[syslog-ng] BUG in syslog-ng-1.6.12
Evan Rempel
erempel at uvic.ca
Thu Apr 19 17:35:30 CEST 2007
Balazs Scheidler wrote:
> On Wed, 2007-04-18 at 19:33 +0200, S. Schulz wrote:
>> Hi,
>> 1) I found a bug in syslog-ng-1.6.12.
>> If I use the MSGONLY macro the first char of the message is missing.
>>
>> Here is the patch:
>> -snip--------------------------------
>> 426,427c426,428
>> < colon++;
>> < ofs = (colon - (char *) msg->msg->data);
>> ---
>>> ofs = (colon - (char *) msg->msg->data) + 2;
>>> if (ofs > msg->msg->length)
>>> ofs = msg->msg->length;
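Review bot: The `+ 2` on the added `ofs = (colon - (char *) msg->msg->data) + 2;` line puts the offset one byte further past the colon than the removed `colon++;` version did, which does not fit a report that MSGONLY already loses the first character, so please confirm the diff was not generated with the old and new files swapped. Under either direction, the clamp `if (ofs > msg->msg->length) ofs = msg->msg->length;` is the part to keep, since it stops the offset from pointing past the end of the buffer when the colon is the last byte. A fixed skip also assumes a separator always follows the colon, while the sample lines later in this message show text directly after it (`test[1234]:[ERR] fopen failed`); consider skipping the extra byte only when it is actually a space. The `426,427c426,428` header names no file, so a unified diff with the file name would make this easier to apply.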
>> -snap--------------------------------
>
> Yes, this indeed seems to be a bug, but this does not seem to affect
> 2.0.x tree. Do you have some reasons to stick with 1.6.x?
>
>> 2) And I have another problem with a regexp in a filter.
>> I want to log all messages that contain the "[ERR]" string to a separate err log.
>> My filter, destination and log look like this:
>> filter f_usererr { facility(user) and match('\[ERR\]'); };
>> destination d_usererr {file("/var/log/$SOURCEIP_$PROGRAM.err"); };
>> log { source(s_net); filter(f_usererr); destination(d_usererr); };
>>
>> What I get is a line like
>> test[1234]:[ERR] fopen failed
>> but also
>> test[1234]:Event 1
>> or
>> test[1234]:Released
>>
>> So it seems to be that the backslash before the [ is ignored.
>> If I change the filter to
>> filter f_usererr { facility(user) and match('ERR\]'); };
>> I get only the line
>> test[1234]:[ERR] fopen failed
>> as expected
>
> you need double backslashes as the first one is absorbed by the
> configuration parser to be able to escape apostrophes. If you need a
> real backslash, you need to double them like:
>
> match('\\[ERR\\]')
>
>> 3) And I have a third problem with creation of a filename based on the IP
>> destination d_usererr {file("/var/log/$SOURCEIP_$PROGRAM.err"); };
>> The created filename is "/var/log/bla.err" and the $SOURCEIP is missing
>
> yes, because '_' is taken as part of a word and thus syslog-ng tries to
> substitute the macro named "SOURCEIP_" which obviously does not exist.
>
> syslog-ng 2.0 provides an alternative, shell-like expansion syntax:
>
> destination d_usererr {file("/var/log/${SOURCEIP_}$PROGRAM.err"); };
Just a typo, I think you meant
destination d_usererr {file("/var/log/${SOURCEIP}_$PROGRAM.err"); };
so that the underscore is NOT interpreted as part of the macro variable name to expand.
>
> Alternatively use something different than '_'
>
>> If I change the destination to
>> destination d_usererr {file("/var/log/$SOURCEIP-$PROGRAM.err"); };
>> the created filename is "/var/log/192.168.1.1-bla.err" as expected
>
> see above.
>
--
Evan Rempel erempel at uvic.ca
Senior Programmer Analyst 250.721.7691
Computing Services
University of Victoria
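
The two configuration pitfalls discussed in this thread, reproduced as an added example that is not part of the original messages and is not syslog-ng code. `parser_unescape` and `expand` are hypothetical, simplified models of the behaviour Balazs describes (one backslash absorbed by the configuration parser; `_` treated as part of a macro name), and Python's `re` stands in for the regex engine.

```python
import re

def parser_unescape(raw: str) -> str:
    """Model (assumption): the config parser absorbs one backslash and
    keeps the character that follows it."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)

def expand(template: str, macros: dict) -> str:
    """Model (assumption): '_' is part of a macro name, ${NAME} delimits
    the name explicitly, and an unknown macro expands to nothing."""
    pattern = re.compile(r"\$\{(\w+)\}|\$(\w+)")
    return pattern.sub(lambda m: macros.get(m.group(1) or m.group(2), ""), template)

# Sample messages copied from the lines quoted in the thread.
MESSAGES = ["test[1234]:[ERR] fopen failed", "test[1234]:Event 1", "test[1234]:Released"]

def matched(config_literal: str) -> list:
    """Messages selected by match('<config_literal>') after parser unescaping."""
    regex = re.compile(parser_unescape(config_literal))
    return [m for m in MESSAGES if regex.search(m)]

if __name__ == "__main__":
    # '\[ERR\]' reaches the regex engine as [ERR], a character class that
    # matches any single 'E' or 'R', so unrelated messages are selected too.
    for literal in (r"\[ERR\]", r"ERR\]", r"\\[ERR\\]"):
        print(f"{literal!r:14} -> regex {parser_unescape(literal)!r:10} "
              f"matches {len(matched(literal))} of {len(MESSAGES)}")
    macros = {"SOURCEIP": "192.168.1.1", "PROGRAM": "bla"}
    for t in ("/var/log/$SOURCEIP_$PROGRAM.err",
              "/var/log/${SOURCEIP}_$PROGRAM.err",
              "/var/log/$SOURCEIP-$PROGRAM.err"):
        print(f"{t} -> {expand(t, macros)}")
```

Running it shows why "Event 1" and "Released" landed in the error log with the single-backslash filter, and why the source IP vanished from the file name.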