From 5d63f66fee9ffe21dbd8c7dbb0a15dfc691a4845 Mon Sep 17 00:00:00 2001
From: Mark Nellemann
Date: Tue, 6 Oct 2020 05:10:19 +0200
Subject: [PATCH] Improve rfc3164 parser.
---
 .../biz/nellemann/syslogd/SyslogParser.java | 42 +++++++------------
 .../nellemann/syslogd/SyslogParserTest.groovy | 18 +++++++-
 2 files changed, 31 insertions(+), 29 deletions(-)
diff --git a/src/main/java/biz/nellemann/syslogd/SyslogParser.java b/src/main/java/biz/nellemann/syslogd/SyslogParser.java
index b6397c8..528cfd6 100644
--- a/src/main/java/biz/nellemann/syslogd/SyslogParser.java
+++ b/src/main/java/biz/nellemann/syslogd/SyslogParser.java
@@ -37,30 +37,29 @@ public class SyslogParser { public static SyslogMessage parseRfc3164(final String input) throws NumberFormatException { - Pattern pattern = Pattern.compile("^<(\\d{1,3})>(\\D{3}\\s+\\d{1,2} \\d{2}:\\d{2}:\\d{2})\\s+(?:Message forwarded from )?([^\\s:]+):?\\s+(\\S+): (.*)", Pattern.CASE_INSENSITIVE); + Pattern pattern = Pattern.compile("^<(\\d{1,3})>(\\D{3}\\s+\\d{1,2} \\d{2}:\\d{2}:\\d{2})\\s+(Message forwarded from \\S+:|\\S+)\\s+(\\S+): (.*)", Pattern.CASE_INSENSITIVE); Matcher matcher = pattern.matcher(input); boolean matchFound = matcher.find(); if(!matchFound) { - log.warn("parseRfc3164() - Match not found in: " + input); + //log.warn("parseRfc3164() - Match not found in: "); + System.err.println("!" + input); return null; } - final String pri = matcher.group(1); - final String date = matcher.group(2); - final String hostname = matcher.group(3); - final String application = matcher.group(4); - final String message = matcher.group(5); + String pri = matcher.group(1); + String date = matcher.group(2); + String hostname = matcher.group(3); + String application = matcher.group(4); + String message = matcher.group(5); - log.debug("PRI: " + pri); - log.debug("DATE: " + date); - log.debug("HOST: " + hostname); - log.debug("APP: " + application); - log.debug("MSG: " + message); + if(hostname.endsWith(":")) { + String[] tmp = hostname.split(" "); + hostname = tmp[tmp.length-1]; + hostname = hostname.substring(0, hostname.length()-1); + } Integer facility = getFacility(pri); Integer severity = getSeverity(pri); - log.debug("facility: " + facility); - log.debug("severity: " + severity); SyslogMessage syslogMessage = new SyslogMessage(message.trim()); syslogMessage.facility = Facility.getByNumber(facility); 
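Review bot: The no-match branch now writes the raw, unparsed message to stderr with `System.err.println("!" + input);`, so text that presumably arrives from arbitrary syslog senders reaches the console or service journal unescaped and outside the logger's level and appender settings; the same line is added to parseRfc5424 in the next hunk. CR/LF or terminal escape bytes embedded in `input` can forge or corrupt the lines an operator reads, and whoever sends unparseable messages controls how much gets written. Keep the logger and neutralise control characters instead, for example `log.warn("parseRfc3164() - Match not found in: " + input.replaceAll("\\p{Cntrl}", "?"));`, and delete the commented-out call rather than leaving it beside the replacement. The body of parseRfc3164 continues past the end of this hunk.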
@@ -79,7 +78,8 @@ public class SyslogParser { Matcher matcher = pattern.matcher(input); boolean matchFound = matcher.find(); if(!matchFound) { - log.warn("parseRfc5424() - Match not found in: " + input); + //log.warn("parseRfc5424() - Match not found in: " + input); + System.err.println("!" + input); return null; } @@ -93,20 +93,8 @@ public class SyslogParser { final String data = matcher.group(8); final String msg = matcher.group(9); - log.debug("PRI: " + pri); - log.debug("VER: " + ver); - log.debug("DATE: " + date); - log.debug("HOST: " + host); - log.debug("APP: " + app); - log.debug("PROCID: " + procId); - log.debug("MSGID: " + msgId); - log.debug("DATA: " + data); - log.debug("MSG: " + msg); - Integer facility = getFacility(pri); Integer severity = getSeverity(pri); - log.debug("facility: " + facility); - log.debug("severity: " + severity); SyslogMessage syslogMessage = new SyslogMessage(msg.trim()); syslogMessage.facility = Facility.getByNumber(facility); diff --git a/src/test/groovy/biz/nellemann/syslogd/SyslogParserTest.groovy b/src/test/groovy/biz/nellemann/syslogd/SyslogParserTest.groovy index 5c21140..9dd21bd 100644 --- a/src/test/groovy/biz/nellemann/syslogd/SyslogParserTest.groovy +++ b/src/test/groovy/biz/nellemann/syslogd/SyslogParserTest.groovy @@ -2,8 +2,6 @@ package biz.nellemann.syslogd import spock.lang.Specification import java.time.Instant -import java.time.OffsetDateTime; - class SyslogParserTest extends Specification { void "test rfc5424 message"() { 
@@ -59,6 +57,20 @@ class SyslogParserTest extends Specification { msg.message == "mark : TTY=pts/1 ; PWD=/etc/rsyslog.d ; USER=root ; COMMAND=/usr/sbin/service rsyslog restart" } + /* + void "test gdm-session message"() { + setup: + String input = "<12>Oct 5 18:31:01 xps13 /usr/lib/gdm3/gdm-x-session[1921]: (EE) event5 - CUST0001:00 06CB:76AF Touchpad: kernel bug: Touch jump detected and discarded." + + when: + SyslogMessage msg = SyslogParser.parseRfc3164(input) + + then: + msg.application == "/usr/lib/gdm3/gdm-x-session[1921]" + msg.message == "(EE) event5 - CUST0001:00 06CB:76AF Touchpad: kernel bug: Touch jump detected and discarded." + }*/ + + void "test parseRfc3164Timestamp"() { setup: @@ -87,3 +99,5 @@ class SyslogParserTest extends Specification { } +import java.time.OffsetDateTime; +
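Review bot: The added "test gdm-session message" feature is wrapped in `/* … */`, so it never runs and asserts nothing about the rewritten rfc3164 pattern. The visible hunks also add no test for the new `Message forwarded from <host>:` hostname branch or for input that fails to match, which are the paths this commit changes. If the feature fails today, keep it compiled and mark it with Spock's `@Ignore("reason")` or `@PendingFeature` instead of commenting it out, so the gap shows up in test reports.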
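Review bot: The `import java.time.OffsetDateTime;` line added after the class's closing brace is the same import that the first hunk of this file removes from the header, so it appears to have been moved rather than deleted. If nothing in the spec still uses OffsetDateTime (not determinable from the visible hunks), drop the line; otherwise keep it with the other imports at the top of the file, where readers and tooling expect it.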