syslog date parsing fails in non-English locales

Description

OpenNMS hasn't created events from my syslog messages since the upgrade to 1.10.

Here's syslogd-configuration.xml:

root@opennms:/etc/opennms/syslog# cat ../syslogd-configuration.xml
<?xml version="1.0"?>
<syslogd-configuration>
<configuration
syslog-port="10514"
new-suspect-on-message="false"
parser="org.opennms.netmgt.syslogd.CustomSyslogParser"
forwarding-regexp="^((.+?) (.*))\n?$"
matching-group-host="2"
matching-group-message="3"
discard-uei="DISCARD-MATCHING-MESSAGES"
/>

<!--
</snip>
-->

<import-file>syslog/ApacheHTTPD.syslog.xml</import-file>
<import-file>syslog/LinuxKernel.syslog.xml</import-file>
<import-file>syslog/OpenSSH.syslog.xml</import-file>
<import-file>syslog/Sudo.syslog.xml</import-file>
<import-file>syslog/Belnet.xml</import-file>
<!-- <import-file>syslog/DiscardAll.xml</import-file> -->

<hideMessage>
<hideMatch>
<match type="substr" expression="TEST"/>
</hideMatch>
</hideMessage>

And here's a trace of syslogd when receiving a syslog message:

012-03-14 17:10:20,711 DEBUG [Syslog Event Receiver[0.0.0.0:10514]] SyslogReceiver: Wating on a datagram to arrive
2012-03-14 17:10:20,712 DEBUG [SyslogConnection] ConvertToEvent: Converting to event: org.opennms.netmgt.syslogd.ConvertToEvent@7fd38ffc[Sender=....,Port=45961,Acknowledged Events=[],Event=<null>]
2012-03-14 17:10:20,713 TRACE [SyslogConnection] CustomSyslogParser: priority code = 81
2012-03-14 17:10:20,713 TRACE [SyslogConnection] CustomSyslogParser: message = Mar 14 17:10:25 petrus sudo: cyrille : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/cyrille ; USER=root ; COMMAND=/usr/bin/vi /etc/aliases
2012-03-14 17:10:20,713 TRACE [SyslogConnection] CustomSyslogParser: stdMsg = true
2012-03-14 17:10:20,713 TRACE [SyslogConnection] CustomSyslogParser: timestamp = Mar 14 17:10:25
2012-03-14 17:10:20,713 DEBUG [SyslogConnection] CustomSyslogParser: Unable to parse date 'Mar 14 17:10:25'
java.text.ParseException: Unparseable date: "Mar 14 17:10:25"
at java.text.DateFormat.parse(DateFormat.java:337)
at org.opennms.netmgt.syslogd.SyslogParser.parseDate(SyslogParser.java:120)
at org.opennms.netmgt.syslogd.CustomSyslogParser.parse(CustomSyslogParser.java:139)
at org.opennms.netmgt.syslogd.ConvertToEvent.make(ConvertToEvent.java:200)
at org.opennms.netmgt.syslogd.ConvertToEvent.make(ConvertToEvent.java:139)
at org.opennms.netmgt.syslogd.SyslogConnection.run(SyslogConnection.java:107)
at java.lang.Thread.run(Thread.java:662)
2012-03-14 17:10:20,714 TRACE [SyslogConnection] CustomSyslogParser: message = petrus sudo: cyrille : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/cyrille ; USER=root ; COMMAND=/usr/bin/vi /etc/aliases
2012-03-14 17:10:20,714 TRACE [SyslogConnection] CustomSyslogParser: pattern = ^((.+?) (.*))\n?$
2012-03-14 17:10:20,714 TRACE [SyslogConnection] CustomSyslogParser: host group = 2
2012-03-14 17:10:20,714 TRACE [SyslogConnection] CustomSyslogParser: message group = 3
2012-03-14 17:10:20,714 TRACE [SyslogConnection] CustomSyslogParser: Syslog message 'petrus sudo: cyrille : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/cyrille ; USER=root ; COMMAND=/usr/bin/vi /etc/aliases' matched regexp '^((.+?) (.*))\n?$'
2012-03-14 17:10:20,714 TRACE [SyslogConnection] CustomSyslogParser: Found host 'petrus'
2012-03-14 17:10:20,714 TRACE [SyslogConnection] CustomSyslogParser: Found message 'sudo: cyrille : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/cyrille ; USER=root ; COMMAND=/usr/bin/vi /etc/aliases'
2012-03-14 17:10:20,714 DEBUG [SyslogConnection] ConvertToEvent: got syslog message org.opennms.netmgt.syslogd.SyslogMessage@1a922af4[facility=authpriv,severity=Alert,version=<null>,date=<null>,hostname=petrus,message ID=<null>,process name=sudo,process ID=0,message= cyrille : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/cyrille ; USER=root ; COMMAND=/usr/bin/vi /etc/aliases]

Thanks for the help,

Cyrille

Activity

Benjamin Reed March 19, 2012 at 12:47 PM

Turns out it was a locale issue; I set the locale on all the DateFormat objects to Locale.ROOT and then things parse correctly.

Cyrille Bollu March 19, 2012 at 8:19 AM

Hi Benjamin,

I've until now pasted extracts of the syslogd.log file. But there's also another log in output.log.

Whenever OpenNMS processes a new syslog message, I get the following lines in output.log:

Exception in thread "SyslogConnection" java.lang.NullPointerException
at java.util.Calendar.setTime(Calendar.java:1075)
at java.text.SimpleDateFormat.format(SimpleDateFormat.java:876)
at java.text.SimpleDateFormat.format(SimpleDateFormat.java:869)
at java.text.DateFormat.format(DateFormat.java:316)
at org.opennms.netmgt.EventConstants.formatToString(EventConstants.java:1185)
at org.opennms.netmgt.model.events.EventBuilder.setCreationTime(EventBuilder.java:139)
at org.opennms.netmgt.syslogd.ConvertToEvent.make(ConvertToEvent.java:215)
at org.opennms.netmgt.syslogd.ConvertToEvent.make(ConvertToEvent.java:139)
at org.opennms.netmgt.syslogd.SyslogConnection.run(SyslogConnection.java:107)
at java.lang.Thread.run(Thread.java:662)

I think some error handling might be missing in ConvertToEvent to handle the case where the parser couldn't get the syslog message's date.

BR,

Cyrille
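As an added illustration of the two points raised in this thread, Benjamin's Locale.ROOT fix and the null date that reaches DateFormat.format() in the output.log trace (example code written here, not OpenNMS's own; class and method names are hypothetical). It assumes a French default locale, which the French apt-cache output above suggests, and that a year-less RFC 3164 timestamp belongs to the current year.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.Locale;

public class SyslogDateDemo {
    // RFC 3164 timestamp as seen in the trace: English month abbreviation, no year.
    private static final String PATTERN = "MMM dd HH:mm:ss";

    /** Parse with an explicit locale. Returns null instead of throwing, which is
     *  what the trace shows the parser doing after "Unable to parse date". */
    static Date parseTimestamp(String ts, Locale locale) {
        SimpleDateFormat fmt = new SimpleDateFormat(PATTERN, locale);
        try {
            Date d = fmt.parse(ts);
            // The timestamp carries no year, so SimpleDateFormat defaults to 1970;
            // assumption: the message is from the current year, so copy that in.
            Calendar cal = Calendar.getInstance();
            int year = cal.get(Calendar.YEAR);
            cal.setTime(d);
            cal.set(Calendar.YEAR, year);
            return cal.getTime();
        } catch (ParseException e) {
            return null;
        }
    }

    /** The guard missing in the output.log trace: a null date must not reach
     *  DateFormat.format(), which dereferences it inside Calendar.setTime(). */
    static Date creationTimeOrNow(Date parsed) {
        return parsed != null ? parsed : new Date();
    }

    public static void main(String[] args) {
        String ts = "Mar 14 17:10:25";
        // Under a French default locale "Mar" is not a month name ("mars" is): null.
        Date viaFrench = parseTimestamp(ts, Locale.FRENCH);
        // Locale.ROOT uses the English names syslog actually emits: parses.
        Date viaRoot = parseTimestamp(ts, Locale.ROOT);
        System.out.println("Locale.FRENCH -> " + viaFrench);
        System.out.println("Locale.ROOT   -> " + viaRoot);
        System.out.println("creation time -> " + creationTimeOrNow(viaFrench));
    }
}
```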

Cyrille Bollu March 16, 2012 at 10:52 AM

Nope. That's a paste issue on Jira; my regexes do contain the asterisks.

Could you provide me with a syslogd.log trace of a matching syslog message? I believe it would help me solve this issue.

BR,

Cyrille

Benjamin Reed March 16, 2012 at 9:14 AM

Dunno about the other parsing issues, but this definitely won't match:

<match type="regex" expression="^sudo:\s+(.?) : user NOT in sudoers ; TTY=(.?) ; PWD=(.?) ; USER=(.?) ; COMMAND=(.*?)$" />
<match type="regex" expression="^(.?) : user NOT in sudoers ; TTY=(.?) ; PWD=(.?) ; USER=(.?) ; COMMAND=(.*?)$" />

You're doing ".?" in your regexes, which means it will match 0 or 1 of any character. You need ".*?" (note the asterisk).
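To make the quantifier difference concrete against the message body the parser logged above (an added example, not part of the thread; class and method names are hypothetical): the pattern as pasted and the pattern with the asterisks are both applied to the same sudo message.

```java
import java.util.Arrays;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SudoMatchDemo {
    // Body from the "Found message" trace line, minus the "sudo: " process prefix.
    static final String MSG =
        "cyrille : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/cyrille ; USER=root ; COMMAND=/usr/bin/vi /etc/aliases";

    // As pasted: ".?" is at most one character, so "cyrille" can never fit group 1.
    static final Pattern BROKEN = Pattern.compile(
        "^(.?) : user NOT in sudoers ; TTY=(.?) ; PWD=(.?) ; USER=(.?) ; COMMAND=(.*?)$");

    // With the asterisks: ".*?" is any run of characters, shortest match first.
    static final Pattern FIXED = Pattern.compile(
        "^(.*?) : user NOT in sudoers ; TTY=(.*?) ; PWD=(.*?) ; USER=(.*?) ; COMMAND=(.*?)$");

    /** Captured groups (invoking user, tty, cwd, target user, command), or null on no match. */
    static String[] extract(Pattern p, String msg) {
        Matcher m = p.matcher(msg);
        if (!m.matches()) return null;
        String[] groups = new String[m.groupCount()];
        for (int i = 0; i < groups.length; i++) groups[i] = m.group(i + 1);
        return groups;
    }

    public static void main(String[] args) {
        System.out.println("as pasted      : " + Arrays.toString(extract(BROKEN, MSG)));
        System.out.println("with asterisks : " + Arrays.toString(extract(FIXED, MSG)));
    }
}
```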

Cyrille Bollu March 16, 2012 at 4:40 AM

Unfortunately, it still doesn't work with the nightly snapshot:

root@opennms:/etc/opennms# apt-cache policy opennms
opennms:
Installé : 1.10.1-0.20120315.34
Candidat : 1.10.1-0.20120315.34
Table de version :

I've tried both of the following regexes without success:

<match type="regex" expression="^sudo:\s+(.?) : user NOT in sudoers ; TTY=(.?) ; PWD=(.?) ; USER=(.?) ; COMMAND=(.*?)$" />
<match type="regex" expression="^(.?) : user NOT in sudoers ; TTY=(.?) ; PWD=(.?) ; USER=(.?) ; COMMAND=(.*?)$" />

All that I get is still:

2012-03-16 09:35:49,003 DEBUG [Syslog Event Receiver[0.0.0.0:10514]] SyslogReceiver: Wating on a datagram to arrive
2012-03-16 09:35:49,009 DEBUG [SyslogConnection] ConvertToEvent: Converting to event: org.opennms.netmgt.syslogd.ConvertToEvent@4048cfeb[Sender=petrus....,Port=52058,Acknowledged Events=[],Event=<null>]
2012-03-16 09:35:49,013 TRACE [SyslogConnection] CustomSyslogParser: priority code = 81
2012-03-16 09:35:49,013 TRACE [SyslogConnection] CustomSyslogParser: message = Mar 16 09:36:00 petrus sudo: cyrille : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/cyrille ; USER=root ; COMMAND=/usr/bin/vi /etc/aliases
2012-03-16 09:35:49,014 TRACE [SyslogConnection] CustomSyslogParser: stdMsg = true
2012-03-16 09:35:49,014 TRACE [SyslogConnection] CustomSyslogParser: timestamp = Mar 16 09:36:00
2012-03-16 09:35:49,015 DEBUG [SyslogConnection] CustomSyslogParser: Unable to parse date 'Mar 16 09:36:00'
java.text.ParseException: Unparseable date: "Mar 16 09:36:00"
at java.text.DateFormat.parse(DateFormat.java:337)
at org.opennms.netmgt.syslogd.SyslogParser.parseDate(SyslogParser.java:119)
at org.opennms.netmgt.syslogd.CustomSyslogParser.parse(CustomSyslogParser.java:139)
at org.opennms.netmgt.syslogd.ConvertToEvent.make(ConvertToEvent.java:200)
at org.opennms.netmgt.syslogd.ConvertToEvent.make(ConvertToEvent.java:139)
at org.opennms.netmgt.syslogd.SyslogConnection.run(SyslogConnection.java:107)
at java.lang.Thread.run(Thread.java:662)
2012-03-16 09:35:49,015 TRACE [SyslogConnection] CustomSyslogParser: message = petrus sudo: cyrille : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/cyrille ; USER=root ; COMMAND=/usr/bin/vi /etc/aliases
2012-03-16 09:35:49,015 TRACE [SyslogConnection] CustomSyslogParser: pattern = ^((.+?) (.*))\n?$
2012-03-16 09:35:49,015 TRACE [SyslogConnection] CustomSyslogParser: host group = 2
2012-03-16 09:35:49,015 TRACE [SyslogConnection] CustomSyslogParser: message group = 3
2012-03-16 09:35:49,015 TRACE [SyslogConnection] CustomSyslogParser: Syslog message 'petrus sudo: cyrille : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/cyrille ; USER=root ; COMMAND=/usr/bin/vi /etc/aliases' matched regexp '^((.+?) (.*))\n?$'
2012-03-16 09:35:49,015 TRACE [SyslogConnection] CustomSyslogParser: Found host 'petrus'
2012-03-16 09:35:49,015 TRACE [SyslogConnection] CustomSyslogParser: Found message 'sudo: cyrille : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/cyrille ; USER=root ; COMMAND=/usr/bin/vi /etc/aliases'
2012-03-16 09:35:49,015 DEBUG [SyslogConnection] ConvertToEvent: got syslog message org.opennms.netmgt.syslogd.SyslogMessage@5b85ec5d[facility=authpriv,severity=Alert,version=<null>,date=<null>,hostname=petrus,message ID=<null>,process name=sudo,process ID=0,message=cyrille : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/cyrille ; USER=root ; COMMAND=/usr/bin/vi /etc/aliases]

I will be in training for the next 4 hours, but will try to catch you on IRC afterwards.

BR,

Cyrille

Fixed

Created March 14, 2012 at 12:50 PM
Updated January 27, 2017 at 4:21 PM
Resolved March 19, 2012 at 12:47 PM