[pkg/stanza][receiver/syslogreceiver] Add syslog priority/facility text option

Author: sugaf1204

pkg/stanza/docs/operators/syslog_parser.md

@@ -15,6 +15,7 @@ The `syslog_parser` operator parses the string-type field selected by `parse_fro
 | `location`                           | `UTC`            | The geographic location (timezone) to use when parsing the timestamp (Syslog RFC 3164 only). The available locations depend on the local IANA Time Zone database. [This page](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) contains many examples, such as `America/New_York`. |
 | `enable_octet_counting`              | `false`          | Wether or not to enable [RFC 6587](https://www.rfc-editor.org/rfc/rfc6587#section-3.4.1) Octet Counting on syslog parsing (Syslog RFC 5424 only).  |
 | `allow_skip_pri_header`              | `false`          | Allow parsing records without the PRI header. If this setting is enabled, messages without the PRI header will be successfully parsed. The `severity` and `severity_text` fields as well as the `priority` and `facility` attributes will not be set. If this setting is disabled (the default), messages without PRI header will throw an exception. To set this setting to `true`, the `enable_octet_counting` setting must be `false`.|
+| `priority_facility_to_text`          | `false`          | Convert `priority` and `facility` attributes to syslog keyword strings (`priority` uses severity short levels like `crit`, and `facility` uses facility keywords like `auth`). |
 | `non_transparent_framing_trailer`    | `nil`            | The framing trailer, either `LF` or `NUL`, when using [RFC 6587](https://www.rfc-editor.org/rfc/rfc6587#section-3.4.2) Non-Transparent-Framing (Syslog RFC 5424 only). |
 | `timestamp`                          | `nil`            | An optional [timestamp](../types/timestamp.md) block which will parse a timestamp field before passing the entry to the output operator                                                                                               |
 | `severity`                           | `nil`            | An optional [severity](../types/severity.md) block which will parse a severity field before passing the entry to the output operator                                                                                                  |

pkg/stanza/operator/parser/syslog/config.go

@@ -54,6 +54,7 @@ type BaseConfig struct {
 	Location                     string  `mapstructure:"location,omitempty"`
 	EnableOctetCounting          bool    `mapstructure:"enable_octet_counting,omitempty"`
 	AllowSkipPriHeader           bool    `mapstructure:"allow_skip_pri_header,omitempty"`
+	PriorityFacilityToText       bool    `mapstructure:"priority_facility_to_text,omitempty"`
 	NonTransparentFramingTrailer *string `mapstructure:"non_transparent_framing_trailer,omitempty"`
 	MaxOctets                    int     `mapstructure:"max_octets,omitempty"`
 }
@@ -105,6 +106,7 @@ func (c Config) Build(set component.TelemetrySettings) (operator.Operator, error
 		location:                     location,
 		enableOctetCounting:          c.EnableOctetCounting,
 		allowSkipPriHeader:           c.AllowSkipPriHeader,
+		priorityFacilityToText:       c.PriorityFacilityToText,
 		nonTransparentFramingTrailer: c.NonTransparentFramingTrailer,
 		maxOctets:                    c.MaxOctets,
 	}, nil

pkg/stanza/operator/parser/syslog/config_test.go

@@ -40,6 +40,15 @@ func TestUnmarshal(t *testing.T) {
 					return cfg
 				}(),
 			},
+			{
+				Name: "priority_facility_to_text",
+				Expect: func() *Config {
+					cfg := NewConfig()
+					cfg.Protocol = RFC3164
+					cfg.PriorityFacilityToText = true
+					return cfg
+				}(),
+			},
 			{
 				Name: "location",
 				Expect: func() *Config {

pkg/stanza/operator/parser/syslog/parser.go

@@ -33,6 +33,7 @@ type Parser struct {
 	location                     *time.Location
 	enableOctetCounting          bool
 	allowSkipPriHeader           bool
+	priorityFacilityToText       bool
 	nonTransparentFramingTrailer *string
 	maxOctets                    int
 }
@@ -144,9 +145,14 @@ func (p *Parser) parseRFC3164(syslogMessage *rfc3164.SyslogMessage, skipPriHeade
 	}
 
 	if !skipPriHeaderValues {
-		value["priority"] = syslogMessage.Priority
 		value["severity"] = syslogMessage.Severity
-		value["facility"] = syslogMessage.Facility
+		if p.priorityFacilityToText {
+			value["priority"] = syslogMessage.SeverityShortLevel()
+			value["facility"] = syslogMessage.FacilityLevel()
+		} else {
+			value["priority"] = syslogMessage.Priority
+			value["facility"] = syslogMessage.Facility
+		}
 	}
 
