete__________________-8  5.14µs ± 1%  5.11µs ± 0%   -0.42%  (p=0.009 n=10+10)
Parse/[ok]_all_max_length_except_structured_data_and_mes-8  3.73µs ± 0%  3.74µs ± 1%     ~     (p=0.492 n=10+10)
Parse/[ok]_minimal_with_message_containing_newline______-8   287ns ± 1%   283ns ± 0%   -1.32%  (p=0.000 n=10+10)
Parse/[ok]_w/o_procid,_w/o_structured_data,_with_message-8  1.06µs ± 1%  1.07µs ± 1%   +0.94%  (p=0.001 n=8+9)
Parse/[ok]_minimal_with_UTF-8_message___________________-8   524ns ± 1%   523ns ± 1%     ~     (p=0.597 n=10+10)
Parse/[ok]_minimal_with_UTF-8_message_starting_with_BOM_-8   532ns ± 1%   531ns ± 0%     ~     (p=0.693 n=10+8)
Parse/[ok]_with_structured_data_id,_w/o_structured_data_-8  1.08µs ± 0%  1.08µs ± 0%   +0.81%  (p=0.000 n=9+10)
Parse/[ok]_with_multiple_structured_data________________-8  1.77µs ± 0%  1.71µs ± 0%   -3.44%  (p=0.000 n=10+10)
Parse/[ok]_with_escaped_backslash_within_structured_data-8  1.61µs ± 1%  1.61µs ± 1%     ~     (p=0.926 n=10+10)
Parse/[ok]_with_UTF-8_structured_data_param_value,_with_-8  1.86µs ± 0%  1.80µs ± 1%   -2.95%  (p=0.000 n=10+9)

allow-non-utf8...allow-non-utf8.WithCompliantMsg

name                                                        old time/op  new time/op  delta
Parse/[no]_empty_input__________________________________-8   408ns ± 1%   411ns ± 1%  +0.66%  (p=0.022 n=10+10)
Parse/[no]_multiple_syslog_messages_on_multiple_lines___-8   509ns ± 1%   511ns ± 0%  +0.39%  (p=0.017 n=10+10)
Parse/[no]_impossible_timestamp_________________________-8  1.48µs ± 1%  1.49µs ± 1%  +0.77%  (p=0.006 n=9+10)
Parse/[no]_malformed_structured_data____________________-8   707ns ± 3%   689ns ± 0%  -2.61%  (p=0.002 n=10+9)
Parse/[no]_with_duplicated_structured_data_id___________-8  1.99µs ± 1%  1.91µs ± 0%  -3.69%  (p=0.000 n=9+10)
Parse/[ok]_minimal______________________________________-8   263ns ± 1%   254ns ± 0%  -3.43%  (p=0.000 n=10+10)
Parse/[ok]_average_message______________________________-8  2.64µs ± 2%  2.62µs ± 0%    ~     (p=0.483 n=10+9)
Parse/[ok]_complicated_message__________________________-8  2.09µs ± 0%  2.08µs ± 0%    ~     (p=0.163 n=8+10)
Parse/[ok]_very_long_message____________________________-8  4.60µs ± 0%  4.56µs ± 0%  -0.87%  (p=0.000 n=8+10)
Parse/[ok]_all_max_length_and_complete__________________-8  5.16µs ± 2%  5.11µs ± 0%    ~     (p=0.190 n=10+10)
Parse/[ok]_all_max_length_except_structured_data_and_mes-8  3.72µs ± 1%  3.74µs ± 1%  +0.50%  (p=0.006 n=10+10)
Parse/[ok]_minimal_with_message_containing_newline______-8   283ns ± 0%   283ns ± 0%    ~     (p=0.353 n=7+10)
Parse/[ok]_w/o_procid,_w/o_structured_data,_with_message-8  1.02µs ± 1%  1.07µs ± 1%  +4.78%  (p=0.000 n=10+9)
Parse/[ok]_minimal_with_UTF-8_message___________________-8   523ns ± 0%   523ns ± 1%    ~     (p=0.525 n=9+10)
Parse/[ok]_minimal_with_UTF-8_message_starting_with_BOM_-8   526ns ± 0%   531ns ± 0%  +1.11%  (p=0.000 n=9+8)
Parse/[ok]_with_structured_data_id,_w/o_structured_data_-8  1.08µs ± 1%  1.08µs ± 0%    ~     (p=0.926 n=10+10)
Parse/[ok]_with_multiple_structured_data________________-8  1.71µs ± 1%  1.71µs ± 0%    ~     (p=0.181 n=10+10)
Parse/[ok]_with_escaped_backslash_within_structured_data-8  1.60µs ± 0%  1.61µs ± 1%  +1.08%  (p=0.000 n=9+10)
Parse/[ok]_with_UTF-8_structured_data_param_value,_with_-8  1.79µs ± 0%  1.80µs ± 1%  +0.45%  (p=0.000 n=10+9)

Fixes #21

I tried out your benchmarks with my library.

