I use opentelemetry-collector (contrib 0.82.0) and syslogreceiver. I'm getting error parsed value was not rfc3164 or rfc5424 compliant for some logs:
{
"level": "error",
"ts": 1693341000.02045,
"caller": "helper/transformer.go:99",
"msg": "Failed to process entry",
"kind": "receiver",
"name": "syslog",
"data_type": "logs",
"operator_id": "syslog_input_internal_parser",
"operator_type": "syslog_parser",
"error": "parsed value was not rfc3164 or rfc5424 compliant",
"action": "send",
"entry": {
"observed_timestamp": "2023-08-29T20:30:00.020397777Z",
"timestamp": "0001-01-01T00:00:00Z",
"body": "<7>Aug 29 16:30:00 dev app-logs: 2023-08-29 20:29:11,604 [app] ERROR error log\\n\tat backtrace",
"severity": 0,
"scope_name": ""
},
"stacktrace": "github.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/operator/helper.(*TransformerOperator).HandleEntryError\n\tgithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/[email protected]/operator/helper/transformer.go:99\ngithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/operator/helper.(*ParserOperator).ParseWith\n\tgithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/[email protected]/operator/helper/parser.go:140\ngithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/operator/helper.(*ParserOperator).ProcessWithCallback\n\tgithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/[email protected]/operator/helper/parser.go:112\ngithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/operator/parser/syslog.(*Parser).Process\n\tgithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/[email protected]/operator/parser/syslog/syslog.go:153\ngithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/operator/helper.(*WriterOperator).Write\n\tgithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/[email protected]/operator/helper/writer.go:53\ngithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/operator/input/tcp.(*Input).handleMessage\n\tgithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/[email protected]/operator/input/tcp/tcp.go:321\ngithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/stanza/operator/input/tcp.(*Input).goHandleMessages.func1\n\tgithub.com/open-telemetry/opentelemetry-collector-contrib/pkg/[email protected]/operator/input/tcp/tcp.go:282"
}
Root cause is that log body message contains non printable characters (e.g. tabs in Java backtrace), which is violation of RFC3164. Problem is that I can't configure sender to follow RFC3164.
Can I configure some operator in syslog receiver, which will preprocess body message before real syslog RFC3164 collector parser to avoid this problem? I would say simple replace of \t -> \\t will be a solution.
Of course processor are designed for data modification, but I can't use any processor here, because problem is on the receiver level.
You can receive logs using the tcp or udp receiver, preprocess using operators, and then pass the data to the syslog_parser operator.
The following receiver configs are equivalent except that the second allows for preprocessing:
receivers:
syslog:
tcp:
listen_address: ...
protocol: ...
tcplog:
listen_address: ...
operators:
# preprocess here
- syslog_parser:
protocol: ...
Tou can use the add operator to reformat and overwrite the log's body. Like many other operators, the add operator supports an expression language which contains a replace function.
receivers:
tcplog:
listen_address: ...
operators:
- type: add
field: body
value: EXPR(replace(body, '\t', '\\t'))
- type: syslog_parser
protocol: rfc3164