 	return p.toSafeMap(value)
@@ -166,9 +172,14 @@ func (p *Parser) parseRFC5424(syslogMessage *rfc5424.SyslogMessage, skipPriHeade
 	}
 
 	if !skipPriHeaderValues {
-		value["priority"] = syslogMessage.Priority
 		value["severity"] = syslogMessage.Severity
-		value["facility"] = syslogMessage.Facility
+		if p.priorityFacilityToText {
+			value["priority"] = syslogMessage.SeverityShortLevel()
+			value["facility"] = syslogMessage.FacilityLevel()
+		} else {
+			value["priority"] = syslogMessage.Priority
+			value["facility"] = syslogMessage.Facility
+		}
 	}
 
 	return p.toSafeMap(value)

pkg/stanza/operator/parser/syslog/syslogtest/data.go

@@ -141,6 +141,34 @@ func CreateCases(basicConfig func() *syslog.Config) ([]Case, error) {
 			true,
 			true,
 		},
+		{
+			"RFC3164PriorityFacilityToText",
+			func() *syslog.Config {
+				cfg := basicConfig()
+				cfg.Protocol = syslog.RFC3164
+				cfg.Location = location["utc"].String()
+				cfg.PriorityFacilityToText = true
+				return cfg
+			}(),
+			&entry.Entry{
+				Body: fmt.Sprintf("<34>%s 1.2.3.4 apache_server: test message", ts.Format("Jan _2 15:04:05")),
+			},
+			&entry.Entry{
+				Timestamp:    time.Date(ts.Year(), ts.Month(), ts.Day(), ts.Hour(), ts.Minute(), ts.Second(), 0, location["utc"]),
+				Severity:     entry.Error2,
+				SeverityText: "crit",
+				Attributes: map[string]any{
+					"appname":  "apache_server",
+					"facility": "auth",
+					"hostname": "1.2.3.4",
+					"message":  "test message",
+					"priority": "crit",
+				},
+				Body: fmt.Sprintf("<34>%s 1.2.3.4 apache_server: test message", ts.Format("Jan _2 15:04:05")),
+			},
+			true,
+			true,
+		},
 		{
 			"RFC3164Detroit",
 			func() *syslog.Config {

pkg/stanza/operator/parser/syslog/testdata/config.yaml

@@ -6,6 +6,10 @@ rfc3164:
 rfc5424:
   type: syslog_parser
   protocol: rfc5424
+priority_facility_to_text:
+  type: syslog_parser
+  protocol: rfc3164
+  priority_facility_to_text: true
 location:
   type: syslog_parser
   protocol: rfc5424

receiver/syslogreceiver/README.md

@@ -27,6 +27,7 @@ Parses Syslogs received over TCP or UDP.
 | `enable_octet_counting`             | `false`      | Whether or not to enable [RFC 6587](https://www.rfc-editor.org/rfc/rfc6587#section-3.4.1) Octet Counting on syslog parsing (Syslog RFC 5424 and TCP only).                                                                                                                                                                                                                                                                                                        |
 | `max_octets`                        | `8192`      | The maximum octets for messages using [RFC 6587](https://www.rfc-editor.org/rfc/rfc6587#section-3.4.1) Octet Counting on syslog parsing (Syslog RFC 5424 and TCP only).                                                                                                                                                                                                                                                                                          |
 | `allow_skip_pri_header`             | `false`          | Allow parsing records without the PRI header. If this setting is enabled, messages without the PRI header will be successfully parsed. The `SeverityNumber` and `SeverityText` fields as well as the `priority` and `facility` attributes will not be set on the log record. If this setting is disabled (the default), messages without PRI header will throw an exception. To set this setting to `true`, the `enable_octet_counting` setting must be `false`. |
+| `priority_facility_to_text`         | `false`      | Convert `priority` and `facility` attributes to syslog keyword strings (`priority` uses severity short levels like `crit`, and `facility` uses facility keywords like `auth`). |
 | `non_transparent_framing_trailer`   | `nil`        | The framing trailer, either `LF` or `NUL`, when using [RFC 6587](https://www.rfc-editor.org/rfc/rfc6587#section-3.4.2) Non-Transparent-Framing (Syslog RFC 5424 and TCP only).                                                                                                                                                                                                                                                                                   |
 | `attributes`                        | {}           | A map of `key: value` labels to add to the entry's attributes                                                                                                                                                                                                                                                                                                                                                                                                    |
 | `resource`                          | {}           | A map of `key: value` labels to add to the entry's resource                                                                                                                                                                                                                                                                                                                                                                                                      |
@@ -155,4 +156,3 @@ receivers:
     protocol: rfc3164
     location: UTC
 ```
-