grafana
diff --git a/‎CHANGELOG.md
+2 b/‎CHANGELOG.md
+2
diff --git a/‎docs/sources/reference/components/loki/loki.source.syslog.md
+17-12 b/‎docs/sources/reference/components/loki/loki.source.syslog.md
+17-12
diff --git a/‎internal/component/loki/process/stages/util.go
+3-8 b/‎internal/component/loki/process/stages/util.go
+3-8
diff --git a/‎internal/component/loki/source/syslog/config/config.go
+63 b/‎internal/component/loki/source/syslog/config/config.go
+63
diff --git a/‎internal/component/loki/source/syslog/internal/syslogtarget/syslogparser/syslogparser.go
+62 b/‎internal/component/loki/source/syslog/internal/syslogtarget/syslogparser/syslogparser.go
+62
diff --git a/‎internal/component/loki/source/syslog/internal/syslogtarget/syslogparser/syslogparser_test.go
+136 b/‎internal/component/loki/source/syslog/internal/syslogtarget/syslogparser/syslogparser_test.go
+136
diff --git a/‎internal/component/loki/source/syslog/internal/syslogtarget/syslogtarget.go
+1-1 b/‎internal/component/loki/source/syslog/internal/syslogtarget/syslogtarget.go
+1-1
@@ -16,6 +16,8 @@ Main (unreleased)
 
 ### Enhancements
 
+- Add `rfc3164_default_to_current_year` argument to `loki.source.syslog` (@dehaansa)
+
 - Add `connection_name` support for `prometheus.exporter.mssql` (@bck01215)
 
 - Add livedebugging support for `prometheus.scrape` (@ravishankar15, @wildum)
 
@@ -49,7 +49,7 @@ You can use the following blocks with `loki.source.syslog`:
 
 | Name                                    | Description                                                                 | Required |
 | --------------------------------------- | --------------------------------------------------------------------------- | -------- |
-| [`listener`][listener]                  | Configures a listener for IETF Syslog (RFC5424) messages.                   | no       |
+| [`listener`][listener]                  | Configures a listener for Syslog messages.                                  | no       |
 | `listener` > [`tls_config`][tls_config] | Configures TLS settings for connecting to the endpoint for TCP connections. | no       |
 
 The > symbol indicates deeper levels of nesting.
@@ -65,17 +65,18 @@ The `listener` block defines the listen address and protocol where the listener
 The following arguments can be used to configure a `listener`.
 Only the `address` field is required and any omitted fields take their default values.
 
-| Name                     | Type          | Description                                                                   | Default   | Required |
-| ------------------------ | ------------- | ----------------------------------------------------------------------------- | --------- | -------- |
-| `address`                | `string`      | The `<host:port>` address to listen to for syslog messages.                   |           | yes      |
-| `idle_timeout`           | `duration`    | The idle timeout for TCP connections.                                         | `"120s"`  | no       |
-| `label_structured_data`  | `bool`        | Whether to translate syslog structured data to Loki labels.                   | `false`   | no       |
-| `labels`                 | `map(string)` | The labels to associate with each received syslog record.                     | `{}`      | no       |
-| `max_message_length`     | `int`         | The maximum limit to the length of syslog messages.                           | `8192`    | no       |
-| `protocol`               | `string`      | The protocol to listen to for syslog messages. Must be either `tcp` or `udp`. | `tcp`     | no       |
-| `syslog_format`          | `string`      | The format for incoming messages. Must be either `rfc5424` or `rfc3164`.      | `rfc5424` | no       |
-| `use_incoming_timestamp` | `bool`        | Whether to set the timestamp to the incoming syslog record timestamp.         | `false`   | no       |
-| `use_rfc5424_message`    | `bool`        | Whether to forward the full RFC5424-formatted syslog message.                 | `false`   | no       |
+| Name                              | Type          | Description                                                                            | Default   | Required |
+| --------------------------------- | ------------- | -------------------------------------------------------------------------------------- | --------- | -------- |
+| `address`                         | `string`      | The `<host:port>` address to listen to for syslog messages.                            |           | yes      |
+| `idle_timeout`                    | `duration`    | The idle timeout for TCP connections.                                                  | `"120s"`  | no       |
+| `label_structured_data`           | `bool`        | Whether to translate syslog structured data to Loki labels.                            | `false`   | no       |
+| `labels`                          | `map(string)` | The labels to associate with each received syslog record.                              | `{}`      | no       |
+| `max_message_length`              | `int`         | The maximum limit to the length of syslog messages.                                    | `8192`    | no       |
+| `protocol`                        | `string`      | The protocol to listen to for syslog messages. Must be either `tcp` or `udp`.          | `tcp`     | no       |
+| `rfc3164_default_to_current_year` | `bool`        | Whether to default the incoming timestamp of an `rfc3164` message to the current year. | `false`   | no       |
+| `syslog_format`                   | `string`      | The format for incoming messages. Must be either `rfc5424` or `rfc3164`.               | `rfc5424` | no       |
+| `use_incoming_timestamp`          | `bool`        | Whether to set the timestamp to the incoming syslog record timestamp.                  | `false`   | no       |
+| `use_rfc5424_message`             | `bool`        | Whether to forward the full RFC5424-formatted syslog message.                          | `false`   | no       |
 
 By default, the component assigns the log entry timestamp as the time it was processed.
 
