[Bug 228] New: match regex not working
https://bugzilla.balabit.com/show_bug.cgi?id=228

           Summary: match regex not working
           Product: syslog-ng
           Version: 3.3.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: critical
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi@balabit.hu
        ReportedBy: blackluck@ktk.bme.hu
Type of the Report: bug
   Estimated Hours: 0.0

Hi all!

The system was upgraded in the appropriate steps from Ubuntu 8.04 LTS to 12.04 LTS, and in the syslog-ng 3.3.4 shipped with it the match regex filtering does not work properly. Specifically, filtering on a plain string only takes effect if there is a space before the string in the incoming log.

Filter:

    filter f_EQAM_BW_OVERSUB {
        netmask("172.18.96.0/255.255.224.0")
        and match("Bandwidth Oversubscribed" value("MESSAGE"));
    };

If I send a test message into it with netcat, the filter only takes effect if there is a space between the searched text and the content in front of it, e.g.:

    "test Bandwidth Oversubscribed"   works
    "testBandwidth Oversubscribed"    does not work

Previously, under Ubuntu 8.04, this worked fine (only back then the value("MESSAGE") part did not have to be given to match); it reports no syntax error for the config.

--
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
https://bugzilla.balabit.com/show_bug.cgi?id=228

Balazs Scheidler <bazsi@balabit.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|                            |INVALID
             Status|NEW                         |RESOLVED

--- Comment #1 from Balazs Scheidler <bazsi@balabit.hu> 2013-03-13 11:45:59 ---

Hi,

Please note that the use of English is preferred in this bugzilla, I'll try to translate both your question and my response.

(In reply to comment #0)
> Hi all!
>
> The system was upgraded in the appropriate steps from Ubuntu 8.04 LTS to 12.04 LTS, and in the syslog-ng 3.3.4 shipped with it the match regex filtering does not work properly. Specifically, filtering on a plain string only takes effect if there is a space before the string in the incoming log.
>
> Filter:
>
>     filter f_EQAM_BW_OVERSUB {
>         netmask("172.18.96.0/255.255.224.0")
>         and match("Bandwidth Oversubscribed" value("MESSAGE"));
>     };
>
> If I send a test message into it with netcat, the filter only takes effect if there is a space between the searched text and the content in front of it, e.g.:
>
>     "test Bandwidth Oversubscribed"   works
>     "testBandwidth Oversubscribed"    does not work

The question (summary): that syslog-ng 3.3.4 in Ubuntu 12.04 seems to interpret the match() filter incorrectly, it matches if there's a space in front of the pattern, and doesn't work otherwise.

My answer: in syslog-ng 3.0, the content matched by match() has changed, if you also add the "@version" tag into your configuration file. In versions prior to 3.0, match() matched against the whole "$PROGRAM[$PID]: $MESSAGE" value, while with the match() specification above, it only matches against the $MESSAGE part.

You can continue to use "@version: 2.0", but that's not recommended. There should have been a warning about the change, when you first started syslog-ng with the original configuration file.

Since the first word is interpreted as the PROGRAM value for syslog formatted data (unless no-parse is specified), your 'test' string is stuffed into $PROGRAM, but only if there's a space. If there's no space, your $PROGRAM will become "testBandwidth" and $MESSAGE becomes "Oversubscribed".

If you are not really processing syslog data, you should probably specify flags(no-parse) on the input, which causes syslog-ng to put everything into $MESSAGE and your filter expression will work.

All in all, this doesn't seem to be a bug to me, but please reopen if you disagree.
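
The field split described in comment #1, as an added example that is not part of the original thread and is not syslog-ng code: a simplified Python model of the first-word-as-PROGRAM parse, used to list sample lines that contain the pattern in the raw text but would be dropped by a filter matching only on MESSAGE. The function names and the regular expression are assumptions made for illustration; priority, timestamp and host handling are left out.

```python
import re

# Simplified model of the split described in comment #1: the first token is
# taken as PROGRAM (optionally "name[pid]:"), the rest becomes MESSAGE.
# This is NOT syslog-ng's real parser.
_HEADER = re.compile(
    r"^(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:?\s+(?P<message>.*)$", re.S
)


def parse(raw, no_parse=False):
    """Return the PROGRAM/PID/MESSAGE fields a filter would see."""
    m = None if no_parse else _HEADER.match(raw)
    if m is None:
        # flags(no-parse), or a line with no separable first token:
        # everything lands in MESSAGE.
        return {"PROGRAM": "", "PID": "", "MESSAGE": raw}
    return {"PROGRAM": m["program"], "PID": m["pid"] or "", "MESSAGE": m["message"]}


def match_message(pattern, raw, no_parse=False):
    """Model of match(pattern value("MESSAGE")) for one incoming line."""
    return re.search(pattern, parse(raw, no_parse)["MESSAGE"]) is not None


def missed_by_message_filter(pattern, samples):
    """Lines where the pattern is in the raw text but not in parsed MESSAGE."""
    return [
        raw for raw in samples
        if re.search(pattern, raw) and not match_message(pattern, raw)
    ]


PATTERN = "Bandwidth Oversubscribed"
# The two test lines from the report.
SAMPLES = ["test Bandwidth Oversubscribed", "testBandwidth Oversubscribed"]

if __name__ == "__main__":
    for raw in SAMPLES:
        fields = parse(raw)
        print(repr(raw), "->", fields,
              "| parsed match:", match_message(PATTERN, raw),
              "| no-parse match:", match_message(PATTERN, raw, no_parse=True))
    print("silently missed:", missed_by_message_filter(PATTERN, SAMPLES))
```

Running sample traffic through a check like this before deploying a filter shows which lines would never reach the destination, which matters when the filter feeds alerting.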