[syslog-ng] Syslog-ng 3.4.x rewrite rules and log_msg_is_write_protected

Balazs Scheidler bazsi77 at gmail.com
Tue Feb 5 07:10:43 CET 2013


hi,

write protection is an internal property of log messages, and certainly the assertion should not fail.

as you probably know, whenever a message is delivered in multiple paths (several log statements for instance), changes on one of the paths shouldn't be visible on the other.

however, syslog-ng also tries to minimize performance impacts of these branches, and only copy the message at the branching point if necessary. if such copying doesn't happen, the message becomes write protected. this ensures that programming errors are not causing the message model to be altered.

as it seems that processing the rewrite condition() doesn't properly handle this, thus the error.

this is only speculation now, I only read stuff you posted, my phone (where I'm posting from) is not good enough for hacking syslog-ng :)


----- Original message -----
> 
> 
> I have a very simple rewrite rule, which just figures out the short
> hostname and populates a macro SHORTHOST with the short host name.
> 
> # --- to produce a short host macro SHOST
> filter f_short_host_at {
>                   match('^[^@]+@([^.]+)\.' value("HOST") type(pcre)
> flags("store-matches" "nobackref")); };
> filter f_short_host {
>                   match('^([^.@]+)\.' value("HOST") type(pcre)
> flags("store-matches" "nobackref")); };
> 
> rewrite r_short_host {
>                   set("$1", value("SHORTHOST") condition(filter(f_short_host_at)
> or filter(f_short_host) ) ); };
> 
> 
> I have two different config files (they are complicated, but the rewrite
> portion is not).
> 
> log {
>                   source(unix_network_tcp);
>                   source(unix_network_udp);
>                   rewrite(r_short_host);
>                   log {
>                                   destination(d_archive);
>                                   flags(flow-control);
>                   };
> };
> 
> 
> In one config everything works as expected (-Fdv output)
> 
> Syslog connection accepted; fd='20',
> client='AF_INET(142.104.141.3:34573)',
> local='AF_INET(142.104.141.3:514)' Incoming log entry;
> line='<134>2013-02-04T15:28:46-08:00
> pangolin.comp.uvic.ca/pangolin.comp.uvic.ca action-handler[24020]:
> starting' Filter node evaluation result; result='not-match' Filter node
> evaluation result; result='not-match', type='filter(f_short_host_at)'
> Filter node evaluation result; result='match' Filter node evaluation
> result; result='match', type='filter(f_short_host)' Filter node
> evaluation result; result='match', type='OR' Rewrite expression
> evaluation result; value='SHORTHOST', new_value='pangolin',
> rule='r_short_host',
> location='/usr/local/etc/syslog-ng/syslog-ng.server.conf:173:2'
> 
> 
> On the other config (same host and all versions of software)
> 
> Syslog connection accepted; fd='19',
> client='AF_INET(142.104.141.3:46021)',
> local='AF_INET(142.104.141.3:514)' Incoming log entry;
> line='<134>2013-02-04T15:28:46-08:00
> pangolin.comp.uvic.ca/pangolin.comp.uvic.ca action-handler[24020]:
> starting' Filter node evaluation result; result='not-match' Filter node
> evaluation result; result='not-match', type='filter(f_short_host_at)' **
> ERROR:logmsg.c:535:log_msg_set_value_indirect: assertion failed:
> (!log_msg_is_write_protected(self))
> 
> and syslog-ng dies.
> 
> Can anyone shed any light on this?
> 
> Under what conditions does the log_msg become write protected?
> 
> Evan.
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng FAQ:
> http://www.balabit.com/wiki/syslog-ng-faq
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20130205/7f8547c0/attachment-0001.htm 


More information about the syslog-ng mailing list