Fix memory leak issues causing OOM after prolonged operation

src/main/java/com/wizecore/graylog2/plugin/CEFSender.java

@@ -12,8 +12,8 @@
 
 /*
  * http://blog.rootshell.be/2011/05/11/ossec-speaks-arcsight/
- * 
- * 
+ *
+ *
  * CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
 
 CEF:0|ArcSight|Logger|5.0.0.5355.2|sensor:115|Logger Internal Event|1|\
@@ -23,9 +23,20 @@
  */
 public class CEFSender implements MessageSender {
 
+	/**
+	 * ThreadLocal StringBuilder to avoid allocating new StringBuilder on every message
+	 */
+	private static final ThreadLocal<StringBuilder> STRING_BUILDER_CACHE = new ThreadLocal<StringBuilder>() {
+		@Override
+		protected StringBuilder initialValue() {
+			return new StringBuilder(512);
+		}
+	};
+
 	@Override
 	public void send(SyslogIF syslog, int level, Message msg) {
-		StringBuilder out = new StringBuilder();
+		StringBuilder out = STRING_BUILDER_CACHE.get();
+		out.setLength(0);
 
 		// Header:
 		// CEF:Version|Device Vendor|Device Product|Device Version|

src/main/java/com/wizecore/graylog2/plugin/FullSender.java

@@ -13,7 +13,7 @@
 
 /**
  * Sends full message to Syslog.
- * 
+ *
  * <165>1 2003-10-11T22:14:15.003Z mymachine.example.com
            evntslog - ID47 [exampleSDID@0 iut="3" eventSource=
            "Application" eventID="1011"] BOMAn application
@@ -23,21 +23,44 @@
 public class FullSender implements MessageSender {
 	private Logger log = Logger.getLogger(FullSender.class.getName());
 
+	/**
+	 * ThreadLocal HashMap to avoid allocating new HashMaps on every message
+	 */
+	private static final ThreadLocal<Map<String, String>> SD_PARAMS_CACHE = new ThreadLocal<Map<String, String>>() {
+		@Override
+		protected Map<String, String> initialValue() {
+			return new HashMap<String, String>();
+		}
+	};
+
+	/**
+	 * ThreadLocal HashMap for structured data to avoid allocating new HashMaps on every message
+	 */
+	private static final ThreadLocal<Map<String, Map<String, String>>> SD_CACHE = new ThreadLocal<Map<String, Map<String, String>>>() {
+		@Override
+		protected Map<String, Map<String, String>> initialValue() {
+			return new HashMap<String, Map<String, String>>();
+		}
+	};
+
 	@Override
-	public void send(SyslogIF syslog, int level, Message msg) {		
-		Map<String, String> sdParams = new HashMap<String, String>();
+	public void send(SyslogIF syslog, int level, Message msg) {
+		Map<String, String> sdParams = SD_PARAMS_CACHE.get();
+		sdParams.clear();
+
 		Map<String, Object> fields = msg.getFields();
 		for (String key: fields.keySet()) {
 			if (key != Message.FIELD_MESSAGE && key != Message.FIELD_FULL_MESSAGE && key != Message.FIELD_SOURCE) {
 				sdParams.put(key, fields.get(key).toString());
 			}
 		}
-		
+
 		// http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers
 		// <name>@<enterpriseId>
 		String sdId = "all@0";
 		// log.info("Sending " + level + ", " + msg.getId() + ", " + msg.getSource() + ", " + sdId + "=" + sdParams + ", " + msg.getMessage());
-		Map<String,Map<String,String>> sd = new HashMap<String, Map<String,String>>();
+		Map<String,Map<String,String>> sd = SD_CACHE.get();
+		sd.clear();
 		sd.put(sdId, sdParams);
 
 		String msgId = null;		
@@ -65,8 +88,19 @@ public void send(SyslogIF syslog, int level, Message msg) {
 		syslog.log(level, new StructuredSyslogMessage(msgId, sourceId, sd, dumpMessage(msg)));
 	}
 
