fix(syslog source): parse network device syslog variants

[vitalvas]

Summary

Fix syslog parsing for common network device variants across the syslog source, syslog codec, and VRL parse_syslog.

This adds parser-side support for:

• RFC3339, RFC3164, and RFC5424 syslog messages.
• Year-first RFC3164-like timestamps, for example 2026 Jun 18 04:24:32.
• Comma-separated timestamps, for example YYYY-MM-DD,HH:MM:SS.
• PRI-only network messages without timestamps.
• RFC3164 leap-day messages without a year.
• Multi-line message bodies without requiring VRL strip_whitespace! or replace(...) workarounds.
• NUL-padded frames, including JSON-decoded \u0000.

Added sanitized regression tests for the syslog source, syslog codec, and VRL parse_syslog, covering Cisco, Juniper, Huawei, ZTE, Arista, Dell, MikroTik, Raisecom-like, OLT/EPON, PRI-only, leap-day, multi-line, and NUL-padded syslog samples.

Vector configuration

syslog source:

sources:
  s_syslog_netdev:
    type: syslog
    mode: udp
    address: "0.0.0.0:514"

socket source with VRL parsing:

sources:
  s_syslog_netdev:
    type: socket
    mode: udp
    address: "0.0.0.0:514"

transforms:
  t_parse_syslog:
    type: remap
    inputs:
      - s_syslog_netdev
    source: |
      parsed, err = parse_syslog(.message)
      if err == null {
        . |= parsed
      } else {
        .parse_error = err
      }

The .parse_error field above is created only by the example remap transform. The syslog source does not emit .parse_error.

How did you test this PR?

• cargo fmt --check
• ./scripts/check_changelog_fragments.sh
• cargo test -p vector-vrl-functions parse_syslog
• cargo test -p vector-vrl-functions
• cargo test -p codecs --features syslog deserialize_syslog_
• cargo test -p codecs --features syslog
• cargo test -p vector sources::syslog::test::syslog_source_parses_network_device_multiline_message

make check-clippy was attempted but fails on an unrelated existing lint in lib/vector-config/src/schema/visitors/merge.rs.

Change Type

• Bug fix
• New feature
• Dependencies
• Non-functional (chore, refactoring, docs)
• Performance

Is this a breaking change?

• Yes
• No

Does this PR include user facing changes?

• Yes. Please add a changelog fragment based on our guidelines.
• No. A maintainer will apply the no-changelog label to this PR.

References

Notes

• Please read our Vector contributor resources.
• Do not hesitate to use @vectordotdev/vector to reach out to us regarding this PR.
• Some CI checks run only after we manually approve them.
  • We recommend adding a pre-push hook, please see this template.
  • Alternatively, we recommend running the following locally before pushing to the remote branch:
    • make fmt
    • make check-clippy (if there are failures it's possible some of them can be fixed with make clippy-fix)
    • make test
• After a review is requested, please avoid force pushes to help us review incrementally.
  • Feel free to push as many commits as you want. They will be squashed into one before merging.
  • For example, you can run git merge origin master and git push.
• If this PR introduces changes Vector dependencies (modifies Cargo.lock), please
  run make build-licenses to regenerate the license inventory and commit the changes (if any). More details on the dd-rust-license-tool.

[thomasqueirozb]

Since this function doesn't depend on any Vector-specific functionality it should live inside the VRL repo instead. Please open a PR over at https://github.com/vectordotdev/vrl with these changes