[syslog-ng] Problems with rewrite set and template functions...

Balazs Scheidler bazsi77 at gmail.com
Sat Jan 26 07:48:09 CET 2013


Hi,

I recall something related, but I need to check. In that case the clone method wasn't properly initializing all the fields of an object in case it is referenced multiple times.

Which version are you using?

I see you have implemented a number of interesting template functions; I'd like to integrate them into syslog-ng if you are permitted to contribute them.

Also, you might be able to get rid of rewrite rules and simply use the template option for file destinations; that'd make your config much simpler.

And another note, 3.4 offers junctions and channels that again can make it possible to enclose your rewrites into reusable blocks, and by the use of inline objects, would also simplify the configuration a lot.

Cheers,

----- Original message -----
> Hi all,
> I've come across a problem when using the rewrite set function with a
> template function. I've created a custom template function
> 'audit-TPTI-to-Email' and use it in a rewrite:
> rewrite r_audit_EMail {
>                 set("$(audit-TPTI-to-EMail ${MSG})", value("MSG"));
> };
> 
> Then call it:
> filter f_audit_pgm{program("AUDIT-*" type("glob"));};
> log {
>                 source(s_local);
>                 filter(f_audit_pgm);
>                 log {
>                                 destination(d_logID_02);
>                 };
>                 log {
>                                 rewrite(r_audit_EMail);
>                                 rewrite(r_quote_newlines);
>                                 destination(d_logID_13);
>                 };
>                 flags(final);
> };
> Everything works fine.
> Then if I add another call to rewrite (i.e. add a second email
> destination):
> filter f_audit_pgm{program("AUDIT-*" type("glob"));};
> log {
>                 source(s_local);
>                 filter(f_audit_pgm);
>                 log {
>                                 destination(d_logID_02);
>                 };
>                 log {
>                                 rewrite(r_audit_EMail);
>                                 rewrite(r_quote_newlines);
>                                 destination(d_logID_13);
>                 };
>                 log {
>                                 rewrite(r_audit_EMail);
>                                 rewrite(r_quote_newlines);
>                                 destination(d_logID_14);
>                 };
>                 flags(final);
> };
> Syslog-ng crashes with a segfault.
> I've narrowed it down to any template function (just to make sure *I*
> wasn't screwing something up in my custom function):
> rewrite r_echo { set("$(echo $PROGRAM)" value("PROGRAM")); };
> destination d_test1{ file("/var/log/test1.log"); };
> destination d_test2{ file("/var/log/test2.log"); };
> 
> log {
>                 source(s_local);
>                 log {
>                                 rewrite(r_echo);
>                                 destination(d_test1);
>                 };
>                 log {
>                                 rewrite(r_echo);
>                                 destination(d_test2);
>                 };
> };
> 
> The backtrace:
> Backtrace:
> /usr/local/lib/libsyslog-ng-3.3.3.so(plugin_find+0x39)[0x7f3eb76ff019]
> /usr/local/lib/libsyslog-ng-3.3.3.so(log_template_compile+0x84f)[0x7f3eb7703baf]
> /usr/local/lib/libsyslog-ng-3.3.3.so(log_rewrite_set_new+0x99)[0x7f3eb76f3349]
> /usr/local/lib/libsyslog-ng-3.3.3.so[0x7f3eb76f3371]
> /usr/local/lib/libsyslog-ng-3.3.3.so(log_center_init_pipe_line+0x35d)[0x7f3eb76dfecd]
> /usr/local/lib/libsyslog-ng-3.3.3.so(log_center_init_pipe_line+0xd2)[0x7f3eb76dfc42]
> /usr/local/lib/libsyslog-ng-3.3.3.so(log_center_init+0x56)[0x7f3eb76e0226]
> /usr/local/lib/libsyslog-ng-3.3.3.so(cfg_init+0xb0)[0x7f3eb76e1530]
> /usr/local/lib/libsyslog-ng-3.3.3.so(main_loop_init+0x11b)[0x7f3eb76f9abb]
> /usr/local/sbin/syslog-ng(main+0x11f)[0x40168f]
> /lib/libc.so.6(__libc_start_main+0xe6)[0x7f3eb6240126]
> /usr/local/sbin/syslog-ng[0x401379]
> 
> I threw in some debug statements:
> LogRewrite *
> log_rewrite_set_new(const gchar *new_value)
> {
>         fprintf(stderr, "%s('%s'):\n", __FUNCTION__, new_value);
> 
> Plugin *
> plugin_find(GlobalConfig *cfg, gint plugin_type, const gchar *plugin_name)
> {
>         fprintf(stderr, "%s(%p, %d, '%s'): '\n", __FUNCTION__, cfg, plugin_type, plugin_name);
> 
> Which showed that the 'cfg' pointer is null when rewrite is called the
> second time:
> log_rewrite_set_new('$(echo $PROGRAM)'):
> plugin_find(0x60e210, 13, 'echo'): '
> plugin_find:       plugin->name = 'sys-to-EMail'
> plugin_find:       plugin->name = 'audit-TPTI-to-EMail'
> plugin_find:       plugin->name = 'quar-TPTI-to-EMail'
> plugin_find:       plugin->name = 'quar-TPTI-to-CEF'
> plugin_find:       plugin->name = 'tab-to-bar'
> plugin_find:       plugin->name = 'tab-to-semicolon'
> plugin_find:       plugin->name = 'tab-to-comma'
> plugin_find:       plugin->name = 'to-upper-case'
> plugin_find:       plugin->name = 'to-lower-case'
> plugin_find:       plugin->name = 'ipv4-to-int'
> plugin_find:       plugin->name = 'log-session-seqnum'
> plugin_find:       plugin->name = 'indent-multi-line'
> plugin_find:       plugin->name = 'if'
> plugin_find:       plugin->name = 'grep'
> plugin_find:       plugin->name = 'echo'
> plugin_find(0x60e210, 2, 'file'): '
> [...]
> log_rewrite_set_new('$(echo $PROGRAM)'):
> plugin_find((nil), 13, 'echo'): '
> *** Segmentation fault
> 
> Sooo, my questions are:
> Is this expected behavior?
> Has this been patched already?
> Is there another way I can call a custom function to reformat the
> message field on a destination-by-destination basis?
> 
> Thanks,
> Chris
> 
> ----------------------------------------
> Christopher Johnson
> chris.johnson3 at hp.com
> HP Software - Security Product Group
> (916) 785-2817
> ----------------------------------------
> 
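
The kind of defect the reply describes (a clone that leaves a field uninitialized when an object is referenced a second time) and the NULL 'cfg' seen in the debug output, as an added C sketch. It is not syslog-ng code and not from either poster; every type and function name in it is hypothetical. It puts the incomplete clone beside a complete one, with a lookup that rejects a NULL config instead of dereferencing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins; these are not syslog-ng's real types. */
typedef struct { const char *plugins[4]; } Config;
typedef struct { Config *cfg; const char *tmpl; } Rule;

/* Lookup that refuses a NULL config instead of dereferencing it. */
static int find_plugin(const Config *cfg, const char *name)
{
    if (cfg == NULL)
        return -1;              /* broken clone reported, no crash */
    for (size_t i = 0; cfg->plugins[i] != NULL; i++)
        if (strcmp(cfg->plugins[i], name) == 0)
            return 1;
    return 0;
}

/* Incomplete clone: copies the template, forgets the cfg back-pointer. */
static Rule *clone_buggy(const Rule *src)
{
    Rule *r = calloc(1, sizeof *r);
    if (r != NULL)
        r->tmpl = src->tmpl;    /* r->cfg stays NULL */
    return r;
}

/* Complete clone: every field the compile step needs is carried over. */
static Rule *clone_fixed(const Rule *src)
{
    Rule *r = clone_buggy(src);
    if (r != NULL)
        r->cfg = src->cfg;
    return r;
}

/* Compile the rule the way a second reference would: through a clone. */
static int compile_second_reference(int use_fixed_clone)
{
    static Config cfg = { { "grep", "echo", NULL } };   /* constructed data */
    Rule first = { &cfg, "echo" };
    Rule *second = use_fixed_clone ? clone_fixed(&first) : clone_buggy(&first);
    if (second == NULL)
        return -2;
    int rc = find_plugin(second->cfg, second->tmpl);
    free(second);
    return rc;
}
```

compile_second_reference(0) returns -1 (the NULL config is caught at lookup) and compile_second_reference(1) returns 1 (the plugin is found through the cloned rule).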