+	/**
+	 * ThreadLocal StringBuilder for dumpMessage to avoid allocations
+	 */
+	private static final ThreadLocal<StringBuilder> DUMP_MESSAGE_BUILDER = new ThreadLocal<StringBuilder>() {
+		@Override
+		protected StringBuilder initialValue() {
+			return new StringBuilder(512);
+		}
+	};
+
 	public static String dumpMessage(Message msg) {
-		final StringBuilder sb = new StringBuilder();
+		final StringBuilder sb = DUMP_MESSAGE_BUILDER.get();
+		sb.setLength(0);
         sb.append("source: ").append(msg.getField(Message.FIELD_SOURCE)).append(" | ");
 
         Object text = msg.getField(Message.FIELD_FULL_MESSAGE);

src/main/java/com/wizecore/graylog2/plugin/PlainSender.java

@@ -11,46 +11,68 @@
 import org.graylog2.syslog4j.SyslogIF;
 
 /**
- * Formats fields into message text 
- * 
+ * Formats fields into message text
+ *
 
         <34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - BOM'su root' failed for lonvick on /dev/pts/8
          ^priority
          	^ version
-         	  ^ date 
+         	  ^ date
          	  						   ^ host
          	  						   						 ^ APP-NAME
          	  						   						 	^ structured data?
-         	  						   						 	  ^ MSGID 
-         	  						   						 	  	    
+         	  						   						 	  ^ MSGID
+
  */
 public class PlainSender implements MessageSender {
 	private Logger log = Logger.getLogger(PlainSender.class.getName());
 
 	public static final String SYSLOG_DATEFORMAT = "MMM dd HH:mm:ss";
-
+
+	/**
+	 * ThreadLocal SimpleDateFormat to avoid creating new instances on every message
+	 * and avoid synchronization issues (SimpleDateFormat is not thread-safe)
+	 */
+	private static final ThreadLocal<SimpleDateFormat> DATE_FORMAT = new ThreadLocal<SimpleDateFormat>() {
+		@Override
+		protected SimpleDateFormat initialValue() {
+			return new SimpleDateFormat(SYSLOG_DATEFORMAT, Locale.ENGLISH);
+		}
+	};
+
+	/**
+	 * ThreadLocal StringBuilder to avoid allocating new StringBuilder on every message
+	 */
+	private static final ThreadLocal<StringBuilder> STRING_BUILDER_CACHE = new ThreadLocal<StringBuilder>() {
+		@Override
+		protected StringBuilder initialValue() {
+			return new StringBuilder(256);
+		}
+	};
+
 	/**
 	 * From syslog4j
-	 * 
+	 *
 	 * @param dt
 	 * @return
 	 */
 	public static void appendSyslogTimestamp(Date dt, StringBuilder buffer) {
-		SimpleDateFormat dateFormat = new SimpleDateFormat(SYSLOG_DATEFORMAT,Locale.ENGLISH);		
-		String datePrefix = dateFormat.format(dt);	
-		
-		int pos = buffer.length() + 4;		
+		SimpleDateFormat dateFormat = DATE_FORMAT.get();
+		String datePrefix = dateFormat.format(dt);
+
+		int pos = buffer.length() + 4;
 		buffer.append(datePrefix);
-	
+
 		//  RFC 3164 requires leading space for days 1-9
 		if (buffer.charAt(pos) == '0') {
 			buffer.setCharAt(pos,' ');
 		}
 	}
-	
+
 	@Override
 	public void send(SyslogIF syslog, int level, Message msg) {
-		StringBuilder out = new StringBuilder();
+		StringBuilder out = STRING_BUILDER_CACHE.get();
+		out.setLength(0);
 		appendHeader(msg, out);
 		out.append(msg.getMessage());
 		String str = out.toString();

