<div dir="ltr"><div dir="ltr">Hi Bazsi,<div><br></div><div>Continuing the conversation on the previous mail:<br><br><div><div>My guess is: because in one ruleset you only have one program whereas in the other you have multiple. Make sure the list of programs are the same.<div dir="auto"></div></div></div><br>>> This default.xml is failing while loading :<br><br><br><div><ruleset
id="f582419b3baa42d4a57e42b89704e38c"
description=""><br>
<pattern>proxysg</pattern><br>
<rules><br>
<rule
id="f1e2bfd7bb85402a88d0b732821a0f94"><br>
<patterns><br>
<pattern>foo</pattern><br>
</patterns><br>
</rule></div>
<div> <rule
id="a681963842014480a83a2a2e38875439"><br>
<patterns><br>
<pattern>anything</pattern><br>
</patterns><br>
</rule><br>
</rules><br>
</ruleset><br>
<ruleset
id="17fae6edff32a53f9f294ab21240fc2641e7a4db"
description=""><br>
<pattern>ProxySG</pattern><br>
<pattern>proxysg</pattern><br>
<rules><br>
<rule
id="bb169f917216467985cc16e28015f5fa"><br>
<patterns><br>
<pattern>bar</pattern><br>
</patterns><br>
</rule></div>
<div> <rule
id="94d4a0c324c8-44a88cf3d4640477d35e"><br>
<patterns><br>
<pattern>something</pattern><br>
</patterns><br>
</rule><br>
</rules></div><div></ruleset><br><br>whereas, if I change the order of program pattern in the second ruleset(17fae6edff32a53f9f294ab21240fc2641e7a4db) it is loading correctly irrespective of the <b>list of programs are different</b> in both the rulesets.<br><br><ruleset id="f582419b3baa42d4a57e42b89704e38c" description=""><br><b> <pattern>proxysg</pattern></b><br> <rules><br> <rule id="f1e2bfd7bb85402a88d0b732821a0f94"><br> <patterns><br> <pattern>foo</pattern><br> </patterns><br> </rule><br> <rule id="a681963842014480a83a2a2e38875439"><br> <patterns><br> <pattern>anything</pattern><br> </patterns><br> </rule><br> </rules><br></ruleset><br><ruleset id="17fae6edff32a53f9f294ab21240fc2641e7a4db" description=""><br> <b> <pattern>proxysg</pattern><br> <pattern>ProxySG</pattern></b><br> <rules><br> <rule id="bb169f917216467985cc16e28015f5fa"><br> <patterns><br> <pattern>bar</pattern><br> </patterns><br> </rule><br> <rule id="94d4a0c324c8-44a88cf3d4640477d35e"><br> <patterns><br> <pattern>something</pattern><br> </patterns><br> </rule><br> </rules><br></ruleset><br></div></div><div><br></div><div>It is going very confusing now.Can you please clarify the exact behavior and how should I fix the default.xml to make it load correctly ?</div><div><br></div><div>Thanks,</div><div>Nitish</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 21, 2020 at 3:59 PM Nitish Saboo <<a href="mailto:nitish.saboo55@gmail.com">nitish.saboo55@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"></div>Hi Bazsi,<br><br>Following is the snippet from from default.xml that is failing :<br><br><div><ruleset
id="f582419b3baa42d4a57e42b89704e38c"
description=""><br>
<pattern>proxysg</pattern><br>
<rules><br>
<rule
id="f1e2bfd7bb85402a88d0b732821a0f94"><br>
<patterns><br>
<pattern>foo</pattern><br>
</patterns><br>
</rule></div>
<div> <rule
id="a681963842014480a83a2a2e38875439"><br>
<patterns><br>
<pattern>anything</pattern><br>
</patterns><br>
</rule><br>
</rules><br>
</ruleset><br>
<ruleset
id="17fae6edff32a53f9f294ab21240fc2641e7a4db"
description=""><br>
<pattern>ProxySG</pattern><br>
<pattern>proxysg</pattern><br>
<rules><br>
<rule
id="bb169f917216467985cc16e28015f5fa"><br>
<patterns><br>
<pattern>bar</pattern><br>
</patterns><br>
</rule></div>
<div> <rule
id="94d4a0c324c8-44a88cf3d4640477d35e"><br>
<patterns><br>
<pattern>something</pattern><br>
</patterns><br>
</rule><br>
</rules></div><div></ruleset><br><br>2020-02-13T10:47:29.631090] Error parsing
pattern database file;
filename='/home/nsaboo/abc/default.xml',
error='/home/nsaboo/abc/default.xml:17274:22:
Joining rulesets with mismatching program
