For confirmed bugs, please report:
- Version: 6.3.2
- Operating System: FreeBSD
- GitHub Link: https://github.com/elastic/beats/issues/9323
- Steps to Reproduce: With the system clock on the computer where filebeat is installed set to the month of December, attempt to ingest a syslog message using the syslog input plugin. These are the errors I get:
```
2018-12-02T07:38:44.727Z ERROR [syslog] syslog/input.go:114 can't not parse event as syslog rfc3164 {"message": "Dec 02 07:38:44 freebsd-11-2 crontab[81334]: (root) BEGIN EDIT (root)"}
```
This is a properly formatted rfc3164 syslog message, as far as I can tell. Looking at the source code, the month strings are defined in the file syslog_rfc3164.rl. The definition is:
```
month = ( "Jan" ("uary")? | "Feb" "ruary"? | "Mar" "ch"? | "Apr" "il"? | "Ma" "y"? | "Jun" "e"? | "Jul" "y"? | "Aug" "ust"? | "Sep" ("tember")? | "Oct" "ober"? | "Nov" "ember"? | "ec" "ember"?) >tok %month;
```
I'm guessing that it should be:
```
month = ( "Jan" ("uary")? | "Feb" "ruary"? | "Mar" "ch"? | "Apr" "il"? | "Ma" "y"? | "Jun" "e"? | "Jul" "y"? | "Aug" "ust"? | "Sep" ("tember")? | "Oct" "ober"? | "Nov" "ember"? | "Dec" "ember"?) >tok %month;
```
That is, there is a missing capital D from the December string. Because of this, any syslog message with the month of December in the date will trigger the error.
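A table-driven check of the kind that catches this class of grammar typo before a month of events is dropped, added here as an example; it is not code from the original post or from the Beats project. The regular expressions are an approximate transcription of the two Ragel `month` rules quoted above, and the per-month sample lines (host `host`, program `app`) are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Month alternatives from the post, transcribed into regexp syntax (an
// approximation of the Ragel rule, not the Beats parser itself).
const (
	asPosted  = `Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May?|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|ec(ember)?`
	corrected = `Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May?|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?`
	// Log line quoted in the post.
	pageLine = "Dec 02 07:38:44 freebsd-11-2 crontab[81334]: (root) BEGIN EDIT (root)"
)

// Parses reports whether line starts with an RFC 3164 style timestamp
// ("Mmm dd hh:mm:ss ") whose month matches the given alternatives.
func Parses(months, line string) bool {
	re := regexp.MustCompile(`^(?:` + months + `) +\d{1,2} \d{2}:\d{2}:\d{2} `)
	return re.MatchString(line)
}

// RejectedMonths builds one constructed line per calendar month and returns
// the abbreviations the grammar fails to accept.
func RejectedMonths(months string) []string {
	var bad []string
	for m := time.January; m <= time.December; m++ {
		abbr := m.String()[:3]
		if !Parses(months, abbr+" 02 07:38:44 host app[1]: constructed line") {
			bad = append(bad, abbr)
		}
	}
	return bad
}

func main() {
	fmt.Println("as posted rejects:", RejectedMonths(asPosted))
	fmt.Println("corrected rejects:", RejectedMonths(corrected))
	fmt.Println("line from the post parses (as posted / corrected):",
		Parses(asPosted, pageLine), Parses(corrected, pageLine))
}
```

For a log pipeline, the same loop is worth keeping as a regression test: a parser that silently rejects one month leaves a gap in collected syslog data for that whole month.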