[Bug 262] New: patterndb: Computed <values> are not expanded in context-id
https://bugzilla.balabit.com/show_bug.cgi?id=262 Summary: patterndb: Computed <values> are not expanded in context-id Product: syslog-ng Version: 3.5.x Platform: PC OS/Version: Linux Status: NEW Severity: normal Priority: unspecified Component: syslog-ng AssignedTo: bazsi@balabit.hu ReportedBy: bugzilla.balabit@faxm0dem.org Type of the Report: --- Estimated Hours: 0.0 Created an attachment (id=87) --> (https://bugzilla.balabit.com/attachment.cgi?id=87) patterndb ruleset It seems the values are not being expanded as expected in the context-id: -- pdbtool test /tmp/test.pdb -vd Module loaded and initialized successfully; module='syslogformat' Module loaded and initialized successfully; module='basicfuncs' Testing message program='' message='the big "brown" fox' patterndb rule matches; rule_id='A' Advancing patterndb current time because of an incoming message; utc='-1' Correllation context lookup failure, starting a new context; rule='A', context='brown.', context_timeout='0', context_expiration='-1' Match name='.classifier.rule_id', value='A', expected='A' Match name='matched.var', value='brown', expected='brown' -- as you can see, context-id='brown.' instead of 'brown.brown' as expected by expanding '${matched.var}.${computed.var}' -- Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
https://bugzilla.balabit.com/show_bug.cgi?id=262 Gergely Nagy <algernon@balabit.hu> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |algernon@balabit.hu AssignedTo|bazsi@balabit.hu |algernon@balabit.hu -- Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
https://bugzilla.balabit.com/show_bug.cgi?id=262 Gergely Nagy <algernon@balabit.hu> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED -- Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
https://bugzilla.balabit.com/show_bug.cgi?id=262 --- Comment #1 from Gergely Nagy <algernon@balabit.hu> 2013-12-19 12:02:47 --- This happens because the actions are not applied to the message when a corellation context lookup failure happens. I'm not entirely sure how this works inside syslog-ng... if the message gets reprocessed after a new context is started, then all is well. If not, that's a bug... But until I figure that out, I can't properly fix this issue, because even though applying the rules earlier does seem to fix the problem, I have no idea what other, possibly unwanted side-effects this change may have. -- Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
https://bugzilla.balabit.com/show_bug.cgi?id=262 --- Comment #2 from Gergely Nagy <algernon@balabit.hu> 2013-12-19 12:16:48 --- To clarify, calling pdb_message_apply() sooner will fix this. That applies tags and values, but it's also called a bit later anyway. Calling it later is desirable, as the context is set up there, while it is not at the time the message in question is printed. When called twice, the second should overwrite the values properly, but that can't be guaranteed with the current code. So what I think would be best, is to move the printing of the message to a later time, and delay it a little. There's no return point between the two places anyway. This way, we'd have variables expanded, and wouldn't have to worry about expanding them twice for no good reason, at the cost of printing the message a tiny bit later. -- Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
https://bugzilla.balabit.com/show_bug.cgi?id=262 --- Comment #3 from Gergely Nagy <algernon@balabit.hu> 2013-12-20 23:40:32 --- Right, so the problem is that context-id and the <values> section can be inter-dependent, and there's no sane way to break that dependency up without potential breakage elsewhere, not while keeping the current syntax as-is. However, it is possible to introduce <context-values> (or something better named), which get applied before context-id is calculated. Would that be an acceptable solution? -- Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
participants (1)
-
bugzilla@bugzilla.balabit.com