name sets, program=proxysg'.<br><br></div><div>According to Evan and Attila these are the possible solutions:<br><br>1)<?xml version='1.0' encoding='UTF-8'?><br> <patterndb version="4"><br> <ruleset id="f582419b3baa42d4a57e42b89704e38c" description=""><br> <pattern>proxysg</pattern><br> <pattern>ProxySG</pattern><br> <rules><br> <rule id="f1e2bfd7bb85402a88d0b732821a0f94"><br> <patterns><br> <pattern>foo</pattern><br> </patterns><br> </rule><br> <rule id="a681963842014480a83a2a2e38875439"><br> <patterns><br> <pattern>anything</pattern><br> </patterns><br> </rule><br> <rule id="bb169f917216467985cc16e28015f5fa"><br> <patterns><br> <pattern>bar</pattern><br> </patterns><br> </rule><br> <rule id="94d4a0c324c8-44a88cf3d4640477d35e"><br> <patterns><br> <pattern>something</pattern><br> </patterns><br> </rule><br> </rules><br> </ruleset><br> </patterndb><br><br><br><br>2)<ruleset id="f582419b3baa42d4a57e42b89704e38c" description=""><br> <pattern>proxysg</pattern><br> <rules><br> <rule id="f1e2bfd7bb85402a88d0b732821a0f94"><br> <patterns><br> <pattern>foo</pattern><br> </patterns><br> </rule><br> <rule id="a681963842014480a83a2a2e38875439"><br> <patterns><br> <pattern>anything</pattern><br> </patterns><br> </rule><br> <rule id="bb169f917216467985cc16e28015f598"><br> <patterns><br> <pattern>bar</pattern><br> </patterns><br> </rule><br> <rule id="94d4a0c324c8-44a88cf3d4640477d399"><br> <patterns><br> <pattern>something</pattern><br> </patterns><br> </rule> <br> </rules><br></ruleset><br><ruleset id="17fae6edff32a53f9f294ab21240fc2641e7a4db" description=""><br> <pattern>ProxySG</pattern><br> <rules><br> <rule id="bb169f917216467985cc16e28015f5fa"><br> <patterns><br> <pattern>bar</pattern><br> </patterns><br> </rule><br> <rule id="94d4a0c324c8-44a88cf3d4640477d35e"><br> <patterns><br> <pattern>something</pattern><br> </patterns><br> </rule><br> </rules><br> </ruleset><br><br><div>But according to the doc '<a href="https://support.oneidentity.com/technical-documents/syslog-ng-open-source-edition/3.25/administration-guide/77#TOPIC-1349587" target="_blank">https://support.oneidentity.com/technical-documents/syslog-ng-open-source-edition/3.25/administration-guide/77#TOPIC-1349587</a>', a program pattern can be part of multiple rulesets.</div><div><br><b>Then what is the issue in my default.xml ?</b><br><br>My guess is: because in one ruleset you only have one program whereas in the other you have multiple. Make sure the list of programs are the same.<div dir="auto"></div></div></div><br>>>Are you saying if a program pattern is part of multiple rulesets , then both the rulesets should have same sets of program patterns or same number of program pattern ?<div><br></div><div>Thanks,</div><div>Nitish<br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 21, 2020 at 3:39 PM Balazs Scheidler <<a href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">My guess is: because in one ruleset you only have one program whereas in the other you have multiple. Make sure the list of programs are the same.<div dir="auto"><br></div><div dir="auto">I dont have source code nor the abioity to try it at the moment, as I am standing on the top of a hill in the Alps :)</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 21, 2020, 10:59 Nitish Saboo <<a href="mailto:nitish.saboo55@gmail.com" target="_blank">nitish.saboo55@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">Hi Evan, Attila,</div><div dir="ltr"><br></div><div>I got the following Note from the following link.I have made the line bold.This is from syslog-ng Adminitrator guide from 3.25 version<br><br><div dir="ltr"><a href="https://support.oneidentity.com/technical-documents/syslog-ng-open-source-edition/3.25/administration-guide/77#TOPIC-1349587" rel="noreferrer" target="_blank">https://support.oneidentity.com/technical-documents/syslog-ng-open-source-edition/3.25/administration-guide/77#TOPIC-1349587</a><br><br>NOTE:<br>If the ${PROGRAM} part of a message is empty, rules with an empty Program Pattern are used to classify the message.