src/main/java/com/wizecore/graylog2/plugin/SnareWindowsSender.java

@@ -28,32 +28,64 @@ public class SnareWindowsSender implements MessageSender {
 	public static final String SYSLOG_DATEFORMAT = "MMM dd HH:mm:ss";
   public static final String MSEVENT_DATEFORMAT = "EEE MMM dd HH:mm:ss yyyy";
 	public static final String SEPARATOR = "\t";
+
+	/**
+	 * ThreadLocal SimpleDateFormat to avoid creating new instances on every message
+	 * and avoid synchronization issues (SimpleDateFormat is not thread-safe)
+	 */
+	private static final ThreadLocal<SimpleDateFormat> SYSLOG_DATE_FORMAT = new ThreadLocal<SimpleDateFormat>() {
+		@Override
+		protected SimpleDateFormat initialValue() {
+			return new SimpleDateFormat(SYSLOG_DATEFORMAT, Locale.ENGLISH);
+		}
+	};
+
+	/**
+	 * ThreadLocal SimpleDateFormat for MS Event timestamp
+	 */
+	private static final ThreadLocal<SimpleDateFormat> MSEVENT_DATE_FORMAT = new ThreadLocal<SimpleDateFormat>() {
+		@Override
+		protected SimpleDateFormat initialValue() {
+			return new SimpleDateFormat(MSEVENT_DATEFORMAT, Locale.ENGLISH);
+		}
+	};
+
+	/**
+	 * ThreadLocal StringBuilder to avoid allocating new StringBuilder on every message
+	 */
+	private static final ThreadLocal<StringBuilder> STRING_BUILDER_CACHE = new ThreadLocal<StringBuilder>() {
+		@Override
+		protected StringBuilder initialValue() {
+			return new StringBuilder(512);
+		}
+	};
+
 	/**
 	 * From syslog4j
-	 * 
+	 *
 	 * @param dt
 	 * @return
 	 */
 	public static void appendSyslogTimestamp(Date dt, StringBuilder buffer) {
-		SimpleDateFormat dateFormat = new SimpleDateFormat(SYSLOG_DATEFORMAT,Locale.ENGLISH);		
-		String datePrefix = dateFormat.format(dt);	
-		
-		int pos = buffer.length() + 4;		
+		SimpleDateFormat dateFormat = SYSLOG_DATE_FORMAT.get();
+		String datePrefix = dateFormat.format(dt);
+
+		int pos = buffer.length() + 4;
 		buffer.append(datePrefix);
-	
+
 		//  RFC 3164 requires leading space for days 1-9
 		if (buffer.charAt(pos) == '0') {
 			buffer.setCharAt(pos,' ');
 		}
 	}
 
 	public static void appendMSEventTimestamp(Date dt, StringBuilder buffer) {
-		SimpleDateFormat dateFormat = new SimpleDateFormat(MSEVENT_DATEFORMAT,Locale.ENGLISH);		
-		String datePrefix = dateFormat.format(dt);	
-		
-		int pos = buffer.length() + 4;		
+		SimpleDateFormat dateFormat = MSEVENT_DATE_FORMAT.get();
+		String datePrefix = dateFormat.format(dt);
+
+		int pos = buffer.length() + 4;
 		buffer.append(datePrefix);
-	
+
 		//  RFC 3164 requires leading space for days 1-9
 		if (buffer.charAt(pos) == '0') {
 			buffer.setCharAt(pos,' ');
@@ -62,7 +94,8 @@ public static void appendMSEventTimestamp(Date dt, StringBuilder buffer) {
 
 	@Override
 	public void send(SyslogIF syslog, int level, Message msg) {
-		StringBuilder out = new StringBuilder();
+		StringBuilder out = STRING_BUILDER_CACHE.get();
+		out.setLength(0);
 		//appendHeader(msg, out);
 
 

src/main/java/com/wizecore/graylog2/plugin/StructuredSender.java

@@ -10,7 +10,7 @@
 
 /**
  * https://tools.ietf.org/html/rfc5424
- * 
+ *
  * <165>1 2003-10-11T22:14:15.003Z mymachine.example.com
            evntslog - ID47 [exampleSDID@0 iut="3" eventSource=
            "Application" eventID="1011"] BOMAn application
@@ -20,21 +20,44 @@
 public class StructuredSender implements MessageSender {
 	private Logger log = Logger.getLogger(StructuredSender.class.getName());
 
