From 0f3891a2c16186735708a93225ee35f53e44144d Mon Sep 17 00:00:00 2001
From: Daniel Dumitrache
Date: Wed, 11 Oct 2023 20:06:52 +0300
Subject: [PATCH 1/2] Combined KV_PATTERN and QUOTED_KV_PATTERN into single regex to match both patterns for quoted and unquoted values
---
 .../syslog4j/server/impl/event/FortiGateSyslogEvent.java | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/src/main/java/org/graylog2/syslog4j/server/impl/event/FortiGateSyslogEvent.java b/src/main/java/org/graylog2/syslog4j/server/impl/event/FortiGateSyslogEvent.java
index 1e69bef..693881f 100644
--- a/src/main/java/org/graylog2/syslog4j/server/impl/event/FortiGateSyslogEvent.java
+++ b/src/main/java/org/graylog2/syslog4j/server/impl/event/FortiGateSyslogEvent.java
@@ -30,8 +30,7 @@
 */
 public class FortiGateSyslogEvent implements SyslogServerEventIF {
 private static final Pattern PRI_PATTERN = Pattern.compile("^<(\\d{1,3})>(.*)$");
- private static final Pattern KV_PATTERN = Pattern.compile("(\\w+)=([^\\s\"]*)");
- private static final Pattern QUOTED_KV_PATTERN = Pattern.compile("(\\w+)=\"([^\"]*)\"");
+ private static final Pattern KV_PATTERN = Pattern.compile("(\\w+)=(?:\"([^\"]*)\"|([^\\s\"]*))");

 private String rawEvent;
 private ZoneId defaultZoneId;
@@ -87,11 +86,7 @@ private void parseFields(String event) {
 final Map fields = new HashMap<>();
 final Matcher matcher = KV_PATTERN.matcher(event);
 while (matcher.find()) {
- fields.put(matcher.group(1), matcher.group(2));
- }
- final Matcher quotedMatcher = QUOTED_KV_PATTERN.matcher(event);
- while (quotedMatcher.find()) {
- fields.put(quotedMatcher.group(1), quotedMatcher.group(2));
+ fields.put(matcher.group(1), matcher.group(2) != null ? matcher.group(2) : matcher.group(3));
 }
 setFields(fields);
 }
From d166ca0f40155bce5a7dd729bc307492f4ce082d Mon Sep 17 00:00:00 2001
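Review bot: The combined `KV_PATTERN` in the `@@ -30,8 +30,7 @@` hunk of patch 1/2 still closes a quoted value at the first `"`, so a value that itself contains a quote character ends early and the remainder is scanned again as new `key=value` pairs. For a parser that feeds firewall logs into search and alerting, that means text inside a free-form field can surface as separate fields. If the device escapes embedded quotes with a backslash (not confirmed from this page), the quoted alternative could accept escapes, for example `\"((?:[^\"\\\\]|\\\\.)*)\"`, with the value unescaped afterwards; otherwise a comment on the constant stating that embedded quotes are unsupported would at least record the limit.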
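Review bot: The loop in `parseFields` (hunk `@@ -87,11 +86,7 @@` of patch 1/2) keeps the last value when a key occurs more than once, because `fields.put` overwrites, and nothing in the code says whether that is intended. I would document the group layout and the duplicate rule above the `put`, e.g. `// group(2): quoted value, group(3): unquoted value; a repeated key keeps its last occurrence`. If the earlier occurrences are the ones written by the device and later ones can come from free text, `fields.putIfAbsent(...)` would be the safer choice, but that depends on a message layout not visible here. The signature of `parseFields` appears only in the hunk header.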
From: Daniel Dumitrache
Date: Mon, 16 Oct 2023 12:56:26 +0300
Subject: [PATCH 2/2] Fix PRI_PATTERN to also match messages containing a new line, also log the message if there's an invalid messge
---
 .../syslog4j/server/impl/event/FortiGateSyslogEvent.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/graylog2/syslog4j/server/impl/event/FortiGateSyslogEvent.java b/src/main/java/org/graylog2/syslog4j/server/impl/event/FortiGateSyslogEvent.java
index 693881f..23bd51e 100644
--- a/src/main/java/org/graylog2/syslog4j/server/impl/event/FortiGateSyslogEvent.java
+++ b/src/main/java/org/graylog2/syslog4j/server/impl/event/FortiGateSyslogEvent.java
@@ -29,7 +29,7 @@
 * @see FortiGate logging and reporting overview
 */
 public class FortiGateSyslogEvent implements SyslogServerEventIF {
- private static final Pattern PRI_PATTERN = Pattern.compile("^<(\\d{1,3})>(.*)$");
+ private static final Pattern PRI_PATTERN = Pattern.compile("^<(\\d{1,3})>(.*)");
 private static final Pattern KV_PATTERN = Pattern.compile("(\\w+)=(?:\"([^\"]*)\"|([^\\s\"]*))");

 private String rawEvent;
@@ -59,7 +59,7 @@ private void initialize(final String rawEvent, DateTimeZone sysLogServerTimeZone
 private void parse(String event) {
 final Matcher matcher = PRI_PATTERN.matcher(event);
 if (!matcher.find()) {
- throw new IllegalArgumentException("Invalid Fortigate syslog message");
+ throw new IllegalArgumentException("Invalid Fortigate syslog message: " + event);
 } else {
 final String priority = matcher.group(1);
 final String message = matcher.group(2);
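Review bot: `PRI_PATTERN` without `$` (hunk `@@ -29,7 +29,7 @@` of patch 2/2) now accepts a message with an embedded newline but captures only its first line: `.` does not match line terminators, so `matcher.group(2)` in `parse` stops at the first one and the rest is silently left out of `message`. Whether the dropped part matters depends on how `message` is used further down, which is outside the hunks; if key/value pairs after the newline should still be parsed, compile with DOTALL instead, `Pattern.compile("^<(\\d{1,3})>(.*)$", Pattern.DOTALL)`. If the truncation is intended, a comment on the constant saying so would keep the `$` from being restored later.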
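Review bot: The new exception message in `parse` (hunk `@@ -59,7 +59,7 @@` of patch 2/2) appends the raw `event` with no length bound and no control-character handling, and this branch is reached exactly for input that did not look like syslog, i.e. whatever a sender put on the wire. Once the exception is logged, embedded CR/LF can forge extra log lines and an oversized message is copied whole into the log. I would cap and neutralise it first: `final String shown = event.length() > 256 ? event.substring(0, 256) : event;` followed by `throw new IllegalArgumentException("Invalid Fortigate syslog message: " + shown.replaceAll("\\p{Cntrl}", "?"));` (256 is an arbitrary bound). `parse` continues past the end of the hunk.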