<br><br><b>If the same Program Pattern is used in multiple rulesets, the rules of these rulesets are merged, and every rule is used to classify the message. Note that message patterns must be unique within the merged rulesets, but the currently only one ruleset is checked for uniqueness.<br></b><br>If the content of the ${PROGRAM} macro is not the proper name of the application, you can use the program-template() option to specify it.<br></div><div dir="ltr"></div></div><div><br></div><div><br></div><div>1) According to that line( bold one) you should accept multiple program pattern in different rulesets ..Am i correct? Please correct me if I am missing something here.<br><br>2) If my understanding is correct for [1], then why is my default.xml failing with the following error while loading:<br><br>2020-02-13T10:47:29.631090] Error parsing
pattern database file;
filename='/home/nsaboo/abc/default.xml',
error='/home/nsaboo/abc/default.xml:17274:22:
Joining rulesets with mismatching program
name sets, program=proxysg'.<br><br></div><div>Thanks,</div><div>Nitish</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Feb 18, 2020 at 10:47 AM Nitish Saboo <<a href="mailto:nitish.saboo55@gmail.com" rel="noreferrer" target="_blank">nitish.saboo55@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Thank you Evan for you response.Looks like changes in .xml file is the only option.<br><br>Thanks,<div>Nitish</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Feb 17, 2020 at 10:20 PM Evan Rempel <<a href="mailto:erempel@uvic.ca" rel="noreferrer" target="_blank">erempel@uvic.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div>Syslog messages have multiple
components to the. Date/time, host, program, message and a few
others.</div>
<div>The important point is that the program
and message are independent items. This means that the pattern
database must use a two phase matching method, first matching the
program and then matching the message.</div>
<div><br>
</div>
<div>Another way to look at it is that the
same message for two different programs means two independent
matching rules.</div>
<div><br>
</div>
<div>Taking this into account you need to
write your patterndb differently. Either merging the rulesets (as
proposed by aszakacs), or breaking apart the duplicate rule (one
rule for two programs) as shown below. Although it may have worked
(or appeared to have worked) in syslog-ng 3.6 or 3.7, it was
against the patterndb specification.<br>
</div>
<div><br>
</div>
<div><ruleset
id="f582419b3baa42d4a57e42b89704e38c" description=""><br>
<pattern>proxysg</pattern><br>
<rules><br>
<rule id="f1e2bfd7bb85402a88d0b732821a0f94"><br>
<patterns><br>
<pattern>foo</pattern><br>
</patterns><br>
</rule>
<div> <rule id="a681963842014480a83a2a2e38875439"><br>
<patterns><br>
<pattern>anything</pattern><br>
</patterns><br>
</rule><br>
<rule id="bb169f917216467985cc16e28015f598"><br>
<patterns><br>
<pattern>bar</pattern><br>
</patterns><br>
</rule></div>
<div> <rule id="94d4a0c324c8-44a88cf3d4640477d399"><br>
<patterns><br>
<pattern>something</pattern><br>
</patterns><br>
</rule> </div>
<div> </rules><br>
</ruleset><br>
<ruleset id="17fae6edff32a53f9f294ab21240fc2641e7a4db"
description=""><br>
<pattern>ProxySG</pattern><br>
<rules><br>
<rule id="bb169f917216467985cc16e28015f5fa"><br>
<patterns><br>
<pattern>bar</pattern><br>
</patterns><br>
</rule></div>
<div> <rule id="94d4a0c324c8-44a88cf3d4640477d35e"><br>
<patterns><br>
<pattern>something</pattern><br>
</patterns><br>
</rule><br>
</rules><br>
</ruleset><br>
</div>
<div><br>