@@ -86,6 +87,10 @@ All header fields from the parsed RFC5424 messages are brought in as internal la
 If `label_structured_data` is set, structured data in the syslog header is also translated to internal labels in the form of `__syslog_message_sd_<ID>_<KEY>`.
 For example, a  structured data entry of `[example@99999 test="yes"]` becomes the label `__syslog_message_sd_example_99999_test` with the value `"yes"`.
 
+The `rfc3164_default_to_current_year` argument is only relevant when `use_incoming_timestamp` is also set to `true`.
+`rfc3164` message timestamps don't contain a year, and this component's default behavior is to mimic Promtail behavior and leave the year as 0.
+Setting `rfc3164_default_to_current_year` to `true` sets the year of the incoming timestamp to the current year using the local time of the {{< param "PRODUCT_NAME" >}} instance.
+
 ### `tls_config`
 
 {{< docs/shared lookup="reference/components/tls-config-block.md" source="alloy" version="<ALLOY_VERSION>" >}}
 
@@ -6,6 +6,8 @@ import (
 	"strconv"
 	"strings"
 	"time"
+
+	"github.com/grafana/alloy/internal/util"
 )
 
 var (
@@ -150,14 +152,7 @@ func parseTimestampWithoutYear(layout string, location *time.Location, timestamp
 		return parsedTime, fmt.Errorf(ErrTimestampContainsYear, timestamp)
 	}
 
-	// Handle the case we're crossing the New Year's Eve midnight
-	if parsedTime.Month() == 12 && now.Month() == 1 {
-		parsedTime = parsedTime.AddDate(now.Year()-1, 0, 0)
-	} else if parsedTime.Month() == 1 && now.Month() == 12 {
-		parsedTime = parsedTime.AddDate(now.Year()+1, 0, 0)
-	} else {
-		parsedTime = parsedTime.AddDate(now.Year(), 0, 0)
-	}
+	util.SetYearForLimitedTimeFormat(&parsedTime, now)
 
