[syslog-ng] BUG in syslog-ng-1.6.12

Balazs Scheidler bazsi at balabit.hu
Thu Apr 19 12:42:43 CEST 2007 

On Wed, 2007-04-18 at 19:33 +0200, S. Schulz wrote:
> Hi,
> 1) I found a bug in syslog-ng-1.6.12.
> If i use the MSGONLY macro the first char of the message is missing.
> 
> Here is the patch:
> -snip--------------------------------
> 426,427c426,428
> <             colon++;
> <             ofs = (colon - (char *) msg->msg->data);
> ---
> >             ofs = (colon - (char *) msg->msg->data) + 2;
> >             if (ofs > msg->msg->length)
> >                 ofs = msg->msg->length;
> -snap--------------------------------

Yes, this indeed seems to be a bug, but this does not seem to affect
2.0.x tree. Do you have some reasons to stick with 1.6.x?

> 
> 2) And I have an other problem with a regexp in a filter.
> I want to log all messages that contains the "[ERR]" string to a separate err log.
> My filter, destination and log looks like this:
>  filter f_usererr { facility(user) and match('\[ERR\]'); };
>  destination d_usererr {file("/var/log/$SOURCEIP_$PROGRAM.err"); };
>  log { source(s_net); filter(f_usererr); destination(d_usererr); };
> 
> What I get is a line like
>  test[1234]:[ERR] fopen failed
> but also
>  test[1234]:Event 1
> or
>  test[1234]:Released
> 
> So it seems to be that the backslash before the [ is ignored.
> If I change the filter to
>  filter f_usererr { facility(user) and match('ERR\]'); };
> I get only the line
>  test[1234]:[ERR] fopen failed
> as expected

you need double backslashes as the first one is absorbed by the
configuration parser to be able to escape apostrophes. If you need a
real backslash, you need to double them like:

match('\\[ERR\\]')

> 
> 3) And I have a third problem with creation of a filename based on the IP
>  destination d_usererr {file("/var/log/$SOURCEIP_$PROGRAM.err"); };
> The created filename is "/var/log/bla.err" and the $SOURCEIP is missing

yes, because '_' is taken part of a word and thus syslog-ng tries to
substitute the macro named "SOURCEIP_" which obviously does not exist.

syslog-ng 2.0 provides an alternative, shell-like expansion syntax:

destination d_usererr {file("/var/log/${SOURCEIP_}$PROGRAM.err"); };

Alternatively use something different than '_'

> 
> If I change the destination to
>  destination d_usererr {file("/var/log/$SOURCEIP-$PROGRAM.err"); };
> the created filename is "/var/log/192.168.1.1-bla.err" as expected

see above.

-- 
Bazsi

More information about the syslog-ng mailing list