</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Both this solution and the one by
aszakacs have ONE ruleset for any given program (ruleset pattern).</div>
<div><br>
</div>
<div>I don't see any other alternatives.</div>
<div><br>
</div>
<div>Evan.<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>On 2/17/20 1:29 AM, Nitish Saboo wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><a class="gmail_plusreply" id="gmail-m_1095684316150082340gmail-m_-626739569832215772m_-731442591835938658gmail-m_-1294183375318808903gmail-m_4747503232488815636plusReplyChip-0" href="mailto:syslog-ng@lists.balabit.hu" rel="noreferrer" target="_blank">+Syslog-ng users' and developers'
mailing list</a> <br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Feb 17, 2020 at 2:37
PM Nitish Saboo <<a href="mailto:nitish.saboo55@gmail.com" rel="noreferrer" target="_blank">nitish.saboo55@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div dir="ltr">Hi Attila,
<div><br>
</div>
<div>1,2) The issue is that you used "proxysg" in two
different rulesets. I believe syslog-ng could handle
this, but we do not handle it right now.<br>
</div>
<div>>> But the same default.xml file is working
fine in version syslog-ng-3,6,2 and syslog-ng-3.7.1
where we have same program in different rulesets.The
behavior in version syslog-ng-3,6,2 and syslog-ng-3.7.1
is the expected behavior or is the current behavior in
syslog-ng-3.25.1 version is having a Bug ?</div>
<div><br>
3/4) You can merge the two rulesets, if it is okay for
you:</div>
<div>>>Merging the rulesets is not possible at this
moment.</div>
<div>Do we have any workaround for this scenario other
than merging the rulesets?<br>
</div>
<div>When can we expect a fix for this in near future ?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Nitish</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Feb 17, 2020 at
2:23 PM Attila Szakacs (aszakacs) <<a href="mailto:Attila.Szakacs@oneidentity.com" rel="noreferrer" target="_blank">Attila.Szakacs@oneidentity.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">Hi!</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">1,2)
The issue is that you used "proxysg" in two
different rulesets. I believe syslog-ng could handle
this, but we do not handle it right now.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">3/4)
You can merge the two rulesets, if it is okay for
you:</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-family:Consolas,Courier,monospace"><?xml
version='1.0' encoding='UTF-8'?></span><span><br>
</span>
<div><span style="font-family:Consolas,Courier,monospace">
<patterndb version="4"></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
<ruleset
id="f582419b3baa42d4a57e42b89704e38c"
description=""></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
<pattern>proxysg</pattern></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
<pattern>ProxySG</pattern></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
<rules></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
<rule
id="f1e2bfd7bb85402a88d0b732821a0f94"></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
<patterns></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
<pattern>foo</pattern></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
</patterns></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
</rule></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
<rule
id="a681963842014480a83a2a2e38875439"></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
<patterns></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
<pattern>anything</pattern></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
</patterns></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
</rule></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
<rule