 	return parsedTime, nil
 }
 
@@ -0,0 +1,63 @@
+package config
+
+import (
+	"time"
+
+	promconfig "github.com/prometheus/common/config"
+	"github.com/prometheus/common/model"
+)
+
+type SyslogFormat string
+
+const (
+	// A modern Syslog RFC
+	SyslogFormatRFC5424 = "rfc5424"
+	// A legacy Syslog RFC also known as BSD-syslog
+	SyslogFormatRFC3164 = "rfc3164"
+)
+
+// SyslogTargetConfig describes a scrape config that listens for log lines over syslog.
+type SyslogTargetConfig struct {
+	// ListenAddress is the address to listen on for syslog messages.
+	ListenAddress string `yaml:"listen_address"`
+
+	// ListenProtocol is the protocol used to listen for syslog messages.
+	// Must be either `tcp` (default) or `udp`
+	ListenProtocol string `yaml:"listen_protocol"`
+
+	// IdleTimeout is the idle timeout for tcp connections.
+	IdleTimeout time.Duration `yaml:"idle_timeout"`
+
+	// LabelStructuredData sets if the structured data part of a syslog message
+	// is translated to a label.
+	// [example@99999 test="yes"] => {__syslog_message_sd_example_99999_test="yes"}
+	LabelStructuredData bool `yaml:"label_structured_data"`
+
+	// Labels optionally holds labels to associate with each record read from syslog.
+	Labels model.LabelSet `yaml:"labels"`
+
+	// UseIncomingTimestamp sets the timestamp to the incoming syslog messages
+	// timestamp if it's set.
+	UseIncomingTimestamp bool `yaml:"use_incoming_timestamp"`
+
+	// UseRFC5424Message defines whether the full RFC5424 formatted syslog
+	// message should be pushed to Loki
+	UseRFC5424Message bool `yaml:"use_rfc5424_message"`
+
+	// Syslog format used at the target. Acceptable value is rfc5424 or rfc3164.
+	// Default is rfc5424.
+	SyslogFormat SyslogFormat `yaml:"syslog_format"`
+
+	// MaxMessageLength sets the maximum limit to the length of syslog messages
+	MaxMessageLength int `yaml:"max_message_length"`
+
+	TLSConfig promconfig.TLSConfig `yaml:"tls_config,omitempty"`
+
+	// When parsing an RFC3164 message, should the year be defaulted to the current year?
+	// When false, the year will default to 0.
+	RFC3164DefaultToCurrentYear bool `yaml:"rfc3164_default_to_current_year"`
+}
+
+func (config SyslogTargetConfig) IsRFC3164Message() bool {
+	return config.SyslogFormat == SyslogFormatRFC3164
+}
@@ -0,0 +1,62 @@
+package syslogparser
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"time"
+
+	"github.com/grafana/alloy/internal/util"
+	"github.com/leodido/go-syslog/v4"
+	"github.com/leodido/go-syslog/v4/nontransparent"
+	"github.com/leodido/go-syslog/v4/octetcounting"
+	"github.com/leodido/go-syslog/v4/rfc3164"
+)
+
+// ParseStream parses a rfc5424 syslog stream from the given Reader, calling
+// the callback function with the parsed messages. The parser automatically
+// detects octet counting.
+// The function returns on EOF or unrecoverable errors.
+func ParseStream(isRFC3164Message bool, useRFC3164DefaultYear bool, r io.Reader, callback func(res *syslog.Result), maxMessageLength int) error {
+	buf := bufio.NewReaderSize(r, 1<<10)
+
+	b, err := buf.ReadByte()
+	if err != nil {
+		return err
+	}
+	_ = buf.UnreadByte()
+	cb := callback
+	if isRFC3164Message && useRFC3164DefaultYear {
+		cb = func(res *syslog.Result) {
+			if res.Message != nil {
+				rfc3164Msg := res.Message.(*rfc3164.SyslogMessage)
+				if rfc3164Msg.Timestamp != nil {
+					util.SetYearForLimitedTimeFormat(rfc3164Msg.Timestamp, time.Now())
+				}
+			}
+			callback(res)
+		}
+	}
+
+	// See https://datatracker.ietf.org/doc/html/rfc6587 for details on message framing
+	// If a syslog message starts with '<' the first piece of the message is the priority, which means it must use
+	// an explicit framing character.
+	if b == '<' {
+		if isRFC3164Message {
+			nontransparent.NewParserRFC3164(syslog.WithListener(cb), syslog.WithMaxMessageLength(maxMessageLength), syslog.WithBestEffort()).Parse(buf)
+		} else {
+			nontransparent.NewParser(syslog.WithListener(cb), syslog.WithMaxMessageLength(maxMessageLength), syslog.WithBestEffort()).Parse(buf)
+		}
+		// If a syslog message starts with a digit, it must use octet counting, and the first piece of the message is the length
+	} else if b >= '0' && b <= '9' {
+		if isRFC3164Message {
+			octetcounting.NewParserRFC3164(syslog.WithListener(cb), syslog.WithMaxMessageLength(maxMessageLength), syslog.WithBestEffort()).Parse(buf)
+		} else {
+			octetcounting.NewParser(syslog.WithListener(cb), syslog.WithMaxMessageLength(maxMessageLength), syslog.WithBestEffort()).Parse(buf)
+		}
+	} else {
+		return fmt.Errorf("invalid or unsupported framing. first byte: '%s'", string(b))
+	}
+
+	return nil
+}
@@ -0,0 +1,136 @@
+package syslogparser_test
+
+import (
+	"io"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/grafana/alloy/internal/component/loki/source/syslog/internal/syslogtarget/syslogparser"
+	"github.com/leodido/go-syslog/v4"
