[syslog-ng] Bug report: host variables translated differently in templates than in regex

Balazs Scheidler bazsi at balabit.hu
Mon Oct 17 13:10:51 CEST 2005 

On Mon, 2005-10-17 at 12:40 +1300, Jason Haar wrote:
> Hi there
> 
> I brought this up a couple of weeks ago ("How does regex work with HOST
> definitions?") and I now think it's a bug.
> 
> Basically if you call HOST as part of a template call such as:
> 
> template("$R_ISODATE $HOST $FACILITY $PRIORITY $MSG\n")
> 
> or
> 
> file("/var/log/syslog/$HOST/$YEAR/$MONTH/$DAY")
> 
> then HOST is *the first syslog client* sending the syslog record
> (assuming keep_hostname is set). i.e. HOST might be the actual client
> that physically sent the record - or it might be the client gatewayed
> through a previous syslog server.
> 
> However, if you are referring to the remote syslog client via a regex in
> a filter, such as
> 
> filter f_process_TIBS { host("-ids-") }
> 
> 
> then it appears that "host" is literally *the last syslog client* -
> instead of *the first syslog client*. e.g. if you have a syslog client
> (clientA) that forwards to serverB, and serverB forwards to serverC,
> then for a particular clientA record, HOST on serverC is "clientA", but
> "host" refers to "serverB".

I don't see how this could be the case. $HOST is expanded to the same
value as is used for host() filtering, more specifically 
"struct log_info->host"

Filtering:
static int do_filter_host(struct filter_expr_node *c,
                          struct log_filter *rule UNUSED,
                          struct log_info *log)
{
        CAST(filter_expr_re, self, c);
        return (!regexec(&self->regex, (char *) log->host->data, 0, NULL, 0)) ^
c->comp;
}        

Macro expansion:

	case M_HOST: {
                /* host */
                struct ol_string *host = (id == M_HOST ? msg->host : msg->host_from);
                UINT8 *p1;
                UINT8 *p2;
                int remaining;

                p1 = memchr(host->data, '@', host->length);
                if (p1)
                        p1++;
                else
                        p1 = host->data;
                remaining = host->length - (p1 - host->data);
                p2 = memchr(p1, '/', remaining);
                if (p2) {
                        length = LIBOL_MIN((unsigned int) (p2 - p1), *left);
                }
                else {
                        length = LIBOL_MIN(*left, (unsigned int) (host->length - (p1 - host->data)));
                }
                length = append_string(dest, left, (char *) p1, length, escape);
                break;
        }


The long code in the macro expansion does nothing but strip off everything 
before '@' and after the first '.' (but there's $FULLHOST which does not do this)


-- 
Bazsi

More information about the syslog-ng mailing list