[syslog-ng] How to send tracebacks through syslog-ng? (Jakub Jankowski)

Balazs Scheidler bazsi at balabit.hu
Wed Sep 28 09:26:03 CEST 2011


On Mon, 2011-09-26 at 18:07 +0800, Luis Pugoy wrote:
> 
> 
> On Sun, Sep 25, 2011 at 1:57 AM, Luis Pugoy <lpugoy at insynchq.com>
> wrote:
>                 Message: 4
>                 Date: Sat, 24 Sep 2011 09:31:34 +0200 (CEST)
>                 From: Jakub Jankowski <shasta at toxcorp.com>
>                 Subject: Re: [syslog-ng] How to send tracebacks
>                 through syslog-ng?
>                 To: Syslog-ng users' and developers' mailing list
>                        <syslog-ng at lists.balabit.hu>
>                 Message-ID:
>                 <alpine.LNX.2.00.1109240928240.15891 at bluzg.slackware.pl>
>                 Content-Type: TEXT/PLAIN; charset=US-ASCII;
>                 format=flowed
>                 
>                 On 2011-09-24, Luis Pugoy wrote:
>                 
>                 > rewrite r_rewrite_subst { subst("a*", "?", value("MESSAGE") type("pcre") flags("utf8" "global")); };
>                 >
>                 > I thought that it would replace 0 or more occurrences of 'a'
>                 > with a question mark. However, when the input is 'a', the
>                 > output becomes 'a?'. It just appends a question mark at the
>                 > end. 'aa' also becomes 'aa?'. What is weirder still is that
>                 > even if the input does not contain 'a', the question mark is
>                 > still appended. So '1' becomes '1?'.
>                 
>                 Well, does "1" match /a*/ ? :)
>                 It doesn't make any difference if that's /a*/, /b*/ or /.*/ -
>                 this kind of regexp matches everything, even an empty string.
>                 
>                 HTH
>                 
>                 --
>                 Jakub Jankowski|shasta at toxcorp.com|http://toxcorp.com/
>                 GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
>         
>         
>         Hello Jakub.
>         
>         
>         Thanks for the reply. You're right in that "1" matches /a*/,
>         but wouldn't the resulting replacement be "?" instead of
>         "1?" ? Also, if I just use /a/ and use "a" as input, it does
>         not seem to match. The text is still outputted as "a".
> 
> 
> I don't know the policy regarding bumping threads here, but I'd like
> to bump this. Can anyone confirm the results I'm getting? Is there
> also something wrong with my understanding of pcre? I'm sorry if this
> is not allowed.

You need to use a different pattern: either use the plus operator
instead of the asterisk, or use the range operator to specify how many 'a'-s
you want to match.

Replacing a* with a regexp basically matches all zero-length substrings
of the input, which is really an exception. syslog-ng handles this by
doing the replacements between _all_ input characters to avoid an
infinite loop.

If you want to replace something, please make sure that the regexp
doesn't match the empty string.

See the pcrere manual page for more information.

-- 
Bazsi
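
Added example, not part of the original message and not syslog-ng code: a small check that scans rewrite rules for subst() patterns that can match the empty string, and shows where a* produces zero-length matches on the inputs from the thread. It assumes Python's re module as a stand-in for PCRE (the two agree on these simple patterns); SAMPLE_CONF and all function names are hypothetical.

```python
import re

# Constructed config fragment: the first rule is the one quoted in the thread,
# the other three are made-up variants for comparison.
SAMPLE_CONF = r'''
rewrite r_rewrite_subst { subst("a*", "?", value("MESSAGE") type("pcre") flags("utf8" "global")); };
rewrite r_plus { subst("a+", "?", value("MESSAGE") type("pcre") flags("global")); };
rewrite r_range { subst("a{1,3}", "?", value("MESSAGE") type("pcre") flags("global")); };
rewrite r_opt { subst("(foo)?", "-", value("MESSAGE") type("pcre") flags("global")); };
'''

# Captures the rule name and the first quoted argument of the first subst()
# in each rewrite block. Config-level backslash escapes are not undone.
RULE_RE = re.compile(r'rewrite\s+(\w+)\s*\{\s*subst\(\s*"((?:[^"\\]|\\.)*)"')


def matches_empty(pattern):
    """True if the pattern matches the empty string (the case to avoid)."""
    # Caveat: lookarounds or \b can match zero-length only inside real input;
    # this check covers patterns that accept "" itself, such as a* or (foo)?.
    return re.compile(pattern).fullmatch("") is not None


def find_empty_matching_rules(conf_text):
    """Names of rewrite rules whose subst() pattern can match nothing."""
    return [name for name, pat in RULE_RE.findall(conf_text) if matches_empty(pat)]


def zero_length_spans(pattern, text):
    """(start, end) positions where the pattern matches without consuming input."""
    return [m.span() for m in re.finditer(pattern, text) if m.start() == m.end()]


if __name__ == "__main__":
    for name in find_empty_matching_rules(SAMPLE_CONF):
        print("pattern can match the empty string:", name)
    # Inputs from the thread: every one of them has at least one zero-length
    # match for a*, which is where a global replacement gets inserted.
    for text in ("a", "aa", "1"):
        print(repr(text), zero_length_spans("a*", text))
```
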