Some notes:

• Didn't originally support multiple sd elements, so that was added for these benchmarks. Wish the RFC read better on this.
• Don't support all the error messages you have here. An error is returned for malformed syslog format, but not what caused the error.
• No validation is done on the uniqueness of sd id. I'm using a different data structure as sd elements can have the key defined multiple times.
• Don't use pointers. Just the string conversion from the []byte.

Hi. I'm trying to use this library to parse messages that rsyslog sends over a TCP connection. All examples in the repository do a "dump" of the syslog.Result type, which shows the data that is contained within the concrete types, but there is no example that shows how to get (for instance) the message payload out of the syslog.Message interface.

I assume you need to typecast Result.Message into its concrete type to access the actual data, but this is not explained or shown anywhere in the documentation. Could this be clarified?

Users cannot use octet parser due to go module name inconsistency. Both develop branch and v2.0.0 tag ( the one with octet parser ) are not usable due to v2 being present in the module name.

This might be working fine locally / in development, but fails for external / Go dep users. This PR fixes all v2 mentions and can be validated with Go dep using

[[constraint]]
  name = "github.com/influxdata/go-syslog"
  branch = "develop"
  source = "https://github.com/lxfontes/go-syslog"

Hi, There's seems to be a problem with parsing of RFC5424 messages, that contain non-UTF8 bytes/sequences in free-form message field (MSG). Parser returns following error:

expecting a free-form optional message in UTF-8 (starting with or without BOM)

But according to RFC5424 this field may contain data in any encoding. Could you please make parser more relaxed about that issue?

Thanks!

dep ensure -add github.com/influxdata/go-syslog results in

Error downloading object: docs/rfc5424_appname.png (81860ca): Smudge error: Error downloading docs/rfc5424_appname.png (81860caa2b2707b7f5eb5d4cd1f1c29593b2af4c5ae99f042a761c4e356ff9d9): batch response: This repository is over its data quota. Purchase more data packs to restore access.

This is a follow-up of #19 which still appears broken. Consider this:

❯ go mod init foo
go: creating new go.mod: module foo

❯ go get github.com/influxdata/go-syslog@latest && cat go.mod 
module foo

go 1.13

require github.com/influxdata/go-syslog v1.0.1 // indirect

❯ go get github.com/influxdata/[email protected]
go: finding github.com/influxdata/go-syslog v2.0.0
go get github.com/influxdata/[email protected]: github.com/influxdata/[email protected]: invalid version: module contains a go.mod file, so major version must be compatible: should be v0 or v1, not v2

go get will never install a v2 version as the import path does not match. See https://github.com/golang/go/wiki/Modules#semantic-import-versioning for path names.

My feeling is that as this stage the right thing would be to release a 3.0 version (branched from 2.0) with a /v3 import path.

Hello,

I am trying to understand why did you choose to reject a version that is not between 1 and 999.

How I am testing

I am testing with a docker container with this command: docker run --log-driver syslog --log-opt syslog-address=udp://localhost:7890 alpine echo hello world

I obtain this syslog message: <30>Aug 8 13:56:23 6d8f79ab82bf[1451]: hello world\n

Docker is using the same RFC as you with the ABNF implementation: https://docs.docker.com/config/containers/logging/syslog/

Why I am thinking version range is not expected ?

In the RFC there is no 999, you can search for it but you will not find anything related to the version.

So why are you doing that, there is a reason for ?

I admittedly don't understand the purpose of all the pointers and indirection in the code, but i did a little light profiling and then rolled it in our own system and found that the extra pointers were causing more stress on the allocator and GC. I refactored the ragel system and some of the code to remove them and got between 10 and 60% speedups. If there is some other reason for keeping that indirection I would like to better understand it. I am also admittedly new to ragel and code generation, so if I botched some of the code changes let me know.

