[syslog-ng] Variables in PatternDB - what am I doing wrong?

Balazs Scheidler bazsi at balabit.hu
Sat Nov 12 13:27:26 CET 2011


On Wed, 2011-11-09 at 22:34 +0100, Balazs Scheidler wrote:
> On Fri, 2011-11-04 at 10:49 +0000, Daniel Ankers wrote:
> > Hi,
> > I've got the following as part of my ruleset:
> > 
> > <!-- Match and suppress %TCP-6-BADAUTH messages -->
> >       <rule id='def42cfb-4364-4cfd-bbf1-cdf4f0bc3c88' class='lowpri'
> > context-id="badauth-${badauth.errorsrc}" context-timeout='600'
> > context-scope='host'>
> >         <patterns>
> >           <pattern>%TCP-6-BADAUTH: No MD5 digest from
> > @IPvANY:badauth.errorsrc:@(@NUMBER::@) to
> > @IPvANY:badauth.errordst:@(@NUMBER::@) (RST)</pattern>
> >         </patterns>
> >         <examples>
> >             <example>
> >                 <test_message program='patternize'>%TCP-6-BADAUTH: No
> > MD5 digest from 195.66.XXX.XX(179) to 195.66.YYYY.YY(56561)
> > (RST)</test_message>
> >             </example>
> >             <example>
> >                 <test_message program='patternize'>%TCP-6-BADAUTH: No
> > MD5 digest from 2001:7F8:X::abcd:1(179) to 2001:7F8:X::1234:1(21296)
> > (RST)</test_message>
> >             </example>
> >         </examples>
> >         <actions>
> >           <action trigger='match'>
> >             <message>
> >               <values>
> >                 <value name='MESSAGE'>$(if ("${badauth.errorsrc}@1" eq
> > "${badauth.errorsrc}@2") "Duplicate" "First") BGP Authentication Error
> > to neighbour ${badauth.errorsrc}@1 - last one was
> > ${badauth.errorsrc}@2</value>
> >               </values>
> >             </message>
> >           </action>
> >         </actions>
> >       </rule>
> > <!-- End %TCP-6-BADAUTH -->
> > 
> > When I feed example messages in from a file, I expect to see something
> > like the following:
> > Nov  4 10:40:54 syslog First BGP Authentication Error to neighbour
> > 2001:7F8:X::abcd:1 - last one was
> > Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
> > 2001:7F8:X::abcd:1 - last one was 2001:7F8:X::abcd:1
> > Nov  4 10:40:54 syslog First BGP Authentication Error to neighbour
> > 195.66.Y.Z - last one was
> > Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
> > 195.66.Y.Z - last one was 195.66.Y.Z
> > Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
> > 195.66.Y.Z - last one was 195.66.Y.Z
> > Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
> > 195.66.Y.Z - last one was 195.66.Y.Z
> > 
> > Instead I see:
> > Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
> > 2001:7F8:X::abcd:1 - last one was
> > Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
> > 2001:7F8:X::abcd:1 - last one was 2001:7F8:4::abcd:1
> > Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
> > 195.66.Y.Z - last one was
> > Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
> > 195.66.Y.Z - last one was 195.66.Y.Z
> > Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
> > 195.66.Y.Z - last one was 195.66.Y.Z
> > Nov  4 10:40:54 syslog Duplicate BGP Authentication Error to neighbour
> > 195.66.Y.Z - last one was 195.66.Y.Z
> > 
> > What am I getting wrong with the "if" function?
> > 
> > 
> > The background to this is that the first of these messages from any
> > host is useful information - however they are sent every 10 seconds
> > and I'm trying to suppress all but the first message for each
> > neighbour.  I've tried several different ways of doing this including
> > rate-limiting on the <action> but none of them have worked the way I
> > expected.
> 
> Hmm... you understand it right, and it should work exactly as you wrote,
> however as implemented filter expressions don't support correlation
> contexts.
> 
> I've pushed a branch to github to fix this issue to the
> msg-contexts-in-filters branch.
> 
> I still need some thinking time, but you could give it a try.
> 
> Feedback is appreciated. And thanks for finding this problem.
> 

Any feedback on this?

Thanks.

-- 
Bazsi
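The rule quoted above tries to do two things at once: match `%TCP-6-BADAUTH` messages and, per host, tell the first message from a given neighbour apart from the repeats within a 600-second context. As an added example that is not part of the thread and not syslog-ng code, the Python below models that correlation logic outside patterndb, so the expected "First"/"Duplicate" output can be reproduced deterministically. The sample log lines are constructed (documentation-range addresses, 10-second spacing, one repeat after the window has closed); the context timeout is modelled as sliding from the most recent message in the context, which is an assumption about how the rule's `context-timeout` behaves, and the `first_only()` helper is the suppression the original poster says they were after.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the %TCP-6-BADAUTH shape from the rule, with
# RFC 5737 / RFC 3849 documentation addresses instead of real neighbours.
SAMPLE_LOG = """\
Nov  4 10:40:54 rtr1 %TCP-6-BADAUTH: No MD5 digest from 2001:db8::abcd:1(179) to 2001:db8::1234:1(21296) (RST)
Nov  4 10:41:04 rtr1 %TCP-6-BADAUTH: No MD5 digest from 2001:db8::abcd:1(179) to 2001:db8::1234:1(21296) (RST)
Nov  4 10:41:04 rtr1 %TCP-6-BADAUTH: No MD5 digest from 192.0.2.10(179) to 192.0.2.20(56561) (RST)
Nov  4 10:41:14 rtr1 %TCP-6-BADAUTH: No MD5 digest from 192.0.2.10(179) to 192.0.2.20(56561) (RST)
Nov  4 10:41:14 rtr2 %TCP-6-BADAUTH: No MD5 digest from 192.0.2.10(179) to 192.0.2.30(40001) (RST)
Nov  4 10:41:24 rtr1 some unrelated message that the rule must ignore
Nov  4 10:52:00 rtr1 %TCP-6-BADAUTH: No MD5 digest from 192.0.2.10(179) to 192.0.2.20(56561) (RST)
"""

# BSD syslog header: "Mon dd HH:MM:SS host message" (day may be space-padded).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)

# Equivalent of the rule's pattern: @IPvANY:badauth.errorsrc:@(@NUMBER::@) etc.
BADAUTH_RE = re.compile(
    r"%TCP-6-BADAUTH: No MD5 digest from "
    r"(?P<errorsrc>[0-9A-Fa-f.:]+)\((?P<srcport>\d+)\) to "
    r"(?P<errordst>[0-9A-Fa-f.:]+)\((?P<dstport>\d+)\) \(RST\)$"
)


def parse_line(line):
    """Split a syslog line into (timestamp, host, message); None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # No year in BSD syslog; strptime defaults to 1900, which is fine for deltas.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["host"], m["msg"]


def correlate(log_text, timeout=timedelta(seconds=600)):
    """Return (host, errorsrc, label, previous_errorsrc) for each BADAUTH line.

    Mirrors context-id="badauth-${badauth.errorsrc}" with context-scope='host':
    the context key is (host, errorsrc). The label is "First" when no live
    context exists, "Duplicate" otherwise. Assumption: the timeout is measured
    from the most recent message in the context (sliding window).
    """
    contexts = {}  # (host, errorsrc) -> timestamp of the last message seen
    results = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        m = BADAUTH_RE.search(msg)
        if not m:
            continue  # not a BADAUTH message; the rule does not fire
        key = (host, m["errorsrc"])
        last_seen = contexts.get(key)
        if last_seen is None or ts - last_seen > timeout:
            label, previous = "First", ""  # @2 is empty: no earlier message
        else:
            label, previous = "Duplicate", m["errorsrc"]
        contexts[key] = ts
        results.append((host, m["errorsrc"], label, previous))
    return results


def render(result):
    """Produce the MESSAGE text the rule's <value name='MESSAGE'> builds."""
    _host, src, label, previous = result
    text = f"{label} BGP Authentication Error to neighbour {src} - last one was {previous}"
    return text.rstrip()


def first_only(log_text, timeout=timedelta(seconds=600)):
    """The suppression the poster wanted: keep only the first hit per neighbour."""
    return [r for r in correlate(log_text, timeout) if r[2] == "First"]


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        print(r[0], render(r))
```

Running the block on the constructed log yields First, Duplicate, First, Duplicate, First and then First again for the 10:52:00 line, because the rtr1/192.0.2.10 context last saw a message at 10:41:14 and the 600-second window had closed; the rtr2 line is "First" on its own because `context-scope='host'` keeps the two routers' contexts separate.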
