[syslog-ng] BUG in syslog-ng-1.6.12

[S. Schulz]

Hi,
1) I found a bug in syslog-ng-1.6.12.
If i use the MSGONLY macro the first char of the message is missing.

Here is the patch:
-snip--------------------------------
426,427c426,428
<             colon++;
<             ofs = (colon - (char *) msg->msg->data);
---
>             ofs = (colon - (char *) msg->msg->data) + 2;
>             if (ofs > msg->msg->length)
>                 ofs = msg->msg->length;
-snap--------------------------------

2) And I have an other problem with a regexp in a filter.
I want to log all messages that contains the "[ERR]" string to a separate err log.
My filter, destination and log looks like this:
 filter f_usererr { facility(user) and match('\[ERR\]'); };
 destination d_usererr {file("/var/log/$SOURCEIP_$PROGRAM.err"); };
 log { source(s_net); filter(f_usererr); destination(d_usererr); };

What I get is a line like
 test[1234]:[ERR] fopen failed
but also
 test[1234]:Event 1
or
 test[1234]:Released

So it seems to be that the backslash before the [ is ignored.
If I change the filter to
 filter f_usererr { facility(user) and match('ERR\]'); };
I get only the line
 test[1234]:[ERR] fopen failed
as expected

3) And I have a third problem with creation of a filename based on the IP
 destination d_usererr {file("/var/log/$SOURCEIP_$PROGRAM.err"); };
The created filename is "/var/log/bla.err" and the $SOURCEIP is missing

If I change the destination to
 destination d_usererr {file("/var/log/$SOURCEIP-$PROGRAM.err"); };
the created filename is "/var/log/192.168.1.1-bla.err" as expected

Best regards
Stefan Schulz

-- 
"Feel free" - 10 GB Mailbox, 100 FreeSMS/Monat ...
Jetzt GMX TopMail testen: http://www.gmx.net/de/go/topmail
-------------- next part --------------
A non-text attachment was scrubbed...
Name: syslog-ng-1.6.12-macros.c.diff
Type: application/octet-stream
Size: 199 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/syslog-ng/attachments/20070418/e941c30e/syslog-ng-1.6.12-macros.c.obj