[syslog-ng] syslog-ng 3.9.1 erroneously matching regex
Evan Rempel
erempel at uvic.ca
Mon May 1 15:19:02 UTC 2017
Using your configuration on syslog-ng version 3.9.1 I did the following
filter f_notifier_filter { not match("ASA-4-302015|ASA-4-302013|TRAFFIC|permitted|Deny|Denied|denied", value("MESSAGE")); };
filter f_local5 { facility(local5); };
destination d_networkx { file("/var/log/network.$YEAR$MONTH$DAY.000000" owner("root") group("syslogs") perm(0640) template(t_standardfile)); };
destination d_notifier { file("/var/log/notifier.$YEAR$MONTH$DAY.000000" owner("root") group("syslogs") perm(0640) template(t_standardfile)); };
log {
    source(s_local);
    log {
        filter(f_local5);
        destination(d_networkx);
        log {
            filter(f_notifier_filter);
            destination(d_notifier);
        };
    };
};
Then I manually logged the following line
logger -t cisco -p local5.notice "1829: May 1 10:09:45.151 UTC: %BGP-5-ADJCHANGE: neighbor 172.19.254.6 Down Admin. shutdown"
This message matches the f_local5 filter AND the f_notifier_filter, and this message ended up in both my network.xxx file and my notifier.xxx file.
[xerr at myhost log]$ cat notifier.20170501.000000
2017-05-01T08:12:35.960-07:00 local at myhost local5.notice cisco: 1829: May 1 10:09:45.151 UTC: %BGP-5-ADJCHANGE: neighbor 172.19.254.6 Down Admin. shutdown
[xerr at myhost log]$ cat network.20170501.000000
2017-05-01T08:12:35.960-07:00 local at myhost local5.notice cisco: 1829: May 1 10:09:45.151 UTC: %BGP-5-ADJCHANGE: neighbor 172.19.254.6 Down Admin. shutdown
Then I logged a message containing one of the "not match" parts from the f_notifier_filter
logger -t cisco -p local5.notice "1829: May 1 10:09:45.151 UTC: %BGP-5-ADJCHANGE: permitted neighbor 172.19.254.6 Down Admin. shutdown"
This message matches the f_local5 filter but does NOT match the f_notifier_filter, and only ended up in my filter.xxx file
[xerr at myhost log]$ cat network.20170501.000000
2017-05-01T08:12:35.960-07:00 local at myhost local5.notice cisco: 1829: May 1 10:09:45.151 UTC: %BGP-5-ADJCHANGE: neighbor 172.19.254.6 Down Admin. shutdown
2017-05-01T08:13:00.095-07:00 local at myhost local5.notice cisco: 1829: May 1 10:09:45.151 UTC: %BGP-5-ADJCHANGE: permitted neighbor 172.19.254.6 Down Admin. shutdown
[xerr at myhost log]$ cat notifier.20170501.000000
2017-05-01T08:12:35.960-07:00 local at myhost local5.notice cisco: 1829: May 1 10:09:45.151 UTC: %BGP-5-ADJCHANGE: neighbor 172.19.254.6 Down Admin. shutdown
From what I can tell everything is working correctly. All local5 messages go to the d_network destination and only messages that do NOT contain any of
ASA-4-302015|ASA-4-302013|TRAFFIC|permitted|Deny|Denied|denied
go to the d_notifier destination.
Evan.
On 05/01/2017 04:13 AM, Soumyadip Das Mahapatra wrote:
> Hi folks,
>
> I raised https://github.com/balabit/syslog-ng/issues/1455
>
> Could you guys help me troubleshoot the issue. It looks to be a buggy regex match.
>
> Thanks,
> Soumyadip
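To make the nested log path behaviour described above concrete, here is a small Python model of the three filter/destination blocks, run over messages constructed to mirror the two logger calls. It is an added example, not part of the original thread and not syslog-ng code, and it assumes that match() behaves as an unanchored, case-sensitive regex search over the MESSAGE field.

```python
import re

# Exclusion regex copied from f_notifier_filter in the thread. match() is
# modelled as an unanchored search: any of these substrings anywhere in
# MESSAGE counts as a match.
NOTIFIER_EXCLUDE = re.compile(
    r"ASA-4-302015|ASA-4-302013|TRAFFIC|permitted|Deny|Denied|denied"
)


def f_local5(msg):
    """filter f_local5 { facility(local5); }"""
    return msg["facility"] == "local5"


def f_notifier_filter(msg):
    """filter f_notifier_filter { not match(...); }: pass only messages
    that contain none of the excluded substrings."""
    return NOTIFIER_EXCLUDE.search(msg["message"]) is None


def route(msg):
    """Model of the nested log {} statements. A message reaches an inner
    block only after passing every filter of the enclosing blocks, so
    d_notifier receives the subset of d_networkx's messages that also
    pass f_notifier_filter. Returns the set of destinations written."""
    dests = set()
    if f_local5(msg):                 # middle block: filter(f_local5)
        dests.add("d_networkx")
        if f_notifier_filter(msg):    # inner block: filter(f_notifier_filter)
            dests.add("d_notifier")
    return dests


# Constructed sample messages mirroring the two logger commands in the thread
ADJCHANGE = {"facility": "local5",
             "message": "1829: May 1 10:09:45.151 UTC: %BGP-5-ADJCHANGE: "
                        "neighbor 172.19.254.6 Down Admin. shutdown"}
PERMITTED = {"facility": "local5",
             "message": "1829: May 1 10:09:45.151 UTC: %BGP-5-ADJCHANGE: "
                        "permitted neighbor 172.19.254.6 Down Admin. shutdown"}
NOT_LOCAL5 = {"facility": "auth", "message": "Deny everything"}  # constructed

if __name__ == "__main__":
    for name, m in [("ADJCHANGE", ADJCHANGE), ("PERMITTED", PERMITTED),
                    ("NOT_LOCAL5", NOT_LOCAL5)]:
        print(f"{name}: {sorted(route(m))}")
```

Because the exclusion is a case-sensitive substring search, "Denied" is already covered by "Deny", while an upper-case "DENY" would still reach d_notifier; that is worth checking when tuning a notifier filter like this one.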