id="bb169f917216467985cc16e28015f5fa"></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
<patterns></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
<pattern>bar</pattern></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
</patterns></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
</rule></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
<rule
id="94d4a0c324c8-44a88cf3d4640477d35e"></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
<patterns></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
<pattern>something</pattern></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
</patterns></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
</rule></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
</rules></span><br>
</div>
<div><span style="font-family:Consolas,Courier,monospace">
</ruleset></span><br>
</div>
<span style="font-family:Consolas,Courier,monospace">
</patterndb></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-family:Consolas,Courier,monospace"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-family:Consolas,Courier,monospace">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">Regards,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">Attila</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"></div>
<br>
</span></div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_1095684316150082340gmail-m_-626739569832215772m_-731442591835938658gmail-m_-1294183375318808903gmail-m_4747503232488815636gmail-m_-1590442724488374014gmail-m_-5303773042762964696divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b>
syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" rel="noreferrer" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>>
on behalf of Nitish Saboo <<a href="mailto:nitish.saboo55@gmail.com" rel="noreferrer" target="_blank">nitish.saboo55@gmail.com</a>><br>
<b>Sent:</b> Monday, February 17, 2020 6:30 AM<br>
<b>To:</b> Syslog-ng users' and developers'
mailing list <<a href="mailto:syslog-ng@lists.balabit.hu" rel="noreferrer" target="_blank">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> Re: [syslog-ng] Warnings and error
while loading default.xml in syslog-ng-3.25.1</font>
<div> </div>
</div>
<div>
<div style="background-color:rgb(255,235,156);width:100%;border-style:solid;border-color:rgb(156,101,0);border-width:1pt;padding:2pt;font-size:10pt;line-height:12pt;font-family:Calibri;color:black;text-align:left"><span style="color:rgb(156,101,0);font-weight:bold">CAUTION:</span>
This email originated from outside of the
organization. Do not follow guidance, click links,
or open attachments unless you recognize the
sender and know the content is safe.</div>
<br>
<div>
<div dir="ltr">
<div dir="ltr">Hi Evan,
<div><br>
</div>
<div>Apologies for the confusion but I did
close the rule tag in my default.xml ,
missed adding it here.</div>
<div>The error does not seem to be related to
improper closing of tags.<br>
<br>
This is how it looks :<br>
<br>
<ruleset
id="f582419b3baa42d4a57e42b89704e38c"
description=""><br>
<pattern>proxysg</pattern><br>
<rules><br>
<rule
id="f1e2bfd7bb85402a88d0b732821a0f94"><br>
<patterns><br>
<pattern>foo</pattern><br>
</patterns><br>
</rule></div>
<div> <rule
id="a681963842014480a83a2a2e38875439"><br>
<patterns><br>
<pattern>anything</pattern><br>
</patterns><br>
</rule><br>
</rules><br>
</ruleset><br>
<ruleset
id="17fae6edff32a53f9f294ab21240fc2641e7a4db"
description=""><br>
<pattern>ProxySG</pattern><br>
<pattern>proxysg</pattern><br>
<rules><br>
<rule
id="bb169f917216467985cc16e28015f5fa"><br>
<patterns><br>
<pattern>bar</pattern><br>
</patterns><br>
</rule></div>
<div> <rule
id="94d4a0c324c8-44a88cf3d4640477d35e"><br>
<patterns><br>
<pattern>something</pattern><br>
</patterns><br>
</rule><br>
</rules><br>
