[syslog-ng] [Bug 254] New: 3.4. 1 patterndb replacing HOST corrupts $HOST and $FULLHOST macros

bugzilla at bugzilla.balabit.com bugzilla at bugzilla.balabit.com
Tue Oct 8 21:19:39 CEST 2013 

https://bugzilla.balabit.com/show_bug.cgi?id=254

           Summary: 3.4.1 patterndb replacing HOST corrupts $HOST and
                    $FULLHOST macros
           Product: syslog-ng
           Version: 3.4.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: blocker
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi at balabit.hu
        ReportedBy: erempel at uvic.ca
Type of the Report: ---
   Estimated Hours: 0.0


I am using a patterndb of

<pattern>got messages from @STRING:HOST:-.@</pattern>

to match the syslog line

2013-10-08T11:01:26-07:00 wolverine.comp.uvic.ca/wolverine.comp.uvic.ca/syslog2.uvic.ca local0.info heartbeat[18869]: got messages from camelotia.comp.uvic.ca

so that the syslog line will appears as if it came from camelotia.comp.uvic.ca

When this line gets logged to the files, it looks like

2013-10-08T11:01:26-07:00 camelotia.comp.uvic.ca^@heP^@^@^@ local0.info flare-heartbeat[18869]: got messages from camelotia.comp.uvic.ca

wher the ^@ are ASCII 0 (control-@) characters.

In other words, the HOST macro becomes corrupt.

The line should look (preferably) like

2013-10-08T11:01:26-07:00 camelotia.comp.uvic.ca/wolverine.comp.uvic.ca/syslog2.uvic.ca local0.info flare-heartbeat[18869]: got messages from
camelotia.comp.uvic.ca

or (less preferably)

2013-10-08T11:01:26-07:00 camelotia.comp.uvic.ca local0.info flare-heartbeat[18869]: got messages from camelotia.comp.uvic.ca


It isn''t consistent how many ^@ symbols are present.

2013-10-08T11:00:26-07:00 nestor0286.westgrid.uvic.ca^@^@ local0.info flare-heartbeat[18869]: got messages from nestor0286.westgrid.uvic.ca
2013-10-08T11:00:26-07:00 nestor0127.westgrid.uvic.ca^@^@^@^@^@^@ local0.info flare-heartbeat[18869]: got messages from nestor0127.westgrid.uvic.ca
2013-10-08T11:00:26-07:00 hermes0042.westgrid.uvic.ca^@^@ local0.info flare-heartbeat[18869]: got messages from hermes0042.westgrid.uvic.ca
2013-10-08T11:00:26-07:00 hermes0032.westgrid.uvic.ca^@^@ local0.info flare-heartbeat[18869]: got messages from hermes0032.westgrid.uvic.ca
2013-10-08T11:00:26-07:00 nestor0016.westgrid.uvic.ca^@fang local0.info flare-heartbeat[18869]: got messages from nestor0016.westgrid.uvic.ca
2013-10-08T11:00:26-07:00 nestor0027.westgrid.uvic.ca^@^@ local0.info flare-heartbeat[18869]: got messages from nestor0027.westgrid.uvic.ca


-- 
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

More information about the syslog-ng mailing list