<div dir="ltr"><div dir="ltr">Hi Evan,<div><br></div><div>Apologies for the confusion but I did close the rule tag in my default.xml , missed adding it here.</div><div>The error does not seem to be related to improper closing of tags.<br><br>This is how it looks :<br><br><ruleset id="f582419b3baa42d4a57e42b89704e38c" description=""><br> <pattern>proxysg</pattern><br> <rules><br> <rule id="f1e2bfd7bb85402a88d0b732821a0f94"><br> <patterns><br> <pattern>foo</pattern><br> </patterns><br> </rule></div><div> <rule id="a681963842014480a83a2a2e38875439"><br> <patterns><br> <pattern>anything</pattern><br> </patterns><br> </rule><br> </rules><br></ruleset><br><ruleset id="17fae6edff32a53f9f294ab21240fc2641e7a4db" description=""><br> <pattern>ProxySG</pattern><br> <pattern>proxysg</pattern><br> <rules><br> <rule id="bb169f917216467985cc16e28015f5fa"><br> <patterns><br> <pattern>bar</pattern><br> </patterns><br> </rule></div><div> <rule id="94d4a0c324c8-44a88cf3d4640477d35e"><br> <patterns><br> <pattern>something</pattern><br> </patterns><br> </rule><br> </rules><br> </ruleset><br></div><div><br></div><div><br></div><div>I am getting the following error message:<br><br> 2020-02-13T10:47:29.631090] Error parsing pattern database file; filename='/home/nsaboo/abc/default.xml', error='/home/nsaboo/abc/default.xml:17274:22: Joining rulesets with mismatching program name sets, program=proxysg'.<br><br>My hunch is the issue is related to merging of two rulesets but I am not able to understand why is there mismatching of program names.</div><div><br></div><div> 1) Can someone please help me understand the issue here ?<br><br> 2) Is the issue seen because a ruleset has multiple programs in it or is it because the same program 'proxysg' is being used in different rulesets ?<br><br> 3) From the above snippet of default.xml, what changes can I make into default.xml to avoid the error ?<br><br> 4) Is there a workaround for this issue ?<br><br> Thanks,<br> Nitish<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Feb 16, 2020 at 12:40 AM Evan Rempel <<a href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div>I'm not exactly sure what is or is not
permitted in the pattern database but I two comments.</div>
<div><br>
</div>
<div>1. you need end your rule tag and your
rules tag before you start a new ruleset tag.</div>
<div><br>
</div>
<div>2. What I do in my pattern database is
of the form.</div>
<div><br>
</div>
<div><ruleset
id="f582419b3baa42d4a57e42b89704e38c" description=""><br>
<pattern>proxysg</pattern><br>
<rules><br>
<rule id="f582419b3baa42d4a57e42b89704e38c"><br>
<patterns><br>
<pattern>foo</pattern><br>
</patterns></div>
<div> </rule><br>
<rule id="bb169f917216467985cc16e28015f5fa"><br>
<patterns><br>
<pattern>bar</pattern><br>
</patterns><br>
</div>
<div> </rules></div>
<div></ruleset></div>
<div><br>
</div>
<div><br>
</div>
<div>Note:</div>
<div>1. the closing tag of </rule>
before a new starting tag of <rule><br>
</div>
<div>2. Multiple "rule" entries inside the
the "rules" entry.</div>
<div>3. the closing tag of </rule>
before the closing tag of </rules><br>
</div>
<div>4. the closing tag of </rules>
before the closing tag of </ruleset><br>
</div>
<div><br>
</div>
<div>I hope that helps.</div>
<div><br>
</div>
<div>Evan.<br>
</div>
<div><br>
</div>
<div>On 2/15/20 12:43 AM, Nitish Saboo
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi,<br>
<br>
After debugging further into the issue looks like there was a
fix for patterndb rule clash in syslog-ng-3.8 and this is the
commit-id '12cd960c8f47260b0b0d4154b096994d66fe345'<br>
for the fix. And for this reason I am getting the following
error for same default.xml in syslog-ng-3.25.1 version and not
in syslog-ng3.6.2 and syslog-ng3.7.1.<br>
<br>
2020-02-13T10:47:29.631090] Error parsing pattern database file;
filename='/home/nsaboo/abc/default.xml',
