Package: libparse-syslog-perl Version: 1.10-4 Severity: normal Forwarded: https://rt.cpan.org/Ticket/Display.html?id=63897 Tags: patch upstream X-Debbugs-Cc: debian-p...@lists.debian.org
Dear Maintainer, in Debian 12 rsyslog generates RFC3339 timestamps in the logs, which look like 2024-07-22T06:25:47.214320+02:00 and cannot be parsed by Parse::Syslog 1.10. This issue is known upstream (see https://rt.cpan.org/Ticket/Display.html?id=63897). I extracted the patch to fix this from the upstream bug report, added a little test fixup (so that the tests also work in time zones other than CET) and this looks good to me. If you like, I could do a team upload with these patches applied and maybe some housekeeping... (maybe including a backports upload, since this hurts with the time format change in rsyslog in Debian 12). Or is it bad style to fix upstream "missing features" in a Debian package if upstream seems to be "inactive"? I don't know the team policy here... Greetings Roland
From: Martin Schütte <i...@mschuette.name> Date: Sun, 10 Apr 2021 18:56:47 +0200 Subject: Support for RFC3339 Timestamps Bug: https://rt.cpan.org/Public/Bug/Display.html?id=63897 Origin: https://rt.cpan.org/Public/Bug/Display.html?id=63897 --- a/lib/Parse/Syslog.pm +++ b/lib/Parse/Syslog.pm @@ -82,6 +82,12 @@ my $time; if($GMT) { $time = timegm(@_); + # with explicit timezone: + if($GMT =~ /^([\+\-])(\d\d):(\d\d)$/) { + my $off_secs = 60 * (60*$2 + $3); + $off_secs *= -1 if ($1 eq '+'); + $time += $off_secs; + } } else { $time = timelocal(@_); @@ -236,19 +242,33 @@ \s+ (?:\[LOG_[A-Z]+\]\s+)? # FreeBSD (.*) # text -- 7 + $/x or + $str =~ /^ + (\d\d\d\d)-(\d\d)-(\d\d) # RFC3339 or syslog-ng ISO date -- 1, 2, 3 + T + (\d+):(\d+):(\d+)(?:\.\d+)? # time (optional frac_sec) -- 4, 5, 6 + (Z|[\+\-]\d\d:\d\d) # TZ -- 7 + \s + ([-\w\.\@:]+) # host -- 8 + \s+ + (.*) # text -- 9 $/x or do { warn "WARNING: line not in syslog format: $str"; next line; }; - - my $mon = $months_map{$1}; - defined $mon or croak "unknown month $1\n"; - - $self->_year_increment($mon); - + my ($time, $host, $text); # convert to unix time - my $time = $self->str2time($5,$4,$3,$2,$mon,$self->{year}-1900,$self->{GMT}); + if (defined($months_map{$1})) { # BSD Syslog + my $mon = $months_map{$1}; + defined $mon or croak "unknown month $1\n"; + $self->_year_increment($mon); + $time = $self->str2time($5,$4,$3,$2,$mon,$self->{year}-1900,$self->{GMT}); + ($host, $text) = ($6, $7); + } else { # RFC3339/syslog-ng + $time = $self->str2time($6,$5,$4,$3,$2-1,$1-1900,$7); + ($host, $text) = ($8, $9); + } if(not $self->{allow_future}) { # accept maximum one day in the present future if($time - time > 86400) { @@ -256,9 +276,6 @@ next line; } } - - my ($host, $text) = ($6, $7); - # last message repeated ... times if($text =~ /^(?:last message repeated|above message repeats) (\d+) time/) { next line if defined $self->{repeat} and not $self->{repeat}; --- /dev/null +++ b/t/linux-rfc3339syslog 
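Review bot: The offset pattern `/^([\+\-])(\d\d):(\d\d)$/` in the new `if($GMT =~ …)` branch accepts any two digits for hours and minutes, so a malformed offset such as `+99:99` silently shifts the computed time by days instead of being rejected. Syslog lines can come from remote senders and the timestamps feed later correlation, so I would bound the fields, e.g. `if($GMT =~ /^([+-])([01]\d|2[0-3]):([0-5]\d)\z/) {`. `$GMT` is also no longer a plain flag but carries `Z` or an offset string, which deserves a comment such as `# $GMT: true for UTC, or an RFC3339 offset like "+02:00"`. The function begins outside this hunk. If it caches the previous minute's result keyed only on the date and time fields (not visible here, please check), the key would also need the offset, otherwise two lines with the same wall-clock minute and different offsets get the same epoch time.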
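Review bot: In the new dispatch after the match, `defined $mon or croak "unknown month $1\n";` can never fire, because the branch is already guarded by `defined($months_map{$1})`. If the earlier pattern (it starts outside this hunk) can capture something that is not a known month, that line now falls into the `else` branch and is processed as RFC3339 with `$8` and `$9` undefined instead of croaking. I would make the second branch explicit, `} elsif ($1 =~ /^\d{4}$/) { # RFC3339/syslog-ng`, and keep the error in a final `else { croak "unknown month $1\n"; }`. The new pattern also takes month, day and time as unchecked digits (`(\d\d)`, `(\d+)`), so a value like month `00` reaches `str2time` as `$2-1`. Depending on how `timegm` validates its arguments (not visible here), that either aborts the parse or yields a wrong timestamp, so a range check before the call should send such lines down the existing `warn … next line` path.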
@@ -0,0 +1,12 @@
+2001-08-12T04:55:36Z hathi last message repeated 6 times
+2001-08-12T04:55:06Z hathi sshd[1966]: error: Hm, dispatch protocol error: type 32 plen 4
+2001-08-12T04:55:36Z hathi last message repeated 6 times
+2001-08-12T04:56:36.123456Z hathi last message repeated 12 times
+2001-08-12T04:59:16Z hathi last message repeated 8 times
+2001-08-12T06:59:19+02:00 avalon avalon snort[2176]: IDS552/web-iis_IIS ISAPI Overflow ida: 212.217.33.195:4850 -> 192.168.17.1:80
+2001-08-12T05:59:19+01:00 avalon avalon snort[2176]: IDS243/web-cgi_http-cgi-pipe: 212.217.33.195:4850 -> 192.168.17.1:80
+2001-08-12T00:59:21.0-04:00 hathi sshd[1966]: error: Hm, dispatch protocol error: type 32 plen 4
+2001-08-12T00:59:56.98-04:00 hathi last message repeated 7 times
+2001-08-12T14:00:01+09:00 hathi sshd[1966]: error: Hm, dispatch protocol error: type 32 plen 4
+2001-01-27T17:59:28+00:00 saturne keytable: Loading keymap: fr-latin1 succeeded
+2001-01-28T19:21:28+03:30 pluton syslogd 1.3-3#33.1: restart (remote reception).
--- /dev/null
+++ b/t/rfc3339.t
@@ -0,0 +1,32 @@
+use Test;
+use lib "lib";
+BEGIN { plan tests => 41 };
+use Parse::Syslog;
+ok(1); # If we made it this far, we're ok.
+
+#########################
+
+my $parser = Parse::Syslog->new("t/linux-rfc3339syslog");
+open(PARSED, "<t/linux-parsed") or die "can't open t/linux-parsed: $!\n";
+while(my $sl = $parser->next) {
+ my $is = '';
+ $is .= "time : ".(localtime($sl->{timestamp}))."\n";
+ $is .= "host : $sl->{host}\n";
+ $is .= "program : $sl->{program}\n";
+ $is .= "pid : ".(defined $sl->{pid} ? $sl->{pid} : 'undef')."\n";
+ $is .= "text : $sl->{text}\n";
+ $is .= "\n";
+ print "$is";
+
+ my $shouldbe = '';
+ $shouldbe .= <PARSED>;
+ $shouldbe .= <PARSED>;
+ $shouldbe .= <PARSED>;
+ $shouldbe .= <PARSED>;
+ $shouldbe .= <PARSED>;
+ $shouldbe .= <PARSED>;
+
+ ok($is, $shouldbe);
+}
+
+# vim: set filetype=perl:
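Review bot: The new test only feeds well-formed timestamps through the parser, so nothing exercises how an out-of-range month, day, time or offset is handled. It also has no pair of adjacent entries that share the same wall-clock minute with different offsets, which is the case most likely to expose an offset mix-up. Adding a few such lines to the fixture, with the expected warning or skip asserted, would pin the behaviour for input the parser does not control. Separately, `open(PARSED, "<t/linux-parsed")` uses a bareword handle with two-argument open; `open(my $parsed, '<', 't/linux-parsed') or die "can't open t/linux-parsed: $!\n";` with `<$parsed>` in the loop is the safer form. The six reads per iteration are not checked for end of file, so a short expected file only shows up as a string mismatch.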
From: Roland Rosenfeld <rol...@debian.org> Date: Tue, 23 Jul 2024 13:54:29 +0200 Subject: Fix t/rfc3339.t if timezone is not CET. Same fix as in t/dst.t (fix released there in 1.06). --- a/t/rfc3339.t +++ b/t/rfc3339.t @@ -1,10 +1,13 @@ use Test; +use POSIX; use lib "lib"; BEGIN { plan tests => 41 }; use Parse::Syslog; ok(1); # If we made it this far, we're ok. ######################### +$ENV{TZ} = 'CET-1CEST-2,M3.5.0/02:00:00,M10.5.0/03:00:00'; +POSIX::tzset(); my $parser = Parse::Syslog->new("t/linux-rfc3339syslog"); open(PARSED, "<t/linux-parsed") or die "can't open t/linux-parsed: $!\n";
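Review bot: `use POSIX;` pulls the module's whole default export list into the test for a single call that is already fully qualified as `POSIX::tzset();`, so `use POSIX ();` is enough and keeps the test's namespace clean. The pinned zone would also benefit from a one-line comment above the `$ENV{TZ}` assignment, e.g. `# t/linux-parsed holds localtime() output rendered in CET/CEST`, assuming that is why the expected file only matches in that zone. The commit message says this but the test file itself does not.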