</ruleset><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>I am getting the following error message:<br>
<br>
2020-02-13T10:47:29.631090] Error parsing
pattern database file;
filename='/home/nsaboo/abc/default.xml',
error='/home/nsaboo/abc/default.xml:17274:22:
Joining rulesets with mismatching program
name sets, program=proxysg'.<br>
<br>
My hunch is the issue is related to merging
of two rulesets but I am not able to
understand why is there mismatching of
program names.</div>
<div><br>
</div>
<div> 1) Can someone please help me understand
the issue here ?<br>
<br>
2) Is the issue seen because a ruleset has
multiple programs in it or is it because the
same program 'proxysg' is being used in
different rulesets ?<br>
<br>
3) From the above snippet of default.xml,
what changes can I make into default.xml to
avoid the error ?<br>
<br>
4) Is there a workaround for this issue ?<br>
<br>
Thanks,<br>
Nitish<br>
</div>
<div><br>
</div>
</div>
<br>
<div>
<div dir="ltr">On Sun, Feb 16, 2020 at 12:40
AM Evan Rempel <<a href="mailto:erempel@uvic.ca" rel="noreferrer" target="_blank">erempel@uvic.ca</a>>
wrote:<br>
</div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div>I'm not exactly sure what is or is
not permitted in the pattern database
but I two comments.</div>
<div><br>
</div>
<div>1. you need end your rule tag and
your rules tag before you start a new
ruleset tag.</div>
<div><br>
</div>
<div>2. What I do in my pattern database
is of the form.</div>
<div><br>
</div>
<div><ruleset
id="f582419b3baa42d4a57e42b89704e38c"
description=""><br>
<pattern>proxysg</pattern><br>
<rules><br>
<rule
id="f582419b3baa42d4a57e42b89704e38c"><br>
<patterns><br>
<pattern>foo</pattern><br>
</patterns></div>
<div> </rule><br>
<rule
id="bb169f917216467985cc16e28015f5fa"><br>
<patterns><br>
<pattern>bar</pattern><br>
</patterns><br>
</div>
<div> </rules></div>
<div></ruleset></div>
<div><br>
</div>
<div><br>
</div>
<div>Note:</div>
<div>1. the closing tag of </rule>
before a new starting tag of
<rule><br>
</div>
<div>2. Multiple "rule" entries inside the
the "rules" entry.</div>
<div>3. the closing tag of </rule>
before the closing tag of </rules><br>
</div>
<div>4. the closing tag of </rules>
before the closing tag of
</ruleset><br>
</div>
<div><br>
</div>
<div>I hope that helps.</div>
<div><br>
</div>
<div>Evan.<br>
</div>
<div><br>
</div>
<div>On 2/15/20 12:43 AM, Nitish Saboo
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi,<br>
<br>
After debugging further into the issue
looks like there was a fix for
patterndb rule clash in syslog-ng-3.8
and this is the commit-id
'12cd960c8f47260b0b0d4154b096994d66fe345'<br>
for the fix. And for this reason I am
getting the following error for same
default.xml in syslog-ng-3.25.1
version and not in syslog-ng3.6.2 and
syslog-ng3.7.1.<br>
<br>
2020-02-13T10:47:29.631090] Error
parsing pattern database file;
filename='/home/nsaboo/abc/default.xml',
error='/home/nsaboo/abc/default.xml:17274:22: Joining rulesets with
mismatching program name sets,
program=proxysg'.<br>
<br>
Snippet from default.xml<br>
==========================<br>
<br>
<ruleset
id="f582419b3baa42d4a57e42b89704e38c"
description=""><br>
<pattern>proxysg</pattern><br>
<rules><br>
<rule
id="f582419b3baa42d4a57e42b89704e38c"><br>
<patterns><br>
<pattern>foo</pattern><br>
</patterns><br>
<br>
<ruleset
id="8d633c824e844a559088d803464e507a"
description=""><br>
<pattern>ProxySG</pattern><br>
<pattern>proxysg</pattern><br>
<rules><br>
<rule
id="bb169f917216467985cc16e28015f5fa"><br>
<patterns><br>
<pattern>bar</pattern><br>
</patterns><br>
<br>
I am not able to understand the error
message clearly.<br>
<br>
1) Can someone please help me
understand the issue here ?<br>
<br>
2) Is the issue seen because a
ruleset has multiple programs in it or
is it because the same program
'proxysg' is being used in different
