On Mon, 2011-11-07 at 01:45 -0600, Martin Holste wrote:
> The following will not work in the 3.3.x branch:
>
> filter f_rewrite_cisco_program {
>     match('^(%(?:ASA|PIX|FWSM)\-\d\-\d{6}): ([^\n]+)'
>           value("MESSAGE") type("pcre")
>           flags("store-matches" "nobackref"));
> };
>
> rewrite r_cisco_program {
>     set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program)));
>     set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program)));
> };
>
> It will process a few lines and then hang indefinitely. It will process ok if the condition is taken off of the filter, so I am assuming this is a PCRE issue, though I found it made no difference to remove the PCRE requirement and use a simpler matching expression.

Thanks for catching this, this patch fixes that:

commit fc744aae608a9848cb13fe8098b11423e941c41b
Author: Balazs Scheidler <bazsi@balabit.hu>
Date:   Wed Nov 9 21:17:34 2011 +0100

    logrewrite: fixed conditional rewrite

    In case condition() was specified for a rewrite rule and the condition
    didn't match, the log_rewrite_queue() method erroneously returned
    without either dropping the message or sending it on the log message
    pipeline.

    Since rewrite rules may not drop messages, we should always call
    log_pipe_forward_msg().

    Reported-By: Martin Holste <mcholste@gmail.com>
    Cc: <syslog-ng-stable@balabit.hu>
    Signed-off-by: Balazs Scheidler <bazsi@balabit.hu>

-- 
Bazsi
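
The failure mode the commit message describes, as an added example that is not part of the original thread and not syslog-ng source code: a simplified model of a conditional rewrite stage, showing the early-return shape beside the always-forward shape. All names (msg_t, forward_msg, cond_matches, stage_buggy, stage_fixed, run) and the four sample log lines are constructed for illustration.

```c
/* Simplified model, NOT syslog-ng source; every name below is hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
typedef struct { char program[32]; char message[128]; } msg_t;
static int delivered;                  /* messages that reached the next stage */
static void forward_msg(const msg_t *m) { (void)m; delivered++; }
/* Stand-in for condition(filter(...)): message starts with a Cisco tag. */
static bool cond_matches(const msg_t *m) {
    return !strncmp(m->message, "%ASA-", 5) || !strncmp(m->message, "%PIX-", 5) ||
           !strncmp(m->message, "%FWSM-", 6);
}
/* Stand-in for the two set() calls: tag -> program, remainder -> message. */
static void apply_rewrite(msg_t *m) {
    char *colon = strchr(m->message, ':');
    if (!colon) return;
    size_t n = (size_t)(colon - m->message);
    if (n >= sizeof m->program) n = sizeof m->program - 1;
    memcpy(m->program, m->message, n);
    m->program[n] = '\0';
    const char *rest = (colon[1] == ' ') ? colon + 2 : colon + 1;
    memmove(m->message, rest, strlen(rest) + 1);
}
/* Shape of the bug: a non-matching message is neither dropped nor forwarded. */
static void stage_buggy(msg_t *m) {
    if (!cond_matches(m)) return;      /* message is stranded here */
    apply_rewrite(m);
    forward_msg(m);
}
/* Shape of the fix: the condition gates only the rewrite, never the forward. */
static void stage_fixed(msg_t *m) {
    if (cond_matches(m)) apply_rewrite(m);
    forward_msg(m);
}
/* Feed four constructed sample lines through a stage; return how many came out. */
static int run(void (*stage)(msg_t *)) {
    static const char *sample[] = { "%ASA-6-302013: Built outbound TCP connection",
        "sshd: session opened", "%PIX-4-106023: Deny tcp src outside", "cron job started" };
    delivered = 0;
    for (size_t i = 0; i < sizeof sample / sizeof *sample; i++) {
        msg_t m = {0};
        strncpy(m.message, sample[i], sizeof m.message - 1);
        stage(&m);
    }
    return delivered;
}
int main(void) {
    printf("buggy: %d of 4 forwarded\n", run(stage_buggy));
    printf("fixed: %d of 4 forwarded\n", run(stage_fixed));
    return 0;
}
```

A cheap regression check for this class of bug is to compare the number of messages entering a rewrite stage with the number leaving it: for a stage that may not drop messages, the two counts must be equal.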