+	/**
+	 * ThreadLocal HashMap to avoid allocating new HashMaps on every message
+	 */
+	private static final ThreadLocal<Map<String, String>> SD_PARAMS_CACHE = new ThreadLocal<Map<String, String>>() {
+		@Override
+		protected Map<String, String> initialValue() {
+			return new HashMap<String, String>();
+		}
+	};
+
+	/**
+	 * ThreadLocal HashMap for structured data to avoid allocating new HashMaps on every message
+	 */
+	private static final ThreadLocal<Map<String, Map<String, String>>> SD_CACHE = new ThreadLocal<Map<String, Map<String, String>>>() {
+		@Override
+		protected Map<String, Map<String, String>> initialValue() {
+			return new HashMap<String, Map<String, String>>();
+		}
+	};
+
 	@Override
-	public void send(SyslogIF syslog, int level, Message msg) {		
-		Map<String, String> sdParams = new HashMap<String, String>();
+	public void send(SyslogIF syslog, int level, Message msg) {
+		Map<String, String> sdParams = SD_PARAMS_CACHE.get();
+		sdParams.clear();
+
 		Map<String, Object> fields = msg.getFields();
 		for (String key: fields.keySet()) {
 			if (key != Message.FIELD_MESSAGE && key != Message.FIELD_FULL_MESSAGE && key != Message.FIELD_SOURCE) {
 				sdParams.put(key, fields.get(key).toString());
 			}
 		}
-		
+
 		// http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers
 		// <name>@<enterpriseId>
 		String sdId = "all@0";
 		// log.info("Sending " + level + ", " + msg.getId() + ", " + msg.getSource() + ", " + sdId + "=" + sdParams + ", " + msg.getMessage());
-		Map<String,Map<String,String>> sd = new HashMap<String, Map<String,String>>();
+		Map<String,Map<String,String>> sd = SD_CACHE.get();
+		sd.clear();
 		sd.put(sdId, sdParams);
 
 		String msgId = null;		

src/main/java/com/wizecore/graylog2/plugin/TransparentSyslogSender.java

@@ -23,6 +23,27 @@ public class TransparentSyslogSender implements MessageSender {
 
 	public static final String SYSLOG_DATEFORMAT = "MMM dd HH:mm:ss";
 
+	/**
+	 * ThreadLocal SimpleDateFormat to avoid creating new instances on every message
+	 * and avoid synchronization issues (SimpleDateFormat is not thread-safe)
+	 */
+	private static final ThreadLocal<SimpleDateFormat> DATE_FORMAT = new ThreadLocal<SimpleDateFormat>() {
+		@Override
+		protected SimpleDateFormat initialValue() {
+			return new SimpleDateFormat(SYSLOG_DATEFORMAT, Locale.ENGLISH);
+		}
+	};
+
+	/**
+	 * ThreadLocal StringBuilder to avoid allocating new StringBuilder on every message
+	 */
+	private static final ThreadLocal<StringBuilder> STRING_BUILDER_CACHE = new ThreadLocal<StringBuilder>() {
+		@Override
+		protected StringBuilder initialValue() {
+			return new StringBuilder(256);
+		}
+	};
+
 	public TransparentSyslogSender(Configuration conf) {
 		removeHeader = conf.getBoolean("transparentFormatRemoveHeader");
 	}
@@ -35,7 +56,7 @@ public TransparentSyslogSender(Configuration conf) {
 	 * @return
 	 */
 	public static void appendSyslogTimestamp(Message msg, StringBuilder buffer) {
-		SimpleDateFormat dateFormat = new SimpleDateFormat(SYSLOG_DATEFORMAT, Locale.ENGLISH);
+		SimpleDateFormat dateFormat = DATE_FORMAT.get();
 
 		Date dt = null;
 		Object ts = msg.getField("timestamp");
@@ -170,7 +191,8 @@ protected void appendPriority(Message msg, int level, StringBuilder out) {
 
 	@Override
 	public void send(SyslogIF syslog, int level, Message msg) {
-		StringBuilder out = new StringBuilder();
+		StringBuilder out = STRING_BUILDER_CACHE.get();
+		out.setLength(0);
 		if (!removeHeader) {
 			appendHeader(msg, level, out);
 		}