rulesets ?<br>
<br>
3) From the above snippet of
default.xml, what changes can I make
into default.xml to avoid the error ?<br>
<br>
4) Is there a workaround for this
issue ?<br>
<br>
Thanks,<br>
Nitish<br>
</div>
<br>
<div>
<div dir="ltr">On Fri, Feb 14, 2020 at
2:40 PM Nitish Saboo <<a href="mailto:nitish.saboo55@gmail.com" rel="noreferrer" target="_blank">nitish.saboo55@gmail.com</a>>
wrote:<br>
</div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Hi Attila,
<div><br>
</div>
<div>Thanks for your response.</div>
<div><br>
</div>
<div>And what about the following
error:</div>
<div><br>
</div>
<div>2020-02-13T10:47:29.631090]
Error parsing pattern database
file;
filename='/home/nsaboo/abc/default.xml',
error='/home/nsaboo/abc/default.xml:17274:22: Joining rulesets with
mismatching program name sets,
program=proxysg'.<br>
</div>
<div><br>
</div>
<div>The same default.xml file was
getting loaded correctly in
syslog-ng-3.6.2 and
syslog-ng-3.7.1 but getting
following error while loading
same default.xml in
syslog-ng3.25.1 <br>
</div>
<div><br>
</div>
<div>I came across a similar issue
on githib '<a href="https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fsyslog-ng%2Fsyslog-ng%2Fissues%2F2763&data=02%7C01%7CAttila.Szakacs%40oneidentity.com%7C7984ff7f5a4241fdae2208d7b36a9848%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637175142727691628&sdata=WdmKYNdboeB7Y26uuDXhmR225uPqIfX6x4U3Sff2qbY%3D&reserved=0" rel="noreferrer" target="_blank">https://github.com/syslog-ng/syslog-ng/issues/2763</a>'
.I see the issue is still in
open state.Is there a workaround
for this issue?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Nitish</div>
</div>
<br>
<div>
<div dir="ltr">On Fri, Feb 14,
2020 at 1:12 PM Attila Szakacs
(aszakacs) <<a href="mailto:Attila.Szakacs@oneidentity.com" rel="noreferrer" target="_blank">Attila.Szakacs@oneidentity.com</a>>
wrote:<br>
</div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">Hi!</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline">WARNING:
due to a bug in versions
before syslog-ng
3.8numeric comparison
operators like '!=' in
filter expressions were
evaluated as string
operators. This is fixed
in syslog-ng 3.8. As we
are operating in
compatibility mode,
syslog-ng will exhibit the
buggy behaviour as
previous versions until
you bump the @version
value in your
configuration file;</span><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline">^^^
This refers to the
syslog-ng.conf file
version.</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline">The
correct way to resolve it,
and fix the buggy behavior
of != and ==, should be to
change the != operators
between strings to neq in
your filters.</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline">Regards,</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-size:15px;color:rgb(0,0,0);background-color:rgb(255,255,255);display:inline">Attila</span></div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_1095684316150082340gmail-m_-626739569832215772m_-731442591835938658gmail-m_-1294183375318808903gmail-m_4747503232488815636gmail-m_-1590442724488374014gmail-m_-5303773042762964696x_gmail-m_278704034256202995gmail-m_-4344772350534607013gmail-m_8775657109126722619divRplyFwdMsg" dir="ltr">
<font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b>
syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" rel="noreferrer" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>>
on behalf of Nitish Saboo
<<a href="mailto:nitish.saboo55@gmail.com" rel="noreferrer" target="_blank">nitish.saboo55@gmail.com</a>><br>
<b>Sent:</b> Thursday,
February 13, 2020 12:17 PM<br>
<b>To:</b> Syslog-ng
users' and developers'
mailing list <<a href="mailto:syslog-ng@lists.balabit.hu" rel="noreferrer" target="_blank">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b>
