[receiver/syslog] Syslog Receiver fails to parse long messages, even with a max_log_size set
#33182
Comments
sinkingpoint
added
bug
|
Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
sinkingpoint
changed the title
max_log_length set
sinkingpoint
changed the title
max_log_length setmax_log_size set
|
As far as I understand that part, the parser has no option the pass the Looking at this construction part non of those takes a maxsize into account. The used version of |
|
I looked into this further and found that go-syslog justifies the hard limit based on |
|
@djaglowski considering that that repo has been archived, would it make sense to fork it here? |
|
Actually I'm happy to see that the original author has recently created a fork and is making updates again! We should definitely switch in my opinion. https://github.com/leodido/go-syslog. |
|
If I'm reading this correctly, the v4 release from leodido/go-syslog allows us to fix this issue, as it contains the |
|
PR switching the dependency to the fork: #33205. |
|
Hi! I would like to pick this issue up if still available |
|
@djaglowski I went ahead and created a draft PR making use of the new option the updated library. I do have some open questions which I have added to the PR description - appreciate any feedback there |
**Description:** add `MaxLogSize` parameter to `syslog` parser. Note
that for this option to be available, `enable_octet_counting` needs to
be set to `true`, as this is an option that is exclusive to the
`octetcounting` parser in the [syslog
library](github.com/leodido/go-syslog).
One aspect where I'm not sure about yet is regarding the placement of
the `max_log_size` option: Right now, this option is also set within the
`TCP` input configuration, whereas this new option would be one layer
above, i.e. in the syslog base config. This would mean that this option
could potentially be set to different values in the parser and tcp input
config like for example:
```
receivers:
syslog:
protocol: rfc5424
enable_octet_counting: true
max_log_size: 200000000 # 200MiB
tcp:
listen_address: :4278
max_log_size: 100000000 # 100MiB
exporters:
debug:
service:
pipelines:
logs:
receivers: [syslog]
exporters: [debug]
```
For now I have implemented this in a way where if nothing is set if the
tcp input config, the max_log_size value from the syslog base config
will be used. If set in the tcp config, the tcp input will use that more
specific value. To me this makes the most sense right now, but I
appreciate any feedback on this.
**Link to tracking Issue:** #33182
**Testing:** so far added unit test for the syslog parser, will also add
some tests for the syslog input config to test the behavior described
above.
**Documentation:** TODO, will add once we have figured out all open
questions
---------
Signed-off-by: Florian Bacher <florian.bacher@dynatrace.com>
|
This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
|
Resolved by #33777. |
Component(s)
receiver/syslog
What happened?
Description
When using the syslog receiver, we can only parse messages up to the default maximum length (8192 octets), even with a
max_log_sizeset much higher.Steps to Reproduce
max_log_sizeof 100MiB)message too long to parse. was size 40366, max length 8192Expected Result
The message should parse properly
Actual Result
The message fails to parse
Collector version
v0.100.0
Environment information
Environment
OS: Debian Bookworm
OpenTelemetry Collector configuration
Log output
{"level":"error","ts":1716356887.9432147,"caller":"helper/transformer.go:101","msg":"Failed to process entry","kind":"receiver","name":"syslog/db","data_type":"logs","operator_id":"syslog_input_internal_parser","operator_type ":"syslog_parser","error":"message too long to parse. was size 40366, max length 8192","action":"send","stacktrace":"github.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/operator/helper.(*TransformerOperator).HandleEntryError\\n\\tgithub.co m/open-telemetry/opentelemetry-collector-contrib/pkg/stanza@v0.99.0/operator/helper/transformer.go:101\\ngithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/operator/helper.(*ParserOperator).ParseWith\\n\\tgithub.com/open-telemetry/opentelemetry-collect or-contrib/pkg/stanza@v0.99.0/operator/helper/parser.go:140\\ngithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/operator/helper.(*ParserOperator).ProcessWithCallback\\n\\tgithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza@v0.99.0/ope rator/helper/parser.go:112\\ngithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/operator/parser/syslog.(*Parser).Process\\n\\tgithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza@v0.99.0/operator/parser/syslog/parser.go:54\\ngithub.com/ open-telemetry/opentelemetry-collector-contrib/pkg/stanza/operator/helper.(*WriterOperator).Write\\n\\tgithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza@v0.99.0/operator/helper/writer.go:53\\ngithub.com/open-telemetry/opentelemetry-collector-contrib/p kg/stanza/operator/input/tcp.(*Input).handleMessage\\n\\tgithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza@v0.99.0/operator/input/tcp/input.go:191\\ngithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/operator/input/tcp.(*Input).goHan dleMessages.func1\\n\\tgithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza@v0.99.0/operator/input/tcp/input.go:152"}Additional context
This seems to be because we aren't parsing a value into here: https://github.com/influxdata/go-syslog/blob/66067a10754ae90b9540d5312989ae685413c4fe/octetcounting/parser.go#L46 so we get stuck with the default limit
The text was updated successfully, but these errors were encountered: