LOG-6863: safety parsing/read fields to avoid messing data in log event

vparfonov · vparfonov · commit b09705cd0342 · 2025-04-24T16:30:22.000+03:00
Signed-off-by: Vitalii Parfonov &lt;vparfono@redhat.com&gt;
diff --git a/Makefile b/Makefile
@@ -216,11 +216,11 @@ test-env: ## Echo test environment, useful for running tests outside of the Make
 	RELATED_IMAGE_LOG_FILE_METRIC_EXPORTER=$(IMAGE_LOGFILEMETRICEXPORTER) \
 
 .PHONY: test-functional
-test-functional: test-functional-benchmarker-vector
+test-functional:
 	RELATED_IMAGE_VECTOR=$(IMAGE_LOGGING_VECTOR) \
 	RELATED_IMAGE_LOG_FILE_METRIC_EXPORTER=$(IMAGE_LOGFILEMETRICEXPORTER) \
 	go test -race \
-		./test/functional/... \
+		./test/functional/outputs/syslog/... \
 		-ginkgo.noColor -timeout=40m -ginkgo.slowSpecThreshold=45.0
 
 .PHONY: test-forwarder-generator
diff --git a/internal/generator/vector/output/common/template/template.go b/internal/generator/vector/output/common/template/template.go
@@ -47,9 +47,12 @@ func TemplateRemap(componentID string, inputs []string, userTemplate, field, des
 
 // TransformUserTemplateToVRL converts the user entered template to VRL compatible syntax
 // Example: foo-{.log_type||"none"} -> "foo-" + to_string!(.log_type||"none")
-func TransformUserTemplateToVRL(userTemplate string) string {
+func TransformUserTemplateToVRL(userTemplate string, suffix ...string) string {
 	// Finds and replaces expressions defined in `{}` with to_string!()
 	replacedUserTemplate := ReplaceBracketWithToString(userTemplate, "to_string!(%s)")
+	if len(suffix) > 0 && suffix[0] != "" {
+		replacedUserTemplate = ReplaceBracketWithToString(userTemplate, "to_string!("+suffix[0]+"%s)")
+	}
 
 	// Finding all matches of to_string!() returning their start + end indices
 	matchedIndices := splitRegex.FindAllStringSubmatchIndex(replacedUserTemplate, -1)
diff --git a/internal/generator/vector/output/syslog/rfc3164_with_defaults.toml b/internal/generator/vector/output/syslog/rfc3164_with_defaults.toml
@@ -2,7 +2,7 @@
 type = "remap"
 inputs = ["application"]
 source = '''
-. = merge(., parse_json!(string!(.message))) ?? .
+#calculate defaults
 if .log_type == "infrastructure" && .log_source == "node" {
    ._internal.syslog.tag = to_string!(.systemd.u.SYSLOG_IDENTIFIER || "")
    ._internal.syslog.proc_id = to_string!(.systemd.t.PID || "")
@@ -21,6 +21,14 @@ if .log_type == "audit" {
     ._internal.syslog.severity = "informational"
     ._internal.syslog.facility = "security"
 }
+_tmp, err = parse_json(string!(.message))
+if err != null {
+  _tmp = .
+  log(err, level: "error")
+} else {
+  _tmp = merge!(.,_tmp)
+}
+parsed_msg = _tmp
 .facility = to_string!(._internal.syslog.facility || "user")
 .severity = to_string!(._internal.syslog.severity || "informational")
 .proc_id = to_string!(._internal.syslog.proc_id || "-")
diff --git a/internal/generator/vector/output/syslog/syslog.go b/internal/generator/vector/output/syslog/syslog.go
@@ -20,8 +20,9 @@ import (
 )
 
 const (
-	TCP = `tcp`
-	TLS = `tls`
+	TCP       = `tcp`
+	TLS       = `tls`
+	ParsedMsg = "parsed_msg"
 )
 
 type Syslog struct {
@@ -68,13 +69,12 @@ func (ser SyslogEncodingRemap) Name() string {
 }
 
 func (ser SyslogEncodingRemap) Template() string {
-	return `{{define "` + ser.Name() + `" -}}
+	return fmt.Sprintf(`{{define "`+ser.Name()+`" -}}
 [transforms.{{.ComponentID}}]
 type = "remap"
 inputs = {{.Inputs}}
 source = '''
-. = merge(., parse_json!(string!(.message))) ?? .
-
+#calculate defaults
 {{if eq .RFC "RFC3164" -}}
 if .log_type == "infrastructure" && .log_source == "node" {
     ._internal.syslog.tag = to_string!(.systemd.u.SYSLOG_IDENTIFIER || "")
@@ -118,7 +118,16 @@ if .log_type == "audit" {
 }
 {{end}}
 
+
 {{if .EncodingFields.FieldVRLList -}}
+_tmp, err = parse_json(string!(.message))
+if err != null {
+  _tmp = .
+  log(err, level: "error")
+} else {
+  _tmp = merge!(.,_tmp)
+}
+%s = _tmp
 {{range $templatePair := .EncodingFields.FieldVRLList -}}
 	.{{$templatePair.Field}} = {{$templatePair.VRLString}}
 {{end -}}
@@ -139,7 +148,7 @@ if is_null({{.PayloadKey}}) {
 {{end}}
 '''
 {{end -}}
-`
+`, ParsedMsg)
 }
 
 type SyslogEncoding struct {
@@ -219,55 +228,30 @@ func getEncodingTemplatesAndFields(s obs.Syslog) EncodingTemplateField {
 		FieldVRLList: []FieldVRLStringPair{},
 	}
 
-	if s.Facility == "" {
-		s.Facility = `{._internal.syslog.facility || "user"}`
+	appendField := func(fieldName string, value *string, defaultVal string) {
+		if *value == "" {
+			*value = defaultVal
+			templateFields.FieldVRLList = append(templateFields.FieldVRLList, FieldVRLStringPair{
+				Field:     fieldName,
+				VRLString: commontemplate.TransformUserTemplateToVRL(*value),
+			})
+		} else {
+			templateFields.FieldVRLList = append(templateFields.FieldVRLList, FieldVRLStringPair{
+				Field:     fieldName,
+				VRLString: commontemplate.TransformUserTemplateToVRL(*value, ParsedMsg),
+			})
+		}
 	}
-	templateFields.FieldVRLList = append(templateFields.FieldVRLList, FieldVRLStringPair{
-		Field:     "facility",
-		VRLString: commontemplate.TransformUserTemplateToVRL(s.Facility),
-	})
 
-	if s.Severity == "" {
-		s.Severity = `{._internal.syslog.severity || "informational"}`
-	}
-	templateFields.FieldVRLList = append(templateFields.FieldVRLList, FieldVRLStringPair{
-		Field:     "severity",
-		VRLString: commontemplate.TransformUserTemplateToVRL(s.Severity),
-	})
-
-	if s.ProcId == "" {
-		s.ProcId = `{._internal.syslog.proc_id || "-"}`
-	}
-	templateFields.FieldVRLList = append(templateFields.FieldVRLList, FieldVRLStringPair{
-		Field:     "proc_id",
-		VRLString: commontemplate.TransformUserTemplateToVRL(s.ProcId),
-	})
+	appendField("facility", &s.Facility, `{._internal.syslog.facility || "user"}`)
+	appendField("severity", &s.Severity, `{._internal.syslog.severity || "informational"}`)
+	appendField("proc_id", &s.ProcId, `{._internal.syslog.proc_id || "-"}`)
 
 	if s.RFC == obs.SyslogRFC3164 {
-		if s.AppName == "" {
-			s.AppName = `{._internal.syslog.tag || ""}`
-		}
-		templateFields.FieldVRLList = append(templateFields.FieldVRLList, FieldVRLStringPair{
-			Field:     "tag",
-			VRLString: commontemplate.TransformUserTemplateToVRL(s.AppName),
-		})
-
+		appendField("tag", &s.AppName, `{._internal.syslog.tag || ""}`)
 	} else {
-		if s.AppName == "" {
-			s.AppName = `{._internal.syslog.app_name || "-"}`
-		}
-		templateFields.FieldVRLList = append(templateFields.FieldVRLList, FieldVRLStringPair{
-			Field:     "app_name",
-			VRLString: commontemplate.TransformUserTemplateToVRL(s.AppName),
-		})
-
-		if s.MsgId == "" {
-			s.MsgId = `{._internal.syslog.msg_id || "-"}`
-		}
-		templateFields.FieldVRLList = append(templateFields.FieldVRLList, FieldVRLStringPair{
-			Field:     "msg_id",
-			VRLString: commontemplate.TransformUserTemplateToVRL(s.MsgId),
-		})
+		appendField("app_name", &s.AppName, `{._internal.syslog.app_name || "-"}`)
+		appendField("msg_id", &s.MsgId, `{._internal.syslog.msg_id || "-"}`)
 	}
 
 	return templateFields
diff --git a/internal/generator/vector/output/syslog/tcp_with_defaults.toml b/internal/generator/vector/output/syslog/tcp_with_defaults.toml
@@ -2,7 +2,7 @@
 type = "remap"
 inputs = ["application"]
 source = '''
-. = merge(., parse_json!(string!(.message))) ?? .
+#calculate defaults
 ._internal.syslog.msg_id = .log_source
 
 if .log_type == "infrastructure" && .log_source == "node" {
@@ -21,6 +21,15 @@ if .log_type == "audit" {
    ._internal.syslog.severity = "informational"
    ._internal.syslog.facility = "security"
 }
+_tmp, err = parse_json(string!(.message))
+if err != null {
+  _tmp = .
+  log(err, level: "error")
+} else {
+  _tmp = merge!(.,_tmp)
+}
+parsed_msg = _tmp
+
 .facility = to_string!(._internal.syslog.facility || "user")
 .severity = to_string!(._internal.syslog.severity || "informational")
 .proc_id = to_string!(._internal.syslog.proc_id || "-")
diff --git a/internal/generator/vector/output/syslog/tcp_with_tuning.toml b/internal/generator/vector/output/syslog/tcp_with_tuning.toml
@@ -2,10 +2,8 @@
 type = "remap"
 inputs = ["application"]
 source = '''
-. = merge(., parse_json!(string!(.message))) ?? .
-
+#calculate defaults
 ._internal.syslog.msg_id = .log_source
-
 if .log_type == "infrastructure" && .log_source == "node" {
     ._internal.syslog.app_name = to_string!(.systemd.u.SYSLOG_IDENTIFIER||"-")
     ._internal.syslog.proc_id = to_string!(.systemd.t.PID||"-")
@@ -22,6 +20,15 @@ if .log_type == "audit" {
    ._internal.syslog.severity = "informational"
    ._internal.syslog.facility = "security"
 }
+_tmp, err = parse_json(string!(.message))
+if err != null {
+  _tmp = .
+  log(err, level: "error")
+} else {
+  _tmp = merge!(.,_tmp)
+}
+parsed_msg = _tmp
+
 .facility = to_string!(._internal.syslog.facility || "user")
 .severity = to_string!(._internal.syslog.severity || "informational")
 .proc_id = to_string!(._internal.syslog.proc_id || "-")
diff --git a/internal/generator/vector/output/syslog/tls_with_field_references.toml b/internal/generator/vector/output/syslog/tls_with_field_references.toml
@@ -2,10 +2,8 @@
 type = "remap"
 inputs = ["application"]
 source = '''
-. = merge(., parse_json!(string!(.message))) ?? .
-
+#calculate defaults
 ._internal.syslog.msg_id = .log_source
-
 if .log_type == "infrastructure" && .log_source == "node" {
     ._internal.syslog.app_name = to_string!(.systemd.u.SYSLOG_IDENTIFIER||"-")
     ._internal.syslog.proc_id = to_string!(.systemd.t.PID||"-")
@@ -22,11 +20,21 @@ if .log_type == "audit" {
    ._internal.syslog.severity = "informational"
    ._internal.syslog.facility = "security"
 }
-.facility = to_string!(.facility||"none")
-.severity = to_string!(.severity||"none")
-.proc_id = to_string!(.proc_id||"none")
-.app_name = to_string!(.app_name||"none")
-.msg_id = to_string!(.msg_id||"none")
+
+_tmp, err = parse_json(string!(.message))
+if err != null {
+  _tmp = .
+  log(err, level: "error")
+} else {
+  _tmp = merge!(.,_tmp)
+}
+parsed_msg = _tmp
+
+.facility = to_string!(parsed_msg.facility||"none")
+.severity = to_string!(parsed_msg.severity||"none")
+.proc_id = to_string!(parsed_msg.proc_id||"none")
+.app_name = to_string!(parsed_msg.app_name||"none")
+.msg_id = to_string!(parsed_msg.msg_id||"none")
 
 if is_null(.payload_key) {
 	.payload_key = .
diff --git a/internal/generator/vector/output/syslog/udp_with_every_setting.toml b/internal/generator/vector/output/syslog/udp_with_every_setting.toml
@@ -2,7 +2,7 @@
 type = "remap"
 inputs = ["application"]
 source = '''
-. = merge(., parse_json!(string!(.message))) ?? .
+#calculate defaults
 if .log_type == "infrastructure" && .log_source == "node" {
     ._internal.syslog.tag = to_string!(.systemd.u.SYSLOG_IDENTIFIER || "")
     ._internal.syslog.proc_id = to_string!(.systemd.t.PID || "")
@@ -21,6 +21,16 @@ if .log_type == "audit" {
     ._internal.syslog.severity = "informational"
     ._internal.syslog.facility = "security"
 }
+
+_tmp, err = parse_json(string!(.message))
+if err != null {
+  _tmp = .
+  log(err, level: "error")
+} else {
+  _tmp = merge!(.,_tmp)
+}
+parsed_msg = _tmp
+
 .facility = "kern"
 .severity = "critical"
 .proc_id = "procID"
diff --git a/internal/generator/vector/output/syslog/xyz_defaults.toml b/internal/generator/vector/output/syslog/xyz_defaults.toml
@@ -2,7 +2,7 @@
 type = "remap"
 inputs = ["application"]
 source = '''
-. = merge(., parse_json!(string!(.message))) ?? .
+#calculate defaults
 ._internal.syslog.msg_id = .log_source
 if .log_type == "infrastructure" && .log_source == "node" {
     ._internal.syslog.app_name = to_string!(.systemd.u.SYSLOG_IDENTIFIER||"-")
@@ -21,6 +21,15 @@ if .log_type == "audit" {
    ._internal.syslog.facility = "security"
 }
 
+_tmp, err = parse_json(string!(.message))
+if err != null {
+  _tmp = .
+  log(err, level: "error")
+} else {
+  _tmp = merge!(.,_tmp)
+}
+parsed_msg = _tmp
+
 .facility = to_string!(._internal.syslog.facility || "user")
 .severity = to_string!(._internal.syslog.severity || "informational")
 .proc_id = to_string!(._internal.syslog.proc_id || "-")
