[PATCH] [pdbtool] debug-id option
Hi,
While working with `pdbtool test`, I found that it's quite uncomfortable to find problems with non-matching messages, as it only displays the ID of the erroneous pattern. Right now you would need to copy the example message and program name, and pass it to `pdbtool match` as arguments to find out what's the exact issue and get a nice colorized output pointing to the problematic part of the pattern.
To make that easier, I've done a small enhancement to pdbtool, an option to do a full, colorized debug output on a given rule by only supplying its ID. This would look something like (coloring lost in email):
blint@lyra:~/blah/syslog-ng-ose-mainline-3.4$ ./bin/pdbtool debug-id -p /var/tmp/patterndb/system-bind.xml -r "b57a384f-c8be-41e9-bc10-735695dc63e7"
Pattern matching part:
unexpected RCODE (REFUSED) resolving @QSTRING:.dict.arpa=hushmail.com/AAAA/IN@:@QSTRING:.dict.src=203.197.12.30@deliberately freaked up test message 53
Matching part:
unexpected RCODE (REFUSED) resolving 'hushmail.com/AAAA/IN': 203.197.12.30#
Values:
MESSAGE=unexpected RCODE (REFUSED) resolving 'hushmail.com/AAAA/IN': 203.197.12.30#deliberately freaked up test message 53
PROGRAM=named
.classifier.class=unknown
The patch is against 3.4, but should apply to 3.3 as well.
Balint
commit 93ca04700f8706643fedea51936af02daa314766
Author: Balint Kovacs <blint@balabit.hu>
Date: Mon Aug 15 11:07:50 2011 +0200
[pdbtool] Implemented debug-id option
Added a new option to pdbtool to test a specific rule against its example message with colorizing debug turned on.
Signed-off-by: Balint Kovacs <blint@balabit.hu>
diff --git a/modules/dbparser/pdbtool.c b/modules/dbparser/pdbtool.c index 64ccd17..f64012d 100644 --- a/modules/dbparser/pdbtool.c +++ b/modules/dbparser/pdbtool.c
@@ -640,6 +640,75 @@ static GOptionEntry match_options[] = { NULL, 0, 0, G_OPTION_ARG_NONE, NULL, NULL } }; +static gchar *rule_id = NULL; + +static gboolean +pdbtool_debug_id(int argc, char *argv[]) +{ + PatternDB *patterndb; + PDBExample *example; + GList *examples = NULL; + gboolean id_is_found = FALSE; + + debug_pattern = TRUE; + debug_pattern_parse = FALSE; + color_out = TRUE; + colors = full_colors; + + if (!rule_id) + { + printf("Please specify a rule ID to be tested against its example message!\n"); + return FALSE; + } + + patterndb = pattern_db_new(); + if (!pdb_rule_set_load(patterndb->ruleset, configuration, patterndb_file,&examples)) + { + pattern_db_free(patterndb); + return FALSE; + } + + while (examples) + { + example = examples->data; + + if (strcmp(example->rule->rule_id, rule_id) != 0) + { + examples = g_list_delete_link(examples, examples); + continue; + } + + id_is_found = TRUE; + + if (example->message&& example->program) + { + match_message = example->message; + match_program = example-> program; + pdbtool_match(argc, argv); + } + examples = g_list_delete_link(examples, examples); + } + + pattern_db_free(patterndb); + + if (!id_is_found) + { + printf("Could not find a corresponding ID in the patterndb file or the rule does not have an example message.\n"); + return FALSE; + } + + return TRUE; +} + +static GOptionEntry debug_id_options[] = +{ + { "pdb", 'p', 0, G_OPTION_ARG_STRING,&patterndb_file, + "Name of the patterndb file", "<patterndb_file>" }, + { "ruleid", 'r', 0, G_OPTION_ARG_STRING,&rule_id, + "ID of the patterndb rule to debug", "<rule_id>" }, + { NULL, 0, 0, G_OPTION_ARG_NONE, NULL, NULL } +}; + static gboolean test_validate = FALSE; static gboolean 
@@ -934,6 +1003,7 @@ static struct { "dump", dump_options, "Dump pattern datebase tree", pdbtool_dump }, { "merge", merge_options, "Merge pattern databases", pdbtool_merge }, { "test", test_options, "Test pattern databases", pdbtool_test }, + { "debug-id", debug_id_options, "Test pattern databases", pdbtool_debug_id }, { "patternize", patternize_options, "Create a pattern database from logs", pdbtool_patternize }, { NULL, NULL }, };
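Review bot: in the @@ -640 hunk, pdbtool_debug_id sets id_is_found = TRUE before it tests `example->message && example->program`, so a rule whose example lacks either field makes the command print nothing and still return TRUE, although the error text further down is worded to cover "the rule does not have an example message". Move the assignment inside that `if`, and check the result of pdbtool_match(argc, argv) instead of discarding it.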
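Review bot: in the @@ -934 hunk, the new "debug-id" table entry reuses the description "Test pattern databases" from the "test" entry directly above it, so the two commands cannot be told apart by their description. Give it its own text that says it runs one rule's example message with colorized debug output.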
Hi,
Looks nice, however it'd probably make more sense to do this directly in pdbtool test, wouldn't it?
e.g.
$ pdbtool test -p <id> --debug --color-out
On Mon, 2011-08-15 at 11:35 +0200, Balint Kovacs wrote:
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Bazsi
Hi,
yes, that'd be much more useful indeed, also because pdbtool test sets the return code on failures, so it's better for using it in scripts. I would avoid using -p as an option though, as it was used in earlier versions of pdbtool test for specifying the patterndb xml to be tested, so I used -r. The debug info is only printed for non-matching patterns - without giving it much thought, this seemed appropriate, but can easily be changed.
Balint
commit 1a1ccc8db55b502ea6f4c363a710fe442a3a228d
Author: Balint Kovacs <blint@balabit.hu>
Date: Wed Aug 17 15:00:42 2011 +0200
[pdbtool] rule-id, debug and color-out options for pdbtool test
Added options to test a specific rule against its example message with debug and colorizing.
Signed-off-by: Balint Kovacs <blint@balabit.hu>
diff --git a/modules/dbparser/pdbtool.c b/modules/dbparser/pdbtool.c index 64ccd17..1c5d818 100644 --- a/modules/dbparser/pdbtool.c +++ b/modules/dbparser/pdbtool.c @@ -641,6 +641,7 @@ static GOptionEntry match_options[] = }; static gboolean test_validate = FALSE; +static gchar *test_ruleid = NULL; static gboolean pdbtool_test_value(LogMessage *msg, const gchar *name, const gchar *test_value) @@ -676,6 +677,7 @@ pdbtool_test(int argc, char *argv[]) gboolean failed_to_load = FALSE; gboolean failed_to_match = FALSE; gboolean failed_to_validate = FALSE; + gboolean failed_to_find_id = TRUE; for (arg_pos = 1; arg_pos < argc; arg_pos++) { @@ -711,6 +713,18 @@ pdbtool_test(int argc, char *argv[]) if (example->message && example->program) { + + if (test_ruleid) + { + if (strcmp(example->rule->rule_id, test_ruleid) != 0) + { + examples = g_list_delete_link(examples, examples); + continue; + } + else + failed_to_find_id = FALSE; + } + msg = log_msg_new_empty(); log_msg_set_value(msg, LM_V_MESSAGE, example->message, strlen(example->message)); if (example->program && example->program[0]) 
@@ -719,7 +733,13 @@ pdbtool_test(int argc, char *argv[]) printf("Testing message program='%s' message='%s'\n", example->program, example->message); pattern_db_process(patterndb, msg); - pdbtool_test_value(msg, ".classifier.rule_id", example->rule->rule_id); + if (!pdbtool_test_value(msg, ".classifier.rule_id", example->rule->rule_id) && debug_pattern) + { + match_message = example->message; + match_program = example->program; + patterndb_file = argv[arg_pos]; + pdbtool_match(0, NULL); + } for (i = 0; example->values && i < example->values->len; i++) { @@ -739,6 +759,11 @@ pdbtool_test(int argc, char *argv[]) return 1; if (failed_to_match) return 2; + if (failed_to_find_id) + { + printf("Could not find the specified ID, or the defined rule doesn't have an example message.\n"); + return 3; + } return 0; } @@ -746,6 +771,12 @@ static GOptionEntry test_options[] = { { "validate", 0, 0, G_OPTION_ARG_NONE, &test_validate, "Validate the pdb file against the xsd (requires xmllint from libxml2)", NULL }, + { "rule-id", 'r', 0, G_OPTION_ARG_STRING, &test_ruleid, + "Rule ID of the patterndb rule to be tested against its example", NULL }, + { "debug", 'D', 0, G_OPTION_ARG_NONE, &debug_pattern, + "Print debuging information on non-matching patterns", NULL }, + { "color-out", 'c', 0, G_OPTION_ARG_NONE, &color_out, + "Color terminal output", NULL }, { NULL, 0, 0, G_OPTION_ARG_NONE, NULL, NULL } }; On 08/17/2011 09:24 AM, Balazs Scheidler wrote:
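Review bot: in the @@ -739 hunk, `if (failed_to_find_id)` is not conditioned on test_ruleid, and the @@ -676 hunk initialises failed_to_find_id to TRUE, so a run without -r that passes the earlier checks still prints "Could not find the specified ID" and returns 3. Guard the check with test_ruleid so the new exit status only occurs when a rule ID was actually requested.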
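Review bot: in the @@ -719 hunk, the debug re-run overwrites the globals match_message, match_program and patterndb_file and calls pdbtool_match(0, NULL) without looking at its return value. A short comment stating that pdbtool_match takes its input from these globals, and that its result is intentionally ignored here, would make the side effects clear to the next reader.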
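Review bot: in the @@ -746 hunk, the --debug help string misspells "debugging" as "debuging", and --rule-id passes NULL as its argument description, whereas the earlier debug-id patch in this thread used "<rule_id>" for the same kind of option. Fix the spelling and supply the placeholder so the usage text shows that -r takes a value.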
Hi,
The patch has been line-breaked by your mailer and has become corrupt. Can you repost without linebreaks?
Otherwise it looks ok, and I'd like to apply it.
Thanks.
On Wed, 2011-08-17 at 15:38 +0200, Balint Kovacs wrote:
-- Bazsi
Hi,
sorry about that, please find the output of git-format-patch attached. Is that OK that way?
Thx,
Balint
On 08/20/2011 01:51 PM, Balazs Scheidler wrote:
On Mon, 2011-08-22 at 10:03 +0200, Balint Kovacs wrote:
Hi,
sorry about that, please find the output of git-format-patch attached. Is that OK that way?
yup, great. Applied to 3.4.
-- Bazsi
On Mon, 2011-08-29 at 13:13 +0200, Balazs Scheidler wrote:
On Mon, 2011-08-22 at 10:03 +0200, Balint Kovacs wrote:
Hi,
sorry about that, please find the output of git-format-patch attached. Is that OK that way?
yup, great. Applied to 3.4.
since this is in pdbtool, and syslog-ng may not be affected, I've pushed this to 3.3 as well.
Thanks again.
-- Bazsi
On 08/29/2011 01:13 PM, Balazs Scheidler wrote:
On Mon, 2011-08-22 at 10:03 +0200, Balint Kovacs wrote:
Hi,
sorry about that, please find the output of git-format-patch attached. Is that OK that way?
yup, great. Applied to 3.4.
Thanks. I found a small glitch in the code, it fails to check if the ruleid was supplied at all when emitting "Rule id not found", so it always gives an erroneous warning when not using the new option. Please find the fix below (also attached as I didn't have the time yet to fix my mailer).
commit d6b94979493c4871fac712525ab9b516a824d376
Author: Balint Kovacs <blint@balabit.hu>
Date: Wed Aug 31 15:30:52 2011 +0200
pdbtool: fix missing check in pdbtool test ruleid warning
Signed-off-by: Balint Kovacs <blint@balabit.hu>
diff --git a/modules/dbparser/pdbtool.c b/modules/dbparser/pdbtool.c index 1c5d818..35b502c 100644 --- a/modules/dbparser/pdbtool.c +++ b/modules/dbparser/pdbtool.c @@ -759,7 +759,7 @@ pdbtool_test(int argc, char *argv[]) return 1; if (failed_to_match) return 2; - if (failed_to_find_id) + if (failed_to_find_id && test_ruleid) { printf("Could not find the specified ID, or the defined rule doesn't have an example message.\n"); return 3;
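Review bot: the added `&& test_ruleid` guard stops the spurious warning, but failed_to_find_id is still initialised to TRUE by the previous patch, so when no rule ID is requested the flag says a lookup failed although none was attempted. Testing test_ruleid first, or initialising the flag from it, would make the condition read the way it behaves; the exit status 3 returned here is also new next to 1 and 2 and deserves a mention in the commit message or documentation for scripts that call pdbtool test.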