error='/home/nsaboo/abc/default.xml:17274:22: Joining rulesets
with mismatching program name sets, program=proxysg'.<br>
<br>
Snippet from default.xml<br>
==========================<br>
<br>
<ruleset id="f582419b3baa42d4a57e42b89704e38c"
description=""><br>
<pattern>proxysg</pattern><br>
<rules><br>
<rule id="f582419b3baa42d4a57e42b89704e38c"><br>
<patterns><br>
<pattern>foo</pattern><br>
</patterns><br>
<br>
<ruleset id="8d633c824e844a559088d803464e507a"
description=""><br>
<pattern>ProxySG</pattern><br>
<pattern>proxysg</pattern><br>
<rules><br>
<rule id="bb169f917216467985cc16e28015f5fa"><br>
<patterns><br>
<pattern>bar</pattern><br>
</patterns><br>
<br>
I am not able to understand the error message clearly.<br>
<br>
1) Can someone please help me understand the issue here ?<br>
<br>
2) Is the issue seen because a ruleset has multiple programs in
it or is it because the same program 'proxysg' is being used in
different rulesets ?<br>
<br>
3) From the above snippet of default.xml, what changes can I
make into default.xml to avoid the error ?<br>
<br>
4) Is there a workaround for this issue ?<br>
<br>
Thanks,<br>
Nitish<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, Feb 14, 2020 at 2:40
PM Nitish Saboo <<a href="mailto:nitish.saboo55@gmail.com" target="_blank">nitish.saboo55@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Hi Attila,
<div><br>
</div>
<div>Thanks for your response.</div>
<div><br>
</div>
<div>And what about the following error:</div>
<div><br>
</div>
<div>2020-02-13T10:47:29.631090] Error parsing pattern
database file; filename='/home/nsaboo/abc/default.xml',
error='/home/nsaboo/abc/default.xml:17274:22: Joining
rulesets with mismatching program name sets,
program=proxysg'.<br>
</div>
<div><br>
</div>
<div>The same default.xml file was getting loaded correctly
in syslog-ng-3.6.2 and syslog-ng-3.7.1 but getting
following error while loading same default.xml in
syslog-ng3.25.1 <br>
</div>
<div><br>
</div>
<div>I came across a similar issue on githib '<a href="https://github.com/syslog-ng/syslog-ng/issues/2763" target="_blank">https://github.com/syslog-ng/syslog-ng/issues/2763</a>'
.I see the issue is still in open state.Is there a
workaround for this issue?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Nitish</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, Feb 14, 2020 at
1:12 PM Attila Szakacs (aszakacs) <<a href="mailto:Attila.Szakacs@oneidentity.com" target="_blank">Attila.Szakacs@oneidentity.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">Hi!</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline">WARNING:
due to a bug in versions before syslog-ng 3.8numeric
comparison operators like '!=' in filter expressions
were evaluated as string operators. This is fixed in
syslog-ng 3.8. As we are operating in compatibility
mode, syslog-ng will exhibit the buggy behaviour as
previous versions until you bump the @version value
in your configuration file;</span><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline">^^^
This refers to the syslog-ng.conf file version.</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline">The
correct way to resolve it, and fix the buggy
behavior of != and ==, should be to change the !=
operators between strings to neq in your filters.</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline">Regards,</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline">Attila</span></div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_278704034256202995gmail-m_-4344772350534607013gmail-m_8775657109126722619divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri,
sans-serif" color="#000000"><b>From:</b> syslog-ng
<<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>>
on behalf of Nitish Saboo <<a href="mailto:nitish.saboo55@gmail.com" target="_blank">nitish.saboo55@gmail.com</a>><br>
