Syslog parser fails on double backslashes in structured data

Hello everyone,

My org is using the Custom UDP Logs integration to ingest RFC 5424 syslog messages from several network appliances. One of the appliances includes structured data with a parameter value containing a double backslash, for example:

ViewID@12345 DisplayName="domain\\username" EventType="auth"]

When these messages are processed, the syslog processor fails with the following error:

syslog failed to process field "message": parsing error at position 105: unexpected EOF

As referenced in an existing GitHub issue, this message is fully compliant with RFC 5424 section 6.3.3 (which requires escaping " , \ and ] inside PARAM-VALUE by prefixing them with \).

I’ve implemented a small fix that resolves the issue and wanted to quickly check whether this bug is already being worked on or if there is a plan to fix it.

Thanks!

Hello and welcome,

Which version of the Agent and the integration are you using?

Is this enabled in your integration configuration?

While Elastic Agent uses Beats under the hood, if you are using an Elastic Agent integration you need to also check the issues in the integrations repository; I could not find anything related to this error.

I'm using Custom UDP Logs version 2.4.0 and Elastic Agent version 9.3.0. And yes, I do have that option checked. That is where the issue comes from. You can validate this fails yourself by sending a syslog with structured data that has a param value containing an escaped \.

Like I said though, I do have a fix I wrote that meets the requirements of the RFC and doesn't fail on the escaped backslash. I just wanted to make sure this wasn't already being worked on (as the Beats contribution guide states to do).

Also, this is not an issue with the integration itself; this is certainly a Beats issue.