[syslog-ng] Warnings and
error while loading
default.xml in
syslog-ng-3.25.1</font>
<div> </div>
</div>
<div>
<div>
<div dir="ltr">Hi,<br>
<br>
I am using syslog-ng
version 3.25.1.Getting
following Warnings and
error while initialising
syslog-ng engine:<br>
<br>
[2020-02-13T10:47:29.627899] WARNING: due to a bug in versions before
syslog-ng 3.8numeric
comparison operators
like '!=' in filter
expressions were
evaluated as string
operators. This is fixed
in syslog-ng 3.8. As we
are operating in
compatibility mode,
syslog-ng will exhibit
the buggy behaviour as
previous versions until
you bump the @version
value in your
configuration file;<br>
[2020-02-13T10:47:29.627968] WARNING: due to a bug in versions before
syslog-ng 3.8numeric
comparison operators
like '!=' in filter
expressions were
evaluated as string
operators. This is fixed
in syslog-ng 3.8. As we
are operating in
compatibility mode,
syslog-ng will exhibit
the buggy behaviour as
previous versions until
you bump the @version
value in your
configuration file;<br>
[2020-02-13T10:47:29.628059] WARNING: due to a bug in versions before
syslog-ng 3.8numeric
comparison operators
like '!=' in filter
expressions were
evaluated as string
operators. This is fixed
in syslog-ng 3.8. As we
are operating in
compatibility mode,
syslog-ng will exhibit
the buggy behaviour as
previous versions until
you bump the @version
value in your
configuration file;<br>
[2020-02-13T10:47:29.631090] Error parsing pattern database file;
filename='/opt/tap-parsing/patterns/default.xml',
error='/opt/tap-parsing/patterns/default.xml:17274:22: Joining rulesets
with mismatching program
name sets,
program=proxysg'<br>
<br>
<br>
1)For the following
warnings, to which
version I have to bump
up the configuration
file ?<br>
<br>
2020-02-13T10:47:29.627899] WARNING: due to a bug in versions before
syslog-ng 3.8numeric
comparison operators
like '!=' in filter
expressions were
evaluated as string
operators. This is fixed
in syslog-ng 3.8. As we
are operating in
compatibility mode,
syslog-ng will exhibit
the buggy behaviour as
previous versions until
you bump the @version
value in your
configuration file;<br>
[2020-02-13T10:47:29.627968] WARNING: due to a bug in versions before
syslog-ng 3.8numeric
comparison operators
like '!=' in filter
expressions were
evaluated as string
operators. This is fixed
in syslog-ng 3.8. As we
are operating in
compatibility mode,
syslog-ng will exhibit
the buggy behaviour as
previous versions until
you bump the @version
value in your
configuration file;<br>
[2020-02-13T10:47:29.628059] WARNING: due to a bug in versions before
syslog-ng 3.8numeric
comparison operators
like '!=' in filter
expressions were
evaluated as string
operators. This is fixed
in syslog-ng 3.8. As we
are operating in
compatibility mode,
syslog-ng will exhibit
the buggy behaviour as
previous versions until
you bump the @version
value in your
configuration file;<br>
<br>
Currrently the
configuration version is
the following:<br>
<br>
configuration =
cfg_new(0x0302)<br>
<br>
Do I have to change it
to '0x0319' as defined
in 'lib/versioning.h' ?<br>
<br>
2)The same default.xml
file was getting loaded
correctly in
syslog-ng-3.6.2 and
syslog-ng-3.7.1 but
getting following error
while loading same
default.xml in
syslog-ng3.25.1 <br>
<br>
<br>
2020-02-13T10:47:29.631090] Error parsing pattern database file;
filename='/home/nsaboo/abc/default.xml',
error='/home/nsaboo/abc/default.xml:17274:22: Joining rulesets with
mismatching program name
sets, program=proxysg'.<br>
<br>
What can be the reason
for this error ?
<div><br>
<br>
Thanks,</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>
</blockquote></div></div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div></div></div>
</blockquote></div></div>