Syslogd regex problem

Description

I think there's something wrong in the way syslogd extracts fields from syslog messages.

I've a syslog event that seems to be decoded correctly:

2013-07-19 15:55:22,585 DEBUG [Syslog Event Receiver[0.0.0.0:10514]] SyslogReceiver: Waiting on a datagram to arrive
2013-07-19 15:55:22,586 DEBUG [SyslogConnection] ConvertToEvent: Converting to event: org.opennms.netmgt.syslogd.ConvertToEvent@1646dfda[Sender=otrs-test<sanitized_fqhn>/<sanitized_ip>,Port=54025,Acknowledged Events=[],Event=<null>]
2013-07-19 15:55:22,586 TRACE [SyslogConnection] CustomSyslogParser: priority code = 11
2013-07-19 15:55:22,586 TRACE [SyslogConnection] CustomSyslogParser: message = Jul 19 15:55:21 otrs-test OTRS-CGI-76[14364]: [Error][Kernel::System::ImportExport::ObjectBackend::CI2CILink::ImportDataSave][Line:468]: CILink: Could not create link between CIs!
2013-07-19 15:55:22,586 TRACE [SyslogConnection] CustomSyslogParser: stdMsg = true
2013-07-19 15:55:22,586 TRACE [SyslogConnection] CustomSyslogParser: timestamp = Jul 19 15:55:21
2013-07-19 15:55:22,586 TRACE [SyslogConnection] CustomSyslogParser: message = otrs-test OTRS-CGI-76[14364]: [Error][Kernel::System::ImportExport::ObjectBackend::CI2CILink::ImportDataSave][Line:468]: CILink: Could not create link between CIs!
2013-07-19 15:55:22,586 TRACE [SyslogConnection] CustomSyslogParser: pattern = ^((.+?):? (.*))\n?$
2013-07-19 15:55:22,586 TRACE [SyslogConnection] CustomSyslogParser: host group = 2
2013-07-19 15:55:22,586 TRACE [SyslogConnection] CustomSyslogParser: message group = 3
2013-07-19 15:55:22,586 TRACE [SyslogConnection] CustomSyslogParser: Syslog message 'otrs-test OTRS-CGI-76[14364]: [Error][Kernel::System::ImportExport::ObjectBackend::CI2CILink::ImportDataSave][Line:468]: CILink: Could not create link between CIs!' matched regexp '^((.+?):? (.*))\n?$'
2013-07-19 15:55:22,586 TRACE [SyslogConnection] CustomSyslogParser: Found host 'otrs-test'
2013-07-19 15:55:22,586 TRACE [SyslogConnection] CustomSyslogParser: Found message 'OTRS-CGI-76[14364]: [Error][Kernel::System::ImportExport::ObjectBackend::CI2CILink::ImportDataSave][Line:468]: CILink: Could not create link between CIs!'
2013-07-19 15:55:22,586 DEBUG [SyslogConnection] ConvertToEvent: got syslog message org.opennms.netmgt.syslogd.SyslogMessage@7126ca3[facility=user,severity=Error,version=<null>,date=Fri Jul 19 17:55:21 CEST 2013,hostname=otrs-test,message ID=<null>,process name=OTRS-CGI-76,process ID=14364,message=[Error][Kernel::System::ImportExport::ObjectBackend::CI2CILink::ImportDataSave][Line:468]: CILink: Could not create link between CIs!]

But, in the end, for some unknown reason syslogd seems to mangle the hostname:

2013-07-19 15:55:22,590 DEBUG [SyslogConnection] SyslogMessage: Unable to resolve hostname 'OTRS-CGI-76[14364]' in syslog message.
java.lang.IllegalArgumentException: Invalid IPAddress OTRS-CGI-76[14364]
at org.opennms.core.utils.InetAddressUtils.getInetAddress(InetAddressUtils.java:168)
at org.opennms.core.utils.InetAddressUtils.addr(InetAddressUtils.java:534)
at org.opennms.netmgt.syslogd.SyslogMessage.getHostAddress(SyslogMessage.java:132)
at org.opennms.netmgt.syslogd.ConvertToEvent.make(ConvertToEvent.java:220)
at org.opennms.netmgt.syslogd.ConvertToEvent.make(ConvertToEvent.java:139)
at org.opennms.netmgt.syslogd.SyslogConnection.run(SyslogConnection.java:107)
at java.lang.Thread.run(Thread.java:662)

Here's my syslogd-configuration:

<?xml version="1.0"?>
<syslogd-configuration>
    <configuration
        syslog-port="10514"
        new-suspect-on-message="false"
        parser="org.opennms.netmgt.syslogd.CustomSyslogParser"
        forwarding-regexp="^((.+?):? (.*))\n?$"
        matching-group-host="2"
        matching-group-message="3"
        discard-uei="DISCARD-MATCHING-MESSAGES"
    />
</syslogd-configuration>

Do you have some idea about what's going wrong here?

Best regards,

Cyrille

Environment

OpenNMS Configuration
OpenNMS Version: 1.10.11-SNAPSHOT
Home Directory: /usr/share/opennms
RRD store by Group: false
Web-Application Logfiles: /var/log/opennms/webapp
Reports directory: /var/lib/opennms/reports
Jetty http host: null
Jetty http port: 80
Jetty https host: null
Jetty https port: null

System Configuration
Server Time: Tue Jul 23 16:20:38 CEST 2013
Client Time: Tue Jul 23 2013 16:20:35 GMT+0200 (Romance Standard Time)
Java Version: 1.6.0_26 Sun Microsystems Inc.
Java Virtual Machine: 20.1-b02 Sun Microsystems Inc.
Operating System: Linux 2.6.32-5-amd64 (amd64)
Servlet Container: jetty/7.5.1.v20110908 (Servlet Spec 2.5)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0

Activity

Seth Leger February 27, 2017 at 11:32 AM

I'll add a test that at least can be used to check the behavior of the message that was logged at 22,586.

Seth Leger February 27, 2017 at 11:29 AM

I've set up a unit test with these same settings and cannot reproduce the problem in the latest code. I've also reviewed the 1.10 version that this was opened against and there are no changes in the relevant sections.

I think that the exception (at timestamp 22,590) is from a different syslog message than the other logs (at timestamp 22,586) but without the content for the 22,590 message, it's impossible to reproduce this. Marking as cannot reproduce.
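The following is an added illustration, not code from the issue or from OpenNMS. It applies the forwarding-regexp and group numbers from the reporter's syslogd-configuration (Python's re engine behaves the same as Java's for this pattern) to the message body that was logged at 22,586, and then to a constructed variant of that line with the hostname field left out. The second input is an assumption about what the 22,590 message may have looked like, made to show how the lazy `(.+?)` group would then capture the process tag as the host, which is the string the exception reports. The `looks_like_process_tag` heuristic is likewise a hypothetical check, not something OpenNMS does.

```python
import re

# Values taken verbatim from the issue's syslogd-configuration.
FORWARDING_REGEXP = re.compile(r"^((.+?):? (.*))\n?$")
MATCHING_GROUP_HOST = 2
MATCHING_GROUP_MESSAGE = 3

# Message body as logged by CustomSyslogParser at 22,586 (timestamp already stripped).
LOGGED_MESSAGE = (
    "otrs-test OTRS-CGI-76[14364]: [Error][Kernel::System::ImportExport::"
    "ObjectBackend::CI2CILink::ImportDataSave][Line:468]: "
    "CILink: Could not create link between CIs!"
)

# Constructed input (not on the page): the same line with no hostname field,
# so the process tag is the first whitespace-delimited token.
HOSTLESS_MESSAGE = (
    "OTRS-CGI-76[14364]: [Error][Kernel::System::ImportExport::"
    "ObjectBackend::CI2CILink::ImportDataSave][Line:468]: "
    "CILink: Could not create link between CIs!"
)


def split_host_and_message(body):
    """Apply the forwarding regexp as the issue's config does.

    Returns (host, message) taken from matching-group-host and
    matching-group-message, or None when the body does not match.
    """
    m = FORWARDING_REGEXP.match(body)
    if m is None:
        return None
    return m.group(MATCHING_GROUP_HOST), m.group(MATCHING_GROUP_MESSAGE)


def looks_like_process_tag(host):
    """Hypothetical sanity check: a host field shaped like TAG[pid] is almost
    certainly a syslog process tag that the regexp picked up because the
    hostname field was missing. Hostnames and IP literals never end in ']'."""
    return re.fullmatch(r"[^\s\[\]]+\[\d+\]", host) is not None


if __name__ == "__main__":
    for label, body in (("logged", LOGGED_MESSAGE), ("hostless", HOSTLESS_MESSAGE)):
        host, message = split_host_and_message(body)
        flag = " (looks like a process tag, not a host)" if looks_like_process_tag(host) else ""
        print(f"{label}: host={host!r}{flag}")
        print(f"{label}: message={message[:40]!r}...")
```

Run as a script, the logged line yields host `otrs-test`, exactly as the TRACE output shows, while the constructed host-less line yields host `OTRS-CGI-76[14364]`, the same string that `InetAddressUtils.getInetAddress` rejected at 22,590. That is consistent with the comment above that the exception came from a different message; a check like `looks_like_process_tag` on the extracted host group is one way to make such lines visible before they reach hostname resolution.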

Cannot Reproduce

Details

Created July 23, 2013 at 10:27 AM
Updated March 8, 2017 at 2:31 PM
Resolved February 27, 2017 at 11:29 AM