Hi,
This should solve this issue for you: https://github.com/syslog-ng/syslog-ng/actions/runs/7009313223/job/190674687...
On Sun, Nov 26, 2023 at 12:21 PM Balazs Scheidler <bazsi77@gmail.com> wrote:
Hi,
Ok, now I get it. Those messages do not relate to these filters, that's a new functionality. I'll look into it.
Bazsi
On Thu, Nov 23, 2023, 12:31 "Tóth Attila" <atoth@atoth.sote.hu> wrote:
Hi,
These are the affected lines in my config:
```
filter f_avc { message(".*avc: .*"); };
filter f_audit { message("^(\\[.*\..*\] |)audit.*") and not message(".*avc: .*"); };
filter f_pax { message("^(\\[.*\..*\] |)PAX:.*"); };
filter f_grsec { message("^(\\[.*\..*\] |)grsec:.*"); };
```
These have been there for a long time now, but obviously need a treatment to make them up-to-date. There are multiple messages during startup: "multi-line-pattern: Error while JIT compiling regular expression" and more.
If I try to add disable-jit, the messages persist. So it seems syslog-ng still tries to use jit. Despite the messages the software is still functional as intended. I just want to instruct it not to try jit-optimizing the expressions, hence get rid of the messages.
Thanks: Dw. -- dr Tóth Attila, Radiológus, 06-20-825-8057 Attila Toth MD, Radiologist, +36-20-825-8057
On November 22, 2023 (Wed), at 12:32, Balazs Scheidler wrote:
Hi,
I've now tried the disable-jit example from the documentation and it does seem to work for me. I've set a breakpoint where it would do the jit compilation, and it didn't do it.
btw, I was using Axoflow produced documentation, which is somewhat more usable to me:
https://axoflow.com/docs/axosyslog-core/chapter-manipulating-messages/regula...
This is the config I have checked:
```
@version: 3.32

log {
  source { tcp(port(2000)); };
  filter { match("(?<DN>foo)|(?<DN>bar)" value(MSG) flags(store-matches, disable-jit, dupnames)); };
  destination { file("/tmp/log" template("$(format-json *)\n")); };
};
```
I am using the latest master, but 4.4.0 should be the same. How do you know that jit is enabled?
On Tue, Nov 21, 2023 at 10:59 AM "Tóth Attila" <atoth@atoth.sote.hu> wrote:
I'm using syslog-ng-4.4.0 on a Gentoo system, that also employs PaX hardening. Due to the necessity to elevate restrictions on pcre2 with jit enabled, I keep it disabled for this particular installation. Syslog-ng emits error messages during startup complaining about pcre2 and jit. I had studied the manual and found the disable-jit feature.
https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edit...
Maybe I'm using a wrong syntax, but syslog-ng doesn't seem to respect the option. Commenting out the jit feature in the source code works, but it would be much more comfortable to find the proper way to disable jit.
Are there any others who managed to use disable-jit in action?
Are there any tips or tricks about what to pay attention to?
Thx: Dw. -- dr Tóth Attila, Radiológus, 06-20-825-8057 Attila Toth MD, Radiologist, +36-20-825-8057
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Bazsi
-- Bazsi