Thank you for the library, it was already fast, this is a little faster and more go-like.

benchmark                                                               old ns/op     new ns/op     delta
BenchmarkParse/[no]_empty_input__________________________________-4     270           233           -13.70%
BenchmarkParse/[no]_multiple_syslog_messages_on_multiple_lines___-4     519           322           -37.96%
BenchmarkParse/[no]_impossible_timestamp_________________________-4     1258          1065          -15.34%
BenchmarkParse/[no]_malformed_structured_data____________________-4     608           423           -30.43%
BenchmarkParse/[no]_with_duplicated_structured_data_id___________-4     1698          1397          -17.73%
BenchmarkParse/[ok]_minimal______________________________________-4     321           122           -61.99%
BenchmarkParse/[ok]_average_message______________________________-4     2588          2228          -13.91%
BenchmarkParse/[ok]_complicated_message__________________________-4     2176          1860          -14.52%
BenchmarkParse/[ok]_very_long_message____________________________-4     4501          4081          -9.33%
BenchmarkParse/[ok]_all_max_length_and_complete__________________-4     3514          3174          -9.68%
BenchmarkParse/[ok]_all_max_length_except_structured_data_and_mes-4     2115          1846          -12.72%
BenchmarkParse/[ok]_minimal_with_message_containing_newline______-4     384           157           -59.11%
BenchmarkParse/[ok]_w/o_procid,_w/o_structured_data,_with_message-4     1082          762           -29.57%
BenchmarkParse/[ok]_minimal_with_UTF-8_message___________________-4     608           370           -39.14%
BenchmarkParse/[ok]_with_structured_data_id,_w/o_structured_data_-4     1231          950           -22.83%
BenchmarkParse/[ok]_with_multiple_structured_data________________-4     1920          1603          -16.51%
BenchmarkParse/[ok]_with_escaped_backslash_within_structured_data-4     1667          1319          -20.88%
BenchmarkParse/[ok]_with_UTF-8_structured_data_param_value,_with_-4     1813          1596          -11.97%

This PR introduces several features and aspects:

• [x] Go modules
• [x] Interfaces
  • [x] syslog.Machines => parsers a byte slice
  • [x] syslog.Parsers => parsers supporting a stream
• [x] Streaming impl. of non-transparent framing for syslog transports, ie., RFC6587 (refs #16)
  • [x] Documentation
  • [ ] Error handling
• [x] Refactoring of existing RFC5424 to match interfaces and conventions
• [x] Refactoring of existing RFC5425 to match interfaces and conventions
• [x] CI setup

Note that I'll introduce BC with this PR.

This isn't a particularly fancy patch but adds RFC3164 support for streams.

My motivation is to use Lokis client tool promtail directly with RFC3164 devices without having a syslog-ng server in-between.

both nontransparent and octetcounting use RFC5424 which isn't used by many devices, i.e. OpenWrt or Ubiquiti routers.

Add a new function called NewParserRFC3164 to both.

Signed-off-by: Paul Spooren [email protected]

Hello,

We are trying to use go-syslog parser to parse syslogs for one of our system but our logs are in format as below:

Oct 11 22:14:15 su: 'su root' failed for lonvick on /dev/pts/8

So is there any way/standard to parse the logs in this format?

as we have checked the go-syslog supports logs in format of

<152> Oct 11 22:14:15 su: 'su root' failed for lonvick on /dev/pts/8

Any help on this will be appreciated.

https://github.com/influxdata/go-syslog/blob/ac565dc76ba6bb17b47140fb74355d1de7f19307/rfc5424/builder.go#L64-L65

Those two variables are defined on the package level. That means that two independent rfc5424.SyslogMessage objects with structured data can't be built concurrently – race detector correctly reports unsynchronised writes.

rfc3164 parser can parse log like logStr = "<134>Jul 16 02:15:13 an 200050021 id=OS time="2020-7-16 02:15:13" timezone=GMT(+0000)", but can't parse log like logStr = "<134>Jul 16 2020 02:15:13 an 200050021 id=OS time="2020-7-16 02:15:13" timezone=GMT(+0000)". It will cause error: expecting a Stamp timestamp [col 14].

I'm trying to parse messages from rsyslog's owfwd module. rsyslog uses BSD syslog messages (RFC 3164). However, the two parsers that can handle reading multiple syslog messages from a stream, nontransparent and octetcounting, both assume RFC 5424 style syslog messages.

Is it possible to add parsing multiple BSD-style syslog messages (with both framing methods) as well?

rsyslog documentation: https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html#tcp-framing