[syslog-ng] [Bug 228] match regex not working

bugzilla at bugzilla.balabit.com bugzilla at bugzilla.balabit.com
Wed Mar 13 11:46:02 CET 2013


https://bugzilla.balabit.com/show_bug.cgi?id=228


Balazs Scheidler <bazsi at balabit.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|                            |INVALID
             Status|NEW                         |RESOLVED




--- Comment #1 from Balazs Scheidler <bazsi at balabit.hu>  2013-03-13 11:45:59 ---
Hi, 

Please note that the use of English is preferred in this bugzilla, I'll try to translate both your question and my response.

(In reply to comment #0)
> Hi everyone!
> 
> A system was upgraded step by step from Ubuntu 8.04 LTS to 12.04 LTS; in the syslog-ng 3.3.4 shipped there, match regex filtering does not work correctly.
> Specifically, it behaves so that a filter on a plain string only takes effect if there is a space in front of the string in the incoming log.
> Filter:
> filter f_EQAM_BW_OVERSUB { netmask("172.18.96.0/255.255.224.0") and match("Bandwidth Oversubscribed" value("MESSAGE")); };
> 
> If I send a test message in with netcat, the filter only takes effect if there is a space between the searched text and the content before it, e.g.:
> "test Bandwidth Oversubscribed" works
> "testBandwidth Oversubscribed" does not work

The question (summary):
syslog-ng 3.3.4 in Ubuntu 12.04 seems to interpret the match() filter incorrectly: it matches
if there's a space in front of the pattern, and doesn't work otherwise.

My answer:
In syslog-ng 3.0, the content matched by match() has changed if you also add the "@version" tag to your configuration file. In versions prior to 3.0,
match() matched against the whole "$PROGRAM[$PID]: $MESSAGE" value, while with the match() specification above, it only matches against the $MESSAGE part. You
can continue to use "@version: 2.0", but that's not recommended. There should have been a warning about the change when you first started syslog-ng with
the original configuration file.

Since the first word is interpreted as the PROGRAM value for syslog formatted data (unless no-parse is specified), your 'test' string is 
stuffed into $PROGRAM, but only if there's a space. If there's no space, your $PROGRAM will become "testBandwidth" and $MESSAGE becomes 
"Oversubscribed".

If you are not really processing syslog data, you should probably specify flags(no-parse) on the input, which causes syslog-ng to put everything into 
$MESSAGE and your filter expression will work.

All in all, this doesn't seem to be a bug to me, but please reopen if you disagree.
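An added example of the configuration change the answer suggests (not from the bug report and not syslog-ng's own files): the source gets flags(no-parse) so the whole raw line lands in $MESSAGE, and a debug destination prints $PROGRAM and $MESSAGE so the split can be checked before and after the change. The listening address, port and log file path are assumptions.

```text
@version: 3.3

# Assumed raw TCP input. Without no-parse, syslog-ng treats the first word of a
# line as $PROGRAM; with no-parse the entire line is stored in $MESSAGE.
source s_net {
    tcp(ip("0.0.0.0") port(5140) flags(no-parse));
};

# Filter from the bug report; netmask() still works, because $SOURCEIP is set
# from the connection regardless of no-parse.
filter f_EQAM_BW_OVERSUB {
    netmask("172.18.96.0/255.255.224.0")
    and match("Bandwidth Oversubscribed" value("MESSAGE"));
};

# Debug output showing how the line was split (assumed path). Compare the
# PROGRAM/MESSAGE columns with and without flags(no-parse) on the source.
destination d_debug {
    file("/var/log/syslog-ng-match-debug.log"
         template("PROGRAM='$PROGRAM' MESSAGE='$MESSAGE'\n"));
};

log { source(s_net); filter(f_EQAM_BW_OVERSUB); destination(d_debug); };
```

With no-parse both "test Bandwidth Oversubscribed" and "testBandwidth Oversubscribed" match; removing the flag reproduces the report, with MESSAGE='Oversubscribed' for the second line.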

