[syslog-ng] [Bug 211] New: dbparser pattern order breaks validation
bugzilla at bugzilla.balabit.com
bugzilla at bugzilla.balabit.com
Fri Nov 2 17:14:32 CET 2012
https://bugzilla.balabit.com/show_bug.cgi?id=211
Summary: dbparser pattern order breaks validation
Product: syslog-ng
Version: 3.3.x
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: unspecified
Component: syslog-ng
AssignedTo: bazsi at balabit.hu
ReportedBy: erempel at uvic.ca
Type of the Report: ---
Estimated Hours: 0.0
If two log lines share a common leading portion such as;
xlog: backup pg_xlog/000000010000014700000076
xlog: backup pg_xlog/000000010000014700000076 failed
then the order of the patterns in the pattern database xml file is important. For example, if the two patterns used are;
xlog: backup pg_xlog/@SET:xid:0123456789ABCDEF@
xlog: backup pg_xlog/@SET:xid:0123456789ABCDEF@ failed
and the shorter pattern is first, it will match BOTH of the above lines because it matches the leading portion of
both lines.
If the patterns are entered with the longer pattern first, then the longer pattern will fail on the shorter message, allowing the
match to fall through to the shorter pattern matcher, but will match the longer message.
I expect the behavior of the dbparser to match with the pattern containing the MOST total static content that also matches all of
the parsing macros.
Some method where the order is not important need to be used.
--
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
More information about the syslog-ng
mailing list