[Bug 140] New: syslog-ng ignores filter boolean logic
https://bugzilla.balabit.com/show_bug.cgi?id=140 Summary: syslog-ng ignores filter boolean logic Product: syslog-ng Version: 3.3.x Platform: PC OS/Version: Linux Status: NEW Severity: major Priority: unspecified Component: syslog-ng AssignedTo: bazsi@balabit.hu ReportedBy: lisaev@umail.iu.edu Type of the Report: --- Estimated Hours: 0.0 Created an attachment (id=42) --> (https://bugzilla.balabit.com/attachment.cgi?id=42) syslog-ng 3.3.1 config file I am running syslog-ng 3.3.1 (arch linux), and noticed that my iptables logs go into every possible logfile, i.e. /var/log/{messages,kernel,iptables}.log. For example: cur_work$ tail -n1 /var/log/kernel.log Oct 23 12:43:18 linhost kernel: [ 5372.600518] firewall: IN=wlan0 OUT= MAC=00:26:c6:d7:27:6a:00:17:0f:70:b1:00:08:00 SRC=74.125.65.108 DST=96.125.23.251 LEN=40 TOS=0x00 PREC=0x00 TTL=43 ID=28546 PROTO=TCP SPT=993 DPT=52331 WINDOW=0 RES=0x00 RST URGP=0 This is despite the fact that syslog-ng.conf contains filter f_iptables { match("IN=" value("MESSAGE")) and match("OUT=" value("MESSAGE")); }; filter f_kernel { facility(kern) and not filter(f_iptables); }; I also tried modifying f_iptables as filter f_iptables { match("firewall" value("MESSAGE")); }; but still get firewall logs everywhere :( I add the full syslog-ng.conf as an attachment. Thanks. -- Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
https://bugzilla.balabit.com/show_bug.cgi?id=140 Balazs Scheidler <bazsi@balabit.hu> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution| |FIXED Status|NEW |RESOLVED --- Comment #1 from Balazs Scheidler <bazsi@balabit.hu> 2011-10-23 20:22:08 --- thanks for the report. I could successfully reproduce and fix the issue. Since my VPN key has just expired, I'm unable to push the patch to the git tree, I'm attaching it to the ticket. Here's the patch summary for future reference: commit 4b438115f6387eb52b6c39c1f751ecf0c4a5ac5f Author: Balazs Scheidler <bazsi@balabit.hu> Date: Sun Oct 23 20:19:58 2011 +0200 filters: fixed filter() evaluation when embedded as an AND/OR subexpression When introducing the "init" method for filters one case was omitted: even though AND and OR expressions don't want to do anything on init, their subexpressions might, so this patch adds an init function to AND and OR which does nothing but calls the same for its "left" and "right" subexpression. This patch fixes filter("xxx") expression evaluation when that is not a single expression, but rather included in an AND or OR. Reported-By: Leonid Isaev <lisaev@umail.iu.edu> Cc: <syslog-ng-stable@balabit.hu> Signed-off-by: Balazs Scheidler <bazsi@balabit.hu> -- Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
https://bugzilla.balabit.com/show_bug.cgi?id=140 --- Comment #2 from Balazs Scheidler <bazsi@balabit.hu> 2011-10-23 20:22:38 --- Created an attachment (id=43) --> (https://bugzilla.balabit.com/attachment.cgi?id=43) bugfix -- Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
https://bugzilla.balabit.com/show_bug.cgi?id=140 --- Comment #3 from Leonid Isaev <lisaev@umail.iu.edu> 2011-10-24 17:58:41 --- That was fast. Thank you! -- Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
participants (1)
-
bugzilla@bugzilla.balabit.com