RFC 5424 explicitly allows timestamp to be a nilvalue. I have a device which generates logs of this format that I am attempting to collect, but filebeat appears to only accept messages that have a timestamp specified.
Having taken a quick look at the code, I believe this is happening because `parseAndCreateEvent5424` in `filebeat/input/syslog/input.go` checks for `ev.IsValid`, which checks the day/hour/minute/second fields having been initialized.
Here is a short Python program that demonstrates the problem if pointed at a filebeat instance (change the SYSLOG_IP variable). I have tested this against 7.16.2 as well as 8.0.0-beta1, and with both the auto and rfc5424 syslog formats.
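```python
import socket

SYSLOG_IP = '192.168.4.14'  # address of the filebeat syslog input
SYSLOG_PORT = 514

# TIMESTAMP is the RFC 5424 NILVALUE ("-")
original_msg = "<142>1 - 1.2.3.4 Host - - - FAILING COPIED MESSAGE"
# Same message with TIMESTAMP filled in
changed_msg = "<142>1 2022-01-01T01:23:45.003Z 1.2.3.4 Host - - - GOOD CHANGED MESSAGE"

def send(msg):
    # One UDP datagram per syslog message
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(msg.encode('utf-8'), (SYSLOG_IP, SYSLOG_PORT))

send(original_msg)
send(changed_msg)
```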