Rewrite backreference oddity
Sent: Mon Feb 27 2012 13:18:03 GMT-0500 (EST)
From: Ti Leggett <leggett@mcs.anl.gov>
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Rewrite backreference oddity

I have a rewrite rule that is used to replace private IPs that have no DNS name with an internally used name. It looks like:

```
rewrite r_ddn {
    subst("172.30.60.(\d*)", "d9550-$1.example.com", value("HOST"), type("pcre"));
};
```

For IP 172.30.60.1 I should get a HOST that is d9550-1.example.com, but what I actually get is d9550-.example.com1. Any ideas what I'm doing incorrectly? I've tried encapsulating the back reference in {}. Here's info about my syslog-ng:

```
[root@admin 02]# syslog-ng -V
syslog-ng 3.3.4
Installer-Version: 3.3.4
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.3#master#5e44eb46b0d7b86b62f17698e2b6de875ac8d7c6
Compile-Date: Feb 17 2012 10:55:40
Default-Modules: affile,afprog,afsocket,afuser,basicfuncs,csvparser,dbparser,syslogformat
Available-Modules: affile,afsocket,dummy,afsocket-tls,afprog,syslogformat,csvparser,afmongodb,confgen,afuser,basicfuncs,dbparser,convertfuncs
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Pcre: on
```

You shouldn't have a comma before the `type`. The config parser might be allowing this, though the general syntax used is to not have one.

Also try using `flags(store-matches)`

-Patrick

Neither of those seem to help. If you notice, the back-reference is getting applied, just at the end of the string instead of where it should be. That's the really weird thing to me.

On Feb 27, 2012, at 12:22 PM, Patrick Hemmer wrote:
> You shouldn't have a comma before the `type`. The config parser might be allowing this, though the general syntax used is to not have one.
>
> Also try using `flags(store-matches)`
>
> -Patrick

Try with flags("store-matches" "nobackref").

On Mon, Feb 27, 2012 at 1:11 PM, Ti Leggett <leggett@mcs.anl.gov> wrote:
> Neither of those seem to help. If you notice, the back-reference is getting applied, just at the end of the string instead of where it should be. That's the really weird thing to me.

Oh, I didn't notice that it was at the end of the string, I just saw the empty spot. DOH! Sorry :-) Smells like a bug to me.

-Patrick

Sent: Mon Feb 27 2012 14:11:14 GMT-0500 (EST)
From: Ti Leggett <leggett@mcs.anl.gov>
To: Patrick Hemmer <syslogng@stormcloud9.net>, Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Rewrite backreference oddity
> Neither of those seem to help. If you notice, the back-reference is getting applied, just at the end of the string instead of where it should be. That's the really weird thing to me.

Oh wait! I think I see what's happening. Change your double quotes to single quotes. The substitution is changing '172.30.60.' into 'd9550-.example.com'. Not adding the match at the end (should be using a '+' instead of a '*' on that regex :-P ). The backslash isn't working because it's in double quotes. The single quotes will make it work.

-Patrick

Sent: Mon Feb 27 2012 14:15:24 GMT-0500 (EST)
From: Patrick Hemmer <syslogng@stormcloud9.net>
To: Ti Leggett <leggett@mcs.anl.gov>, Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Rewrite backreference oddity
> Oh, I didn't notice that it was at the end of the string, I just saw the empty spot. DOH! Sorry :-) Smells like a bug to me.
>
> -Patrick

Also, I'm not sure how the parser will know that the macro is $1 and not $1.example.com (which will be undefined). I think some string concatenation might be needed to make the macro clearly delimited.

On Mon, Feb 27, 2012 at 1:17 PM, Patrick Hemmer <syslogng@stormcloud9.net> wrote:
> Oh wait! I think I see what's happening. Change your double quotes to single quotes. The substitution is changing '172.30.60.' into 'd9550-.example.com'. Not adding the match at the end (should be using a '+' instead of a '*' on that regex :-P ). The backslash isn't working because it's in double quotes. The single quotes will make it work.
>
> -Patrick

Doh! I don't know how I didn't catch this. It also means '+' works where it didn't before. Thanks!

On Feb 27, 2012, at 1:17 PM, Patrick Hemmer wrote:
> Oh wait! I think I see what's happening. Change your double quotes to single quotes. The substitution is changing '172.30.60.' into 'd9550-.example.com'. Not adding the match at the end (should be using a '+' instead of a '*' on that regex :-P ). The backslash isn't working because it's in double quotes. The single quotes will make it work.
>
> -Patrick
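
Added example (not part of the original thread and not syslog-ng code): a Python model of the quoting problem Patrick identifies, reproducing the `d9550-.example.com1` result. It assumes a double-quoted config string drops the backslash of an escape such as `\d`; the helper names, the constructed look-alike hostname and the anchored `HARDENED` pattern are illustrative additions.

```python
import re

def unescape_double_quoted(s):
    """Model a double-quoted config string: a backslash escapes the next char.

    Assumption: an escape with no special meaning (such as \\d) yields the
    character itself, so the backslash is lost before the regex engine runs.
    """
    known = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"'}
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(known.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def rewrite_host(host, pattern, template):
    """subst()-style rewrite: replace the first match, $1 is capture group 1."""
    return re.sub(pattern,
                  lambda m: template.replace("$1", m.group(1) or ""),
                  host, count=1)

TEMPLATE = "d9550-$1.example.com"
AS_TYPED = r"172.30.60.(\d*)"                     # pattern text from the thread
DOUBLE_QUOTED = unescape_double_quoted(AS_TYPED)  # what "..." hands to PCRE
SINGLE_QUOTED = AS_TYPED                          # '...' keeps the backslash
HARDENED = r"^172\.30\.60\.(\d+)$"                # added: anchors, literal dots, '+'

if __name__ == "__main__":
    # Constructed sample HOST values: the thread's IP plus a look-alike name.
    for host in ("172.30.60.1", "host172-30-60-1.example.net"):
        for label, pat in (("double-quoted", DOUBLE_QUOTED),
                           ("single-quoted", SINGLE_QUOTED),
                           ("hardened", HARDENED)):
            print(f"{host:30} {label:14} {pat:22} -> "
                  f"{rewrite_host(host, pat, TEMPLATE)}")
```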

participants (3)
- Martin Holste
- Patrick Hemmer
- Ti Leggett