Re: [syslog-ng] escaping \[ not respected
Hello,
targeted string is "unknown[a.b.c.d]"
my filter:
filter f_conn_from_unk_private { not match ("unknown\[(10\.1\.|10\.2\.|10\.10\.5\.|192\.168\.200)"); };
error:
Error compiling regular expression; re='[(10.1.|10.2.|10.10.5.|192.168.200)', error='brackets ([ ]) not balanced'
I can't confirm this behaviour, as the following does work for me:
filter f_internal_statistics { match("^syslog-ng\[[[:digit:]]+.: STATS") or match ("^syslog-ng\[[[:digit:]]+\]: Log statistics"); };
What syslog-ng version are you using? Mine is 2.0.9
Installed with FreeBSD pkg_add from freshports.org, pkg_info shows:
"syslog-ng2-2.0.9_1 A powerful syslogd replacement"
I conclude that I've found a bug in the parsing of the escape sequence "\[", and will look for a workaround.
thanks, Len
______________________________________________ IMGate OpenSource Mail Firewall www.IMGate.net
Maybe you need to quote the \ to pass it through to lower layers. Just a thought. Try this:
filter f_conn_from_unk_private { not match("unknown\\\[(10\.1\.|10\.2\.|10\.10\.5\.|192\.168\.200)"); };
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Len Conrad
Sent: 01 October 2008 13:57
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] escaping \[ not respected
Hello,
targeted string is "unknown[a.b.c.d]"
my filter:
filter f_conn_from_unk_private { not match ("unknown\[(10\.1\.|10\.2\.|10\.10\.5\.|192\.168\.200)"); };
error:
Error compiling regular expression; re='[(10.1.|10.2.|10.10.5.|192.168.200)', error='brackets ([ ]) not balanced'
I can't confirm this behaviour, as the following does work for me:
filter f_internal_statistics { match("^syslog-ng\[[[:digit:]]+.: STATS") or match ("^syslog-ng\[[[:digit:]]+\]: Log statistics"); };
What syslog-ng version are you using? Mine is 2.0.9
Installed with FreeBSD pkg_add from freshports.org, pkg_info shows:
"syslog-ng2-2.0.9_1 A powerful syslogd replacement"
I conclude that I've found a bug in the parsing of the escape sequence "\[", and will look for a workaround.
thanks, Len
______________________________________________ IMGate OpenSource Mail Firewall www.IMGate.net
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
I think you've nailed it here. My understanding is that Syslog-NG does its own backslash escaping before passing the string to the regex engine which then does the regex backslash escaping. That means you need to double your backslash in those cases.
I've also found this to be the case for periods and carets. If you do '\.' it will still match any character as syslog-ng strips the first backslash before passing through the regex. To match a real period you need to do '\\.' (same with '\^', to match a real caret you need '\\^').
I don't remember if, or how well, this is documented. I know it kicked my butt pretty good until I figured out that I needed to backslash escape the backslash escape in a regex, though. Specifically, when using single escaped periods, I was getting bitten with IP address regexes that were inexplicably matching things they shouldn't be.
-- Christopher Cashell
Fegan, Joe did thus speak on 10/1/2008 10:23 AM:
Maybe you need to quote the \ to pass it through to lower layers. Just a thought. Try this:
filter f_conn_from_unk_private { not match("unknown\\\[(10\.1\.|10\.2\.|10\.10\.5\.|192\.168\.200)"); };
I'm CCing the documentation team to check how well this is covered in the docs.
I'd welcome alternative syntaxes that'd prevent having to do double escaping. I was thinking about the slash syntax like:
Perl style:
match(/no need to escape here\./)
the problem is that with 3.0 we have PCRE in which case it would become:
match(/pattern/ type(pcre))
which is not too perlish anymore.
What about Python style:
match("""no need to escape here\.""")
The drawback with this is that Python does escaping in multiline string literals.
Do you have any more alternatives in mind?
On Wed, 2008-10-01 at 10:35 -0500, Christopher Cashell wrote:
I think you've nailed it here. My understanding is that Syslog-NG does its own backslash escaping before passing the string to the regex engine which then does the regex backslash escaping. That means you need to double your backslash in those cases.
I've also found this to be the case for periods and carets. If you do '\.' it will still match any character as syslog-ng strips the first backslash before passing through the regex. To match a real period you need to do '\\.' (same with '\^', to match a real caret you need '\\^').
I don't remember if, or how well, this is documented. I know it kicked my butt pretty good until I figured out that I needed to backslash escape the backslash escape in a regex, though. Specifically, when using single escaped periods, I was getting bitten with IP address regexes that were inexplicably matching things they shouldn't be.
-- Bazsi
One option would be to use the kind of quotes ' vs " to determine whether to escape or not. I believe bash (and maybe perl) does this kind of thing when handling strings.
On Thu, 2008-10-02 at 09:12 +1300, chris packham wrote:
One option would be to use the kind of quotes ' vs " to determine whether to escape or not. I believe bash (and maybe perl) does this kind of thing when handling strings.
Yeah, the problem is with compatibility, ' and " style quoting has been working this way for about a decade, changing that would break a lot of configurations. I should have made this decision back then, but changing this now is not really possible I think.
-- Bazsi
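The double unescaping Christopher Cashell describes in this thread, as an added example (not code from the thread or from syslog-ng): `config_unescape` is an assumed, simplified model of the config parser's double-quoted string handling, Python's `re` stands in for the regex engine, and the two log lines are constructed. It shows the posted filter failing to compile, the bracket-only fix compiling but matching an address outside the listed prefixes, and the fully doubled form matching only the intended one.

```python
import re

def config_unescape(literal):
    """Assumed, simplified model of the double-quoted string handling the
    thread describes: each backslash is dropped and the character after it
    is kept as-is, before the regex engine ever sees the pattern."""
    out, i = [], 0
    while i < len(literal):
        if literal[i] == "\\" and i + 1 < len(literal):
            i += 1                      # skip the backslash, keep the next char
        out.append(literal[i])
        i += 1
    return "".join(out)

def check(literal, line):
    """Return (pattern seen by the regex engine, result). The result is
    True/False for a match, or the compile error text if it is rejected."""
    pattern = config_unescape(literal)
    try:
        return pattern, re.search(pattern, line) is not None
    except re.error as exc:
        return pattern, "compile error: %s" % exc

# Patterns exactly as typed between the double quotes in the config file
# (raw strings, so Python itself does no unescaping).
AS_POSTED = r"unknown\[(10\.1\.|10\.2\.|10\.10\.5\.|192\.168\.200)"
BRACKET_ONLY = r"unknown\\\[(10\.1\.|10\.2\.|10\.10\.5\.|192\.168\.200)"
ALL_DOUBLED = r"unknown\\[(10\\.1\\.|10\\.2\\.|10\\.10\\.5\\.|192\\.168\\.200)"

# Constructed sample lines: one inside 10.1.x.x, one outside every listed prefix.
INSIDE = "connect from unknown[10.1.2.3]"
OUTSIDE = "connect from unknown[10.100.7.9]"

def report():
    """One row per pattern: (name, regex text, hit on INSIDE, hit on OUTSIDE)."""
    rows = []
    for name, lit in (("as posted", AS_POSTED),
                      ("bracket only", BRACKET_ONLY),
                      ("all doubled", ALL_DOUBLED)):
        pattern, inside = check(lit, INSIDE)
        _, outside = check(lit, OUTSIDE)
        rows.append((name, pattern, inside, outside))
    return rows

if __name__ == "__main__":
    for row in report():
        print("%-13s regex=%s inside=%s outside=%s" % row)
```

Because the filter in the thread is negated with `not match`, the over-matching bracket-only form would drop lines it was meant to let through.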
participants (5)
- Balazs Scheidler
- chris packham
- Christopher Cashell
- Fegan, Joe
- Len Conrad