[syslog-ng] IPv6 rewrite rule PVCE

strife at riseup.net strife at riseup.net
Thu Feb 14 13:47:29 CET 2013


> I have tried to reproduce the issue and it does work in 3.4. Going back
> in versions revealed that there's a limit in syslog-ng 3.1 and below in
> string literals to be less than 1024 bytes.
>
> You can change that by increasing the MAX_REGEXP_LEN value in cfg-lex.l
> or upgrading to a newer syslog-ng release.

Thank you for your quick and accurate advice. For the sake of
completeness, here is my current rewrite rule for IPv4 (first) and IPv6
(second):

rewrite r_ip {
 subst('\b(1?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\.(1?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\.(1?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\.(1?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\b',
"\[REDACTED\]", value("MESSAGE"), type("pcre"), flags("global"));
 subst('\b((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?',
"\[REDACTED6\]", value("MESSAGE"), type("pcre"), flags("global"));
};

I downloaded and modified the syslog-ng source in Debian Squeeze (3.1.x),
changed MAX_REGEXP_LEN and created a new package:

apt-get install build-essential fakeroot devscripts
apt-get build-dep syslog-ng
apt-get source syslog-ng
rm syslog-ng_*.deb
cd syslog-ng-*
sed -i -e "s/#define MAX_REGEXP_LEN  1024/#define MAX_REGEXP_LEN  4096/" src/cfg-lex.c
debuild -rfakeroot -uc -us
cd ..
dpkg -i syslog-ng_*.deb

-- 
strife
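
A pre-flight check for the limit described in the quoted reply, as an added example that is not part of the original message or of syslog-ng: it scans a configuration for quoted string literals of 1024 bytes or more, so an oversized redaction pattern is caught before it is deployed to a 3.1.x host. Counting the raw bytes between the quotes is an assumption about how the lexer measures length; `oversized_literals` and `sample_config` are hypothetical names.

```python
import re

# Limit stated in the thread for syslog-ng 3.1 and below (MAX_REGEXP_LEN).
MAX_LITERAL_BYTES = 1024

# Token kinds: '#' comment, single-quoted literal (taken verbatim by
# syslog-ng), double-quoted literal (backslash escapes allowed).
TOKEN = re.compile(
    r"""
      \#[^\n]*                      # comment, so quotes inside it are skipped
    | '(?P<sq>[^']*)'               # single-quoted literal
    | "(?P<dq>(?:\\.|[^"\\])*)"     # double-quoted literal
    """,
    re.VERBOSE | re.DOTALL,
)


def oversized_literals(config_text, limit=MAX_LITERAL_BYTES):
    """Return (line_number, byte_length) for each literal of `limit` bytes or more."""
    findings = []
    for m in TOKEN.finditer(config_text):
        body = m.group("sq") if m.group("sq") is not None else m.group("dq")
        if body is None:  # the token was a comment
            continue
        # Assumption: the limit applies to the raw bytes between the quotes.
        size = len(body.encode("utf-8"))
        if size >= limit:
            line = config_text.count("\n", 0, m.start()) + 1
            findings.append((line, size))
    return findings


def sample_config(pattern_len):
    """Constructed input: a rewrite rule whose pattern is `pattern_len` bytes long."""
    pattern = "a" * pattern_len
    return (
        "# don't flag this comment\n"
        "rewrite r_ip {\n"
        " subst('" + pattern + "',\n"
        ' "\\[REDACTED6\\]", value("MESSAGE"), type("pcre"), flags("global"));\n'
        "};\n"
    )


if __name__ == "__main__":
    for line, size in oversized_literals(sample_config(1500)):
        print(f"line {line}: literal is {size} bytes, limit is {MAX_LITERAL_BYTES}")
```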