[syslog-ng] syslog-ng-3.38.1 causing type hint errors in patterndb - bug?

Balazs Scheidler bazsi77 at gmail.com
Tue Nov 22 09:39:35 UTC 2022 

I only got warnings and not errors, when trying to use this in my XML file:

          <value name="seq-matches">su(pam_unix)</value>

how did you execute syslog-ng so you got the error above? The only case
where this is an error, if you are using "@version: 4.0"

This was the warning produced (both by syslog-ng and pdbtool):

WARNING: the template specified in value()/<value> options for your
grouping-by() or db-parser() configuration has been changed to support
typing from syslog-ng 4.0. You are using an older config version and your
template contains an unrecognized type-cast, probably a parenthesis in the
value field. This will be interpreted in the `type(value)' format in future
versions. Please add an explicit string() cast as shown in the
'fixed-value' tag of this log message or remove the parenthesis. The value
will be processed as a 'string' expression; config-version='3.38',
name='seq-matches', value='su(pam_unix)', fixed-value='string(su(pam_unix))'

I chose to embed the type-hint field in the body of the <value> tag, as
this is the format that is used everywhere else. I might be able to bump
the db-parser XML file version, in the file header:

<patterndb version='5'>

I could bump this up to version 6, in which case you'd only need to add the
type-hint if you also bumped the version number. That I think is doable.

On the documentation front, there's an XML schema in the source tree under
the doc/xsd/ directory for each version of patterndb, and I assume the
documentation also has a chapter on the db-parser() format.

On Mon, Nov 21, 2022 at 5:22 PM Evan Rempel <erempel at uvic.ca> wrote:

> We have a patterndb file that contains both patterns and values with
> fixed text that include a strings of the form "xxxx (yyy)" which now can
> not be loaded by the patterndb.
>
> Syslog-ng throws the error
>
> Error parsing pattern database file; ... Error compiling value template,
> rule=FLARE-3543, name=AUTHPROGRAM, value=su(pam_unix), error=Unknown
> type specified in type hinting: su'
>
> I have not enabled the version 4.0 testing of type hinting. The version
> configuration is
>
> @version: 3.36
>
> I am unable to find documentation for the full syntax of the patterndb
> file (seems to have been lost from the docs since perhaps 3.16?)
>
> Is there a patterndb syntax specification document?
>
> I would expect that even when type hinting is enabled in the patterndb
> file, given that it is an XML document, that the type hinting would be
> part of the XML tag metadata, rather than part of the XML static data.
>
> --
> Evan
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>

-- 
Bazsi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20221122/cce5a405/attachment.htm>

More information about the syslog-ng mailing list