+	"github.com/leodido/go-syslog/v4/rfc3164"
+	"github.com/leodido/go-syslog/v4/rfc5424"
+	"github.com/stretchr/testify/require"
+)
+
+var (
+	defaultMaxMessageLength = 8192
+)
+
+func TestParseStream_OctetCounting(t *testing.T) {
+	r := strings.NewReader("23 <13>1 - - - - - - First24 <13>1 - - - - - - Second")
+
+	results := make([]*syslog.Result, 0)
+	cb := func(res *syslog.Result) {
+		results = append(results, res)
+	}
+
+	err := syslogparser.ParseStream(false, false, r, cb, defaultMaxMessageLength)
+	require.NoError(t, err)
+
+	require.Equal(t, 2, len(results))
+	require.NoError(t, results[0].Error)
+	require.Equal(t, "First", *results[0].Message.(*rfc5424.SyslogMessage).Message)
+	require.NoError(t, results[1].Error)
+	require.Equal(t, "Second", *results[1].Message.(*rfc5424.SyslogMessage).Message)
+}
+
+func TestParseStream_ValidParseError(t *testing.T) {
+	// This message can not parse fully but is valid when using the BestEffort Parser Option.
+	r := strings.NewReader("17 <13>1       First")
+
+	results := make([]*syslog.Result, 0)
+	cb := func(res *syslog.Result) {
+		results = append(results, res)
+	}
+
+	err := syslogparser.ParseStream(false, false, r, cb, defaultMaxMessageLength)
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(results))
+	require.EqualError(t, results[0].Error, "expecting a RFC3339MICRO timestamp or a nil value [col 6]")
+	require.True(t, results[0].Message.(*rfc5424.SyslogMessage).Valid())
+}
+
+func TestParseStream_OctetCounting_LongMessage(t *testing.T) {
+	r := strings.NewReader("8198 <13>1 - - - - - - First")
+
+	results := make([]*syslog.Result, 0)
+	cb := func(res *syslog.Result) {
+		results = append(results, res)
+	}
+
+	err := syslogparser.ParseStream(false, false, r, cb, defaultMaxMessageLength)
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(results))
+	require.EqualError(t, results[0].Error, "message too long to parse. was size 8198, max length 8192")
+}
+
+func TestParseStream_NewlineSeparated(t *testing.T) {
+	r := strings.NewReader("<13>1 - - - - - - First\n<13>1 - - - - - - Second\n")
+
+	results := make([]*syslog.Result, 0)
+	cb := func(res *syslog.Result) {
+		results = append(results, res)
+	}
+
+	err := syslogparser.ParseStream(false, false, r, cb, defaultMaxMessageLength)
+	require.NoError(t, err)
+
+	require.Equal(t, 2, len(results))
+	require.NoError(t, results[0].Error)
+	require.Equal(t, "First", *results[0].Message.(*rfc5424.SyslogMessage).Message)
+	require.NoError(t, results[1].Error)
+	require.Equal(t, "Second", *results[1].Message.(*rfc5424.SyslogMessage).Message)
+}
+
+func TestParseStream_InvalidStream(t *testing.T) {
+	r := strings.NewReader("invalid")
+
+	err := syslogparser.ParseStream(false, false, r, func(_ *syslog.Result) {}, defaultMaxMessageLength)
+	require.EqualError(t, err, "invalid or unsupported framing. first byte: 'i'")
+}
+
+func TestParseStream_EmptyStream(t *testing.T) {
+	r := strings.NewReader("")
+
+	err := syslogparser.ParseStream(false, false, r, func(_ *syslog.Result) {}, defaultMaxMessageLength)
+	require.Equal(t, err, io.EOF)
+}
+
+func TestParseStream_RFC3164Timestamp(t *testing.T) {
+	r := strings.NewReader("<13>Dec  1 00:00:00 host Message")
+
+	results := make([]*syslog.Result, 0)
+	cb := func(res *syslog.Result) {
+		results = append(results, res)
+	}
+
+	err := syslogparser.ParseStream(true, false, r, cb, defaultMaxMessageLength)
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(results))
+	require.NoError(t, results[0].Error)
+	require.Equal(t, "Message", *results[0].Message.(*rfc3164.SyslogMessage).Message)
+	require.Equal(t, "host", *results[0].Message.(*rfc3164.SyslogMessage).Hostname)
+	require.Equal(t, time.Date(0, 12, 1, 0, 0, 0, 0, time.UTC), *results[0].Message.(*rfc3164.SyslogMessage).Timestamp)
+}
+
+func TestParseStream_RFC3164TimestampWithYear(t *testing.T) {
+	r := strings.NewReader("<13>Dec  1 00:00:00 host Message")
+
+	results := make([]*syslog.Result, 0)
+	cb := func(res *syslog.Result) {
+		results = append(results, res)
+	}
+
+	err := syslogparser.ParseStream(true, true, r, cb, defaultMaxMessageLength)
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(results))
+	require.NoError(t, results[0].Error)
+	require.Equal(t, "Message", *results[0].Message.(*rfc3164.SyslogMessage).Message)
+	require.Equal(t, "host", *results[0].Message.(*rfc3164.SyslogMessage).Hostname)
+	require.Equal(t, time.Date(time.Now().Year(), 12, 1, 0, 0, 0, 0, time.UTC), *results[0].Message.(*rfc3164.SyslogMessage).Timestamp)
+}
@@ -12,7 +12,7 @@ import (
 	"time"
 
 	"github.com/go-kit/log"
-	"github.com/grafana/loki/v3/clients/pkg/promtail/scrapeconfig"
+	scrapeconfig "github.com/grafana/alloy/internal/component/loki/source/syslog/config"
 	"github.com/grafana/loki/v3/clients/pkg/promtail/targets/target"
 	"github.com/grafana/loki/v3/pkg/logproto"
 	"github.com/leodido/go-syslog/v4"