Fix RFC 5424 syslog parser to handle \\ and \" escapes in structured data

[Copilot]

The sd_raw scanner in the Ragel grammar only recognized \] as a valid escape sequence, but RFC 5424 §6.3.3 requires \", \\, and \]. Messages with escaped backslashes (e.g. tenantNodePath="1\\2") would fail with unexpected EOF.

Grammar fix (rfc5424.rl):

-    sd_raw_values = ((bs ']') | (any - sd_raw_escape));
+    sd_raw_values = ((bs escape_chars) | (any - sd_raw_escape));

escape_chars is already defined as ('"' | ']' | bs) and used by the param_value rule — sd_raw was the only path that didn't use it.

• parser/rfc5424.rl — one-line fix to sd_raw_values
• rfc5424_gen.go — regenerated via ragel -Z -G2
• rfc5424_test.go / message_test.go — test cases for \\, \", and combined escapes in both parseRFC5424 and parseStructuredData
• processors/syslog_test.go — end-to-end test case for escaped backslash in structured data through the syslog processor
• changelog/fragments/ — changelog fragment for the bug fix

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Syslog Processor] Syslog processor fails to parse the escaped backslash</issue_title>
<issue_description>## Summary

RFC 5424 syslog messages whose structured-data parameter values contain \\ (and similar escapes) could fail to parse in libbeat’s syslog reader (libbeat/reader/syslog). The syslog processor (libbeat/processors/syslog), which uses that reader, was affected the same way.

Root cause

The main RFC5424 parse path captured structured data with a lenient sd_raw scanner that only treated \] as an escape. A lone \ before another character (e.g. the second \ in \\, per RFC 5424 §6.3.3) was invalid in that grammar, so parsing could stop mid-message with an error such as parsing error … unexpected EOF and no log.syslog.structured_data / truncated fields.

Expected behavior

Per RFC 5424 §6.3.3, inside SD-PARAM-VALUE these escapes must be honored: \", \\, \]. Real-world senders (e.g. McAfee EPO-style tenantNodePath="1\\2") should parse successfully end-to-end.

Example payload (fails before fix)

<29>1 2026-03-18T20:12:53.0Z host app - mid [agentInfo@3401 tenantId="1" tenantNodePath="1\\2"] payload
</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [Syslog Processor] Syslog processor fails to parse the escaped backslash #49594

---

⌨️ Start Copilot coding agent tasks without leaving your editor — available in VS Code, Visual Studio, JetBrains IDEs and Eclipse.

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @copilot? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[bhapas]

@copilot Add a test under processors/syslog_test.go

[Copilot]

@copilot Add a test under processors/syslog_test.go

Added in f84cf85. The new rfc-5424-sd-with-escaped-backslash test case in processors/syslog_test.go uses the exact payload from the issue (tenantNodePath="1\\2") and verifies the structured data is parsed end-to-end through the processor with the backslash escape correctly unescaped.

[bhapas]

@copilot Add changelog fragment

[Copilot]

@copilot Add changelog fragment

Added in 8e8ce32. The changelog fragment is at changelog/fragments/1774256814-fix-syslog-rfc5424-escaped-backslash.yaml with kind bug-fix and component libbeat.

[elasticmachine]

Pinging @elastic/integration-experience (Team:Integration-Experience)

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2d79262e-6a9f-4414-8724-aba13530220b

📥 Commits

Reviewing files that changed from the base of the PR and between 4666186 and c5523c9.

📒 Files selected for processing (6)

• changelog/fragments/1774256814-fix-syslog-rfc5424-escaped-backslash.yaml
• libbeat/processors/syslog/syslog_test.go
• libbeat/reader/syslog/message_test.go
• libbeat/reader/syslog/parser/rfc5424.rl
• libbeat/reader/syslog/rfc5424_gen.go
• libbeat/reader/syslog/rfc5424_test.go

---

📝 Walkthrough

Walkthrough

This PR fixes RFC 5424 syslog message parsing to correctly handle escaped backslashes and quotes in structured-data parameter values. The grammar in rfc5424.rl is updated to recognize \, \", and \] escape sequences as specified in RFC 5424 §6.3.3. The Ragel parser generator regenerates corresponding Go code in rfc5424_gen.go. Test cases are added across three test files—syslog processor tests, syslog message parser tests, and RFC5424 parser tests—covering backslash escaping, quote escaping, and mixed escape scenarios in structured-data values.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	All changes align with issue #49594 requirements: RFC 5424 grammar updated to recognize \"\, \\\\ and \] escapes; parser regenerated; tests added for escaped backslashes, quotes, and combinations; end-to-end syslog processor test included.
Out of Scope Changes check	✅ Passed	All changes directly address the RFC 5424 escape handling fix: grammar rule update, generated parser, targeted test cases, and changelog fragment. No unrelated modifications present.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch copilot/fix-syslog-processor-parse-error

• 🛠️ Update Documentation: Commit on current branch
• 🛠️ Update Documentation: Create PR

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[bhapas]

@copilot Fix golangci-lint issues

[Copilot]

@copilot Fix golangci-lint issues

Fixed in 7f5bd8e. The testifylint linter flagged a reversed expected/actual in assert.Equal(t, m.priority, -1) at message_test.go:205 (pre-existing, but surfaced by --whole-files since I touched that file). Changed to assert.Equal(t, -1, m.priority).

[github-actions]

TL;DR

golangci-lint failed in workflow run https://github.com/elastic/beats/actions/runs/23429626826 on all three OS jobs due one testifylint violation in libbeat/reader/syslog/message_test.go:205; swap expected/actual argument order in that assertion and rerun CI.

Remediation

• In libbeat/reader/syslog/message_test.go line 205, change assert.Equal(t, m.priority, -1) to assert.Equal(t, -1, m.priority).
• Re-run golangci-lint (or push and rerun checks) to confirm the lint (ubuntu|windows|macos) jobs pass.

Investigation details

Root Cause

The golangci-lint step fails with testifylint’s expected-actual rule because one assertion has arguments reversed.

Evidence

• Workflow: https://github.com/elastic/beats/actions/runs/23429626826
• Job/step: lint (ubuntu-latest|windows-latest|macos-latest) → golangci-lint
• Key log excerpt:

##[error]libbeat/reader/syslog/message_test.go:205:5: expected-actual: need to reverse actual and expected values (testifylint)
			assert.Equal(t, m.priority, -1)
			^
##[error]issues found

• Same failure reproduced in all three matrix jobs:
  • https://github.com/elastic/beats/actions/runs/23429626826/job/68152451611 (ubuntu)
  • https://github.com/elastic/beats/actions/runs/23429626826/job/68152451588 (windows)
  • https://github.com/elastic/beats/actions/runs/23429626826/job/68152451552 (macos)

Validation

• Local tests/linters not run in this detective pass (read-only triage from CI logs).

Follow-up

• I checked the most recent prior PR Actions Detective report on this PR; that report was for a different failure (check-default / missing license header), so this is a new failure mode and merits a fresh report.

---

What is this? | From workflow: PR Actions Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[taylor-swanson]

This appears to be fixing the same issue as #49392