<b>Sent:</b> Thursday, February 13, 2020 12:17 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing
list <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> [syslog-ng] Warnings and error while
loading default.xml in syslog-ng-3.25.1</font>
<div> </div>
</div>
<div>
<div>
<div dir="ltr">Hi,<br>
<br>
I am using syslog-ng version 3.25.1.Getting
following Warnings and error while initialising
syslog-ng engine:<br>
<br>
[2020-02-13T10:47:29.627899] WARNING: due to a bug
in versions before syslog-ng 3.8numeric comparison
operators like '!=' in filter expressions were
evaluated as string operators. This is fixed in
syslog-ng 3.8. As we are operating in
compatibility mode, syslog-ng will exhibit the
buggy behaviour as previous versions until you
bump the @version value in your configuration
file;<br>
[2020-02-13T10:47:29.627968] WARNING: due to a bug
in versions before syslog-ng 3.8numeric comparison
operators like '!=' in filter expressions were
evaluated as string operators. This is fixed in
syslog-ng 3.8. As we are operating in
compatibility mode, syslog-ng will exhibit the
buggy behaviour as previous versions until you
bump the @version value in your configuration
file;<br>
[2020-02-13T10:47:29.628059] WARNING: due to a bug
in versions before syslog-ng 3.8numeric comparison
operators like '!=' in filter expressions were
evaluated as string operators. This is fixed in
syslog-ng 3.8. As we are operating in
compatibility mode, syslog-ng will exhibit the
buggy behaviour as previous versions until you
bump the @version value in your configuration
file;<br>
[2020-02-13T10:47:29.631090] Error parsing pattern
database file;
filename='/opt/tap-parsing/patterns/default.xml',
error='/opt/tap-parsing/patterns/default.xml:17274:22: Joining rulesets
with mismatching program name sets,
program=proxysg'<br>
<br>
<br>
1)For the following warnings, to which version I
have to bump up the configuration file ?<br>
<br>
2020-02-13T10:47:29.627899] WARNING: due to a bug
in versions before syslog-ng 3.8numeric comparison
operators like '!=' in filter expressions were
evaluated as string operators. This is fixed in
syslog-ng 3.8. As we are operating in
compatibility mode, syslog-ng will exhibit the
buggy behaviour as previous versions until you
bump the @version value in your configuration
file;<br>
[2020-02-13T10:47:29.627968] WARNING: due to a bug
in versions before syslog-ng 3.8numeric comparison
operators like '!=' in filter expressions were
evaluated as string operators. This is fixed in
syslog-ng 3.8. As we are operating in
compatibility mode, syslog-ng will exhibit the
buggy behaviour as previous versions until you
bump the @version value in your configuration
file;<br>
[2020-02-13T10:47:29.628059] WARNING: due to a bug
in versions before syslog-ng 3.8numeric comparison
operators like '!=' in filter expressions were
evaluated as string operators. This is fixed in
syslog-ng 3.8. As we are operating in
compatibility mode, syslog-ng will exhibit the
buggy behaviour as previous versions until you
bump the @version value in your configuration
file;<br>
<br>
Currrently the configuration version is the
following:<br>
<br>
configuration = cfg_new(0x0302)<br>
<br>
Do I have to change it to '0x0319' as defined in
'lib/versioning.h' ?<br>
<br>
2)The same default.xml file was getting loaded
correctly in syslog-ng-3.6.2 and syslog-ng-3.7.1
but getting following error while loading same
default.xml in syslog-ng3.25.1 <br>
<br>
<br>
2020-02-13T10:47:29.631090] Error parsing pattern
database file;
filename='/home/nsaboo/abc/default.xml',
error='/home/nsaboo/abc/default.xml:17274:22:
Joining rulesets with mismatching program name
sets, program=proxysg'.<br>
<br>
What can be the reason for this error ?
<div><br>
<br>
Thanks,<br>
Nitish</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div></div>