[syslog-ng] Re: syslog-ng filter order patch

Balazs Scheidler bazsi@balabit.hu
Wed, 29 Nov 2000 10:36:45 +0100


Hi,

I've read your posting and had a quick glance at your patch. I've applied it
now with a few changes:

1) I changed the list append routine to append at the end of the list, so
default statements should go last
2) the patch didn't unref the message it was distributing, so syslog-ng may
become a memory hog quickly.
3) I branch the 1.4.x tree to 1.5.x and apply this patch there.

Expect a 1.4.10 and 1.5.0 release soon.

> Balazs, this is the patch for syslog-ng I posted to the list the other day,
> I was wondering if you'd take a quick look if you haven't been reading the
> list..
> 
> I have this working against 1.4.9a (with the 1.4.9a patch from the
> mailing list also applied, which I needed to stop logs being mixed up on my
> RedHat 6.2/Linux 2.2.16 box).
> 
> This patch changes only the order of evaluation of rules in the log{} lines
> 
> Since the only time you check to see if a log entry has 'already matched' is
> when you test for the DEFAULT filter, if you have a rule with no filter,
> your logic will cause the DEFAULT filter to never be handled, because
> "everything has matched" and do_distribute_log forces DEFAULT to be handled
> last.
> 
> The patch just makes the filters get evaluated in the order they appear in
> the linked list, which allows configurations like the following:
> 
> log { source(s_sys); destination(d_tty12); };
> log { source(s_sys); filter(DEFAULT); destination(d_mesg); };
> log { source(s_sys); filter(f_PAM); destination(d_pam); };
> log { source(s_sys); filter(f_auth); destination(d_auth); };
> log { source(s_sys); filter(f_filter4); destination(d_mail); };
> 
> To have a 'match everything from s_sys' to go to my /dev/tty12 for console
> debugging, as well as match a default rule, since the DEFAULT is evaluated
> before the rule without a filter.
> 
> The patch was written by my workmate, Matthew Melvin
> (matthewm@staff.webcentral.com.au)
> 
> --snip--
> 
> --- src/center.c.old        Mon Nov 27 14:20:14 2000
> +++ src/center.c    Mon Nov 27 15:08:38 2000
> @@ -71,14 +71,21 @@
>  static void do_distribute_log(struct log_handler *c, struct log_info *msg)
>  {
>         CAST(log_center, self, c);
> -       struct log_connection *p, *def_connection = NULL;
> +       struct log_connection *p;
>         int match = 0;
> 
>         for (p = self->connections; p; p = p->next) {
>                 struct log_endpoint_info *s;
> 
>                 if (p->flags & LOG_CONN_DEFAULT) {
> -                       def_connection = p;
> +                       struct log_endpoint_info *d;
> +                       if (match) continue;
> +                       for (d = p->nodes; d; d = d->next) {
> +                               if (d->type == EP_DESTINATION) {
> +                                       assert(d->ref);
> +                                       HANDLE_LOG(d->ref,
> log_info_use(msg));
> +                               }
> +                       }
>                         continue;
>                 }
>                 for (s = p->nodes; s; s = s->next) {
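Review bot: in the new LOG_CONN_DEFAULT branch, "if (match) continue;" only sees matches made by connections earlier in the list, so whether a DEFAULT entry fires now depends on its position: placed ahead of a matching connection it delivers as well, and the branch never sets match itself, so several DEFAULT entries would all deliver. Please document that order dependence in a comment on the branch and in the configuration docs, or make the list construction guarantee where DEFAULT entries end up. Separately, the "HANDLE_LOG(d->ref," line has been wrapped by the mailer, so the hunk will not apply as posted; resend it unwrapped or as an attachment.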
> @@ -107,16 +114,6 @@
> 
>         next_connection:
>         }
> -       if (!match && def_connection) {
> -               struct log_endpoint_info *d;
> -               for (d = def_connection->nodes; d; d = d->next) {
> -                       if (d->type == EP_DESTINATION) {
> -                               assert(d->ref);
> -                               HANDLE_LOG(d->ref, log_info_use(msg));
> -                       }
> -               }
> -       }
> -       log_info_free(msg);
>  }
> 
>  struct log_handler *make_log_center(struct log_connection *connections)
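Review bot: the last removed line, "log_info_free(msg);", has no replacement anywhere in the visible function, so do_distribute_log no longer releases the message it was handed while each destination is still passed log_info_use(msg); nothing shown here frees the message after distribution. Drop only the "if (!match && def_connection)" block and keep "log_info_free(msg);" before the closing brace, or state in a comment who now owns that release.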
> 
> --snip--
> 
> 
> --
> Andrew Fort

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
     url: http://www.balabit.hu/pgpkey.txt
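
The two points raised in this thread (position-dependent DEFAULT handling and the missing unref), as a toy C model added here; it is not syslog-ng code and not part of either post. `struct conn`, `struct msg`, `deliver` and `distribute` are hypothetical names, the array stands for the connections in linked-list order, and the reference counting is an assumed simplification.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model, not syslog-ng code: every name below is hypothetical. */
enum { CONN_DEFAULT = 1 };
struct conn { int flags; int matches; int delivered; }; /* matches: constructed filter result */
struct msg { int refs; };

/* Assumption: a destination takes its own reference and drops it when done. */
static void deliver(struct conn *c, struct msg *m)
{
    m->refs++;
    c->delivered = 1;
    m->refs--;
}

/* in_order = 0: DEFAULT is remembered and handled after the loop (pre-patch).
 * in_order = 1: DEFAULT is handled at its list position (posted patch).
 * release  = whether the distributor drops the reference it was handed.
 * Returns the reference count left on the message; nonzero means a leak. */
static int distribute(struct conn *list, size_t n, struct msg *m,
                      int in_order, int release)
{
    struct conn *def = NULL;
    int match = 0;

    for (size_t i = 0; i < n; i++) {
        struct conn *p = &list[i];
        if (p->flags & CONN_DEFAULT) {
            if (!in_order) def = p;
            else if (!match) deliver(p, m);
            continue;
        }
        if (p->matches) { match = 1; deliver(p, m); }
    }
    if (!in_order && !match && def) deliver(def, m);
    if (release) m->refs--;
    return m->refs;
}

int main(void)
{
    /* Constructed list order: unmatched filter, DEFAULT, unfiltered catch-all. */
    struct conn before[3] = { {0, 0, 0}, {CONN_DEFAULT, 0, 0}, {0, 1, 0} };
    struct conn after[3]  = { {0, 0, 0}, {CONN_DEFAULT, 0, 0}, {0, 1, 0} };
    struct msg m1 = {1}, m2 = {1};
    int r1 = distribute(before, 3, &m1, 0, 1);  /* deferred DEFAULT, released */
    int r2 = distribute(after, 3, &m2, 1, 0);   /* in-order DEFAULT, not released */
    printf("deferred: default=%d refs=%d\n", before[1].delivered, r1);
    printf("in order: default=%d refs=%d\n", after[1].delivered, r2);
    return 0;
}
```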