<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">I'm not exactly sure what is or is not
permitted in the pattern database but I have two comments.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">1. You need to end your rule tag and your
rules tag before you start a new ruleset tag.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">2. What I do in my pattern database is
of the form.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">&lt;ruleset
id="f582419b3baa42d4a57e42b89704e38c" description=""&gt;<br>
&lt;pattern&gt;proxysg&lt;/pattern&gt;<br>
&lt;rules&gt;<br>
&lt;rule id="f582419b3baa42d4a57e42b89704e38c"&gt;<br>
&lt;patterns&gt;<br>
&lt;pattern&gt;foo&lt;/pattern&gt;<br>
&lt;/patterns&gt;</div>
<div class="moz-cite-prefix"> &lt;/rule&gt;<br>
&lt;rule id="bb169f917216467985cc16e28015f5fa"&gt;<br>
&lt;patterns&gt;<br>
&lt;pattern&gt;bar&lt;/pattern&gt;<br>
&lt;/patterns&gt;<br>
&lt;/rule&gt;<br>
</div>
<div class="moz-cite-prefix"> &lt;/rules&gt;</div>
<div class="moz-cite-prefix">&lt;/ruleset&gt;</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Note:</div>
<div class="moz-cite-prefix">1. the closing tag of &lt;/rule&gt;
before a new starting tag of &lt;rule&gt;<br>
</div>
<div class="moz-cite-prefix">2. Multiple "rule" entries inside
the "rules" entry.</div>
<div class="moz-cite-prefix">3. the closing tag of &lt;/rule&gt;
before the closing tag of &lt;/rules&gt;<br>
</div>
<div class="moz-cite-prefix">4. the closing tag of &lt;/rules&gt;
before the closing tag of &lt;/ruleset&gt;<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I hope that helps.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Evan.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 2/15/20 12:43 AM, Nitish Saboo
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CALjMrq6zQCnOdgvE1M4bEu-qB7UMyypEkWa787D3drckfduWow@mail.gmail.com">
<div dir="ltr">Hi,<br>
<br>
After debugging further into the issue, it looks like there was a
fix for patterndb rule clash in syslog-ng-3.8 and this is the
commit-id '12cd960c8f47260b0b0d4154b096994d66fe345'<br>
for the fix. And for this reason I am getting the following
error for the same default.xml in syslog-ng-3.25.1 version and not
in syslog-ng3.6.2 and syslog-ng3.7.1.<br>
<br>
2020-02-13T10:47:29.631090] Error parsing pattern database file;
filename='/home/nsaboo/abc/default.xml',
error='/home/nsaboo/abc/default.xml:17274:22: Joining rulesets
with mismatching program name sets, program=proxysg'.<br>
<br>
Snippet from default.xml<br>
==========================<br>
<br>
&lt;ruleset id="f582419b3baa42d4a57e42b89704e38c"
description=""&gt;<br>
&lt;pattern&gt;proxysg&lt;/pattern&gt;<br>
&lt;rules&gt;<br>
&lt;rule id="f582419b3baa42d4a57e42b89704e38c"&gt;<br>
&lt;patterns&gt;<br>
&lt;pattern&gt;foo&lt;/pattern&gt;<br>
&lt;/patterns&gt;<br>
<br>
&lt;ruleset id="8d633c824e844a559088d803464e507a"
description=""&gt;<br>
&lt;pattern&gt;ProxySG&lt;/pattern&gt;<br>
&lt;pattern&gt;proxysg&lt;/pattern&gt;<br>
&lt;rules&gt;<br>
&lt;rule id="bb169f917216467985cc16e28015f5fa"&gt;<br>
&lt;patterns&gt;<br>
&lt;pattern&gt;bar&lt;/pattern&gt;<br>
&lt;/patterns&gt;<br>
<br>
I am not able to understand the error message clearly.<br>
<br>
1) Can someone please help me understand the issue here ?<br>
<br>
2) Is the issue seen because a ruleset has multiple programs in
it or is it because the same program 'proxysg' is being used in
different rulesets ?<br>
<br>
3) From the above snippet of default.xml, what changes can I
make into default.xml to avoid the error ?<br>
<br>
4) Is there a workaround for this issue ?<br>
<br>
Thanks,<br>
Nitish<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, Feb 14, 2020 at 2:40
PM Nitish Saboo &lt;<a href="mailto:nitish.saboo55@gmail.com"
moz-do-not-send="true">nitish.saboo55@gmail.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Hi Attila,
<div><br>
</div>
<div>Thanks for your response.</div>
<div><br>
</div>
<div>And what about the following error:</div>
<div><br>
</div>
<div>2020-02-13T10:47:29.631090] Error parsing pattern
database file; filename='/home/nsaboo/abc/default.xml',
error='/home/nsaboo/abc/default.xml:17274:22: Joining
rulesets with mismatching program name sets,
program=proxysg'.<br>
</div>
<div><br>
</div>
<div>The same default.xml file was getting loaded correctly
in syslog-ng-3.6.2 and syslog-ng-3.7.1 but getting
following error while loading same default.xml in
syslog-ng3.25.1 <br>
</div>
<div><br>
</div>
<div>I came across a similar issue on GitHub '<a
href="https://github.com/syslog-ng/syslog-ng/issues/2763"
target="_blank" moz-do-not-send="true">https://github.com/syslog-ng/syslog-ng/issues/2763</a>'.
I see the issue is still in open state. Is there a
workaround for this issue?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Nitish</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, Feb 14, 2020 at
1:12 PM Attila Szakacs (aszakacs) &lt;<a
href="mailto:Attila.Szakacs@oneidentity.com"
target="_blank" moz-do-not-send="true">Attila.Szakacs@oneidentity.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">Hi!</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span
style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline">WARNING:
due to a bug in versions before syslog-ng 3.8numeric
comparison operators like '!=' in filter expressions
were evaluated as string operators. This is fixed in
syslog-ng 3.8. As we are operating in compatibility
mode, syslog-ng will exhibit the buggy behaviour as
previous versions until you bump the @version value
in your configuration file;</span><br>
</div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span
style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline"><br>
</span></div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span
style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline">^^^
This refers to the syslog-ng.conf file version.</span></div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span
style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline"><br>
</span></div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span
style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline">The
correct way to resolve it, and fix the buggy
behavior of != and ==, should be to change the !=
operators between strings to neq in your filters.</span></div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span
style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline"><br>
</span></div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span
style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline">Regards,</span></div>
<div
style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span
style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline">Attila</span></div>
<hr style="display:inline-block;width:98%">
<div
id="gmail-m_-4344772350534607013gmail-m_8775657109126722619divRplyFwdMsg"
dir="ltr"><font style="font-size:11pt" face="Calibri,
sans-serif" color="#000000"><b>From:</b> syslog-ng
&lt;<a
href="mailto:syslog-ng-bounces@lists.balabit.hu"
target="_blank" moz-do-not-send="true">syslog-ng-bounces@lists.balabit.hu</a>&gt;
on behalf of Nitish Saboo &lt;<a
href="mailto:nitish.saboo55@gmail.com"
target="_blank" moz-do-not-send="true">nitish.saboo55@gmail.com</a>&gt;<br>
<b>Sent:</b> Thursday, February 13, 2020 12:17 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing
list &lt;<a href="mailto:syslog-ng@lists.balabit.hu"
target="_blank" moz-do-not-send="true">syslog-ng@lists.balabit.hu</a>&gt;<br>
<b>Subject:</b> [syslog-ng] Warnings and error while
loading default.xml in syslog-ng-3.25.1</font>
<div> </div>
</div>
<div>
<div>
<div dir="ltr">Hi,<br>
<br>
I am using syslog-ng version 3.25.1. Getting the
following warnings and error while initialising the
syslog-ng engine:<br>
<br>
[2020-02-13T10:47:29.627899] WARNING: due to a bug
in versions before syslog-ng 3.8numeric comparison
operators like '!=' in filter expressions were
evaluated as string operators. This is fixed in
syslog-ng 3.8. As we are operating in
compatibility mode, syslog-ng will exhibit the
buggy behaviour as previous versions until you
bump the @version value in your configuration
file;<br>
[2020-02-13T10:47:29.627968] WARNING: due to a bug
in versions before syslog-ng 3.8numeric comparison
operators like '!=' in filter expressions were
evaluated as string operators. This is fixed in
syslog-ng 3.8. As we are operating in
compatibility mode, syslog-ng will exhibit the
buggy behaviour as previous versions until you
bump the @version value in your configuration
file;<br>
[2020-02-13T10:47:29.628059] WARNING: due to a bug
in versions before syslog-ng 3.8numeric comparison
operators like '!=' in filter expressions were
evaluated as string operators. This is fixed in
syslog-ng 3.8. As we are operating in
compatibility mode, syslog-ng will exhibit the
buggy behaviour as previous versions until you
bump the @version value in your configuration
file;<br>
[2020-02-13T10:47:29.631090] Error parsing pattern
database file;
filename='/opt/tap-parsing/patterns/default.xml',
error='/opt/tap-parsing/patterns/default.xml:17274:22: Joining rulesets
with mismatching program name sets,
program=proxysg'<br>
<br>
<br>
1)For the following warnings, to which version I
have to bump up the configuration file ?<br>
<br>
2020-02-13T10:47:29.627899] WARNING: due to a bug
in versions before syslog-ng 3.8numeric comparison
operators like '!=' in filter expressions were
evaluated as string operators. This is fixed in
syslog-ng 3.8. As we are operating in
compatibility mode, syslog-ng will exhibit the
buggy behaviour as previous versions until you
bump the @version value in your configuration
file;<br>
[2020-02-13T10:47:29.627968] WARNING: due to a bug
in versions before syslog-ng 3.8numeric comparison
operators like '!=' in filter expressions were
evaluated as string operators. This is fixed in
syslog-ng 3.8. As we are operating in
compatibility mode, syslog-ng will exhibit the
buggy behaviour as previous versions until you
bump the @version value in your configuration
file;<br>
[2020-02-13T10:47:29.628059] WARNING: due to a bug
in versions before syslog-ng 3.8numeric comparison
operators like '!=' in filter expressions were
evaluated as string operators. This is fixed in
syslog-ng 3.8. As we are operating in
compatibility mode, syslog-ng will exhibit the
buggy behaviour as previous versions until you
bump the @version value in your configuration
file;<br>
<br>
Currently the configuration version is the
following:<br>
<br>
configuration = cfg_new(0x0302)<br>
<br>
Do I have to change it to '0x0319' as defined in
'lib/versioning.h' ?<br>
<br>
2)The same default.xml file was getting loaded
correctly in syslog-ng-3.6.2 and syslog-ng-3.7.1
but getting following error while loading same
default.xml in syslog-ng3.25.1 <br>
<br>
<br>
2020-02-13T10:47:29.631090] Error parsing pattern
database file;
filename='/home/nsaboo/abc/default.xml',
error='/home/nsaboo/abc/default.xml:17274:22:
Joining rulesets with mismatching program name
sets, program=proxysg'.<br>
<br>
What can be the reason for this error ?
<div><br>
<br>
Thanks,<br>
Nitish</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
<br>
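<div>Added example, not part of the original messages and not syslog-ng's own code: a small Python lint that reports every program name used by rulesets whose program-name sets differ, which is the condition the quoted "mismatching program name sets" error names. It assumes a conservative reading of that error (rulesets that share a program name should list identical program names); the function names and the "patterndb" root element are illustrative.</div>

```python
"""Lint a syslog-ng pattern database for clashing ruleset program-name sets."""
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict


def program_names(ruleset):
    """Program-name patterns of one ruleset: direct 'pattern' children (the
    form used in this thread) or children of a ruleset-level 'patterns'."""
    found = ruleset.findall("pattern") + ruleset.findall("patterns/pattern")
    return frozenset((p.text or "").strip() for p in found)


def find_mismatches(root):
    """Return (program, [(ruleset_id, sorted names), ...]) for every program
    name that appears in rulesets with different program-name sets."""
    by_program = defaultdict(list)
    for rs in root.iter("ruleset"):
        names = program_names(rs)
        for name in names:
            by_program[name].append((rs.get("id", "?"), names))
    problems = []
    for program, uses in sorted(by_program.items()):
        if len({names for _, names in uses}) > 1:
            problems.append((program, [(rid, sorted(n)) for rid, n in uses]))
    return problems


def build_sample(second_ruleset_programs):
    """Constructed sample mirroring the two rulesets quoted in the thread."""
    root = ET.Element("patterndb")
    for rid, programs in (
        ("f582419b3baa42d4a57e42b89704e38c", ["proxysg"]),
        ("8d633c824e844a559088d803464e507a", second_ruleset_programs),
    ):
        rs = ET.SubElement(root, "ruleset", id=rid, description="")
        for prog in programs:
            ET.SubElement(rs, "pattern").text = prog
        ET.SubElement(rs, "rules")
    return root


if __name__ == "__main__":
    # With a path argument, lint that file; otherwise lint the constructed sample.
    root = (ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 1
            else build_sample(["ProxySG", "proxysg"]))
    for program, uses in find_mismatches(root):
        print(f"program={program}: mismatching program name sets")
        for rid, names in uses:
            print(f"  ruleset {rid}: {names}")
```

<div>A file that is not well-formed XML, such as one with an unclosed rule tag, makes ET.parse raise a ParseError carrying the line and column before this check runs.</div>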
</body>
</html>