<div dir="auto">Hi,<div dir="auto"><br></div><div dir="auto">Ok, now I get it. Those messages do not relate to these filters, that's a new functionality. I'll look into it.</div><div dir="auto"><br></div><div dir="auto">Bazsi</div><br><br><div class="gmail_quote" dir="auto"><div dir="ltr" class="gmail_attr">On Thu, Nov 23, 2023, 12:31 "Tóth Attila" <<a href="mailto:atoth@atoth.sote.hu">atoth@atoth.sote.hu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
These are the affected lines in my config:<br>
filter f_avc { message(".*avc: .*"); };<br>
filter f_audit { message("^(\\[.*\..*\] |)audit.*") and not<br>
message(".*avc: .*"); };<br>
filter f_pax { message("^(\\[.*\..*\] |)PAX:.*"); };<br>
filter f_grsec { message("^(\\[.*\..*\] |)grsec:.*"); };<br>
<br>
These have been there for a long time now, but obviously need a treatment to<br>
make them up-to-date.<br>
There are multiple messages during startup:<br>
"multi-line-pattern: Error while JIT compiling regular expression"<br>
and more.<br>
<br>
If I try to add disable-jit, the messages persist. So it seems syslog-ng<br>
still tries to use jit. Despite the messages the software is still<br>
functional as intended. I just want to instruct it not to try<br>
jit-optimizing the expressions, hence get rid of the messages.<br>
<br>
Thanks:<br>
Dw.<br>
-- <br>
dr Tóth Attila, Radiológus, 06-20-825-8057<br>
Attila Toth MD, Radiologist, +36-20-825-8057<br>
<br>
On November 22, 2023 (Wed) at 12:32, Balazs Scheidler wrote:<br>
> Hi,<br>
><br>
> I've now tried the disable-jit example from the documentation and it does<br>
> seem to work for me. I've set a breakpoint where it would do the jit<br>
> compilation, and it didn't do it.<br>
><br>
> btw, I was using Axoflow produced documentation, which is somewhat more<br>
> usable to me:<br>
> <a href="https://axoflow.com/docs/axosyslog-core/chapter-manipulating-messages/regular-expressions/reference-regexp-types/regexp-flags-options/regexp-flags-options-pcre/" rel="noreferrer noreferrer" target="_blank">https://axoflow.com/docs/axosyslog-core/chapter-manipulating-messages/regular-expressions/reference-regexp-types/regexp-flags-options/regexp-flags-options-pcre/</a><br>
><br>
> This is the config I have checked:<br>
><br>
> ```<br>
> @version: 3.32<br>
><br>
> log {<br>
> source { tcp(port(2000)); };<br>
><br>
> filter { match("(?<DN>foo)|(?<DN>bar)" value(MSG) flags(store-matches,<br>
> disable-jit, dupnames)); };<br>
> destination { file("/tmp/log" template("$(format-json *)\n")); };<br>
> };<br>
> ```<br>
><br>
> I am using the latest master, but 4.4.0 should be the same. How do you<br>
> know<br>
> that jit is enabled?<br>
><br>
><br>
> On Tue, Nov 21, 2023 at 10:59 AM "Tóth Attila" <<a href="mailto:atoth@atoth.sote.hu" target="_blank" rel="noreferrer">atoth@atoth.sote.hu</a>><br>
> wrote:<br>
><br>
>> I'm using syslog-ng-4.4.0 on a Gentoo system, that also employs PaX<br>
>> hardening. Due to the necessity to elevate restrictions on pcre2 with<br>
>> jit<br>
>> enabled, I keep it disabled for this particular installation. Syslog-ng<br>
>> emits error messages during startup complaining about pcre2 and jit. I<br>
>> had<br>
>> studied the manual and found the disable-jit feature.<br>
>><br>
>> <a href="https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.30/administration-guide/72" rel="noreferrer noreferrer" target="_blank">https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.30/administration-guide/72</a><br>
>> Maybe I'm using a wrong syntax, but syslog-ng doesn't seem to respect<br>
>> the<br>
>> option. Commenting out the jit feature in the source code works, but it<br>
>> would be much more comfortable to find the proper way to disable jit.<br>
>><br>
>> Are there any others who managed to use disable-jit in action?<br>
>><br>
>> Are there any tips or tricks about what to pay attention to?<br>
>><br>
>> Thx:<br>
>> Dw.<br>
>> --<br>
>> dr Tóth Attila, Radiológus, 06-20-825-8057<br>
>> Attila Toth MD, Radiologist, +36-20-825-8057<br>
>><br>
>><br>
>> ______________________________________________________________________________<br>
>> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
>> Documentation:<br>
>> <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
>> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
>><br>
>><br>
><br>
> --<br>
> Bazsi<br>
><br>
><br>
<br>
<br>
<br>
</blockquote></div></div>