syslog source: allow manual timezone specification for BSD syslog messages

[woodsb02]

A note for the community

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Use Cases

BSD syslog messages (rfc3164) include the timestamp field in the format "Mmm dd hh:mm:ss".
The messages do not include a timezone specification, but are supposed to be in the local timezone of the sending device.

However, the sending device may not be in the same timezone as the receiving vector agent.
Also, some devices implement this incorrectly and use UTC for this timestamp.

This creates a need to adjust the timestamp field to adjust the timezone interpretted.

Attempted Solutions

The below transform works, however it's not as convenient as a single line to specify the timezone in the source.

transforms:
  timezone_remap:
    type: remap
    inputs:
      - device-using-bsd-syslog-with-UTC-timestamp
    source: |-
      .timestamp = from_unix_timestamp!(to_unix_timestamp!(.timestamp) + 28800)

Proposal

1. It would be helpful if the syslog source could include an optional configuration setting "timezone" that allows the user to specify what timezone the timestamp should be interpretted as.

Example:

sources:
  device-using-bsd-syslog-with-UTC-timestamp:
    type: syslog
    address: 0.0.0.0:5144
    mode: udp
    timezone: UTC

2. I also propose the same optional "timezone" parameter is also added to the parse_syslog vrl function.

parse_syslog(value: <string> , [timezone: <string> ])
:: <object> , <error>

References

#3234
#4710
https://datatracker.ietf.org/doc/html/rfc3164#section-4.1.2
https://vector.dev/docs/reference/configuration/sources/syslog/
https://vector.dev/docs/reference/vrl/functions/#parse_syslog

Version

vector 0.44.0 (x86_64-unknown-linux-gnu)