[syslog-ng] syslog-ng-3.38.1 causing type hint errors in patterndb - bug?

Balazs Scheidler bazsi77 at gmail.com
Tue Nov 22 10:37:23 UTC 2022


I have now implemented a fix for this problem here:
https://github.com/syslog-ng/syslog-ng/pull/4222

But I am a bit uncertain which solution to use to fix this problem. I would
appreciate @Evan Rempel <erempel at uvic.ca> if you could chime in to the
discussion on the PR and let me know which solution you'd prefer.

Thanks

On Tue, Nov 22, 2022 at 10:39 AM Balazs Scheidler <bazsi77 at gmail.com> wrote:

> I only got warnings and not errors, when trying to use this in my XML file:
>
>           <value name="seq-matches">su(pam_unix)</value>
>
> How did you execute syslog-ng so you got the error above? The only case
> where this is an error is if you are using "@version: 4.0"
>
> This was the warning produced (both by syslog-ng and pdbtool):
>
> WARNING: the template specified in value()/<value> options for your
> grouping-by() or db-parser() configuration has been changed to support
> typing from syslog-ng 4.0. You are using an older config version and your
> template contains an unrecognized type-cast, probably a parenthesis in the
> value field. This will be interpreted in the `type(value)' format in future
> versions. Please add an explicit string() cast as shown in the
> 'fixed-value' tag of this log message or remove the parenthesis. The value
> will be processed as a 'string' expression; config-version='3.38',
> name='seq-matches', value='su(pam_unix)', fixed-value='string(su(pam_unix))'
>
> I chose to embed the type-hint field in the body of the <value> tag, as
> this is the format that is used everywhere else. I might be able to bump
> the db-parser XML file version, in the file header:
>
> <patterndb version='5'>
>
> I could bump this up to version 6, in which case you'd only need to add
> the type-hint if you also bumped the version number. That I think is doable.
>
> On the documentation front, there's an XML schema in the source tree under
> the doc/xsd/ directory for each version of patterndb, and I assume the
> documentation also has a chapter on the db-parser() format.
>
> On Mon, Nov 21, 2022 at 5:22 PM Evan Rempel <erempel at uvic.ca> wrote:
>
>> We have a patterndb file that contains both patterns and values with
>> fixed text that include strings of the form "xxxx (yyy)" which now cannot
>> be loaded by the patterndb.
>>
>> Syslog-ng throws the error
>>
>> Error parsing pattern database file; ... Error compiling value template,
>> rule=FLARE-3543, name=AUTHPROGRAM, value=su(pam_unix), error=Unknown
>> type specified in type hinting: su'
>>
>> I have not enabled the version 4.0 testing of type hinting. The version
>> configuration is
>>
>> @version: 3.36
>>
>> I am unable to find documentation for the full syntax of the patterndb
>> file (seems to have been lost from the docs since perhaps 3.16?)
>>
>> Is there a patterndb syntax specification document?
>>
>> I would expect that even when type hinting is enabled in the patterndb
>> file, given that it is an XML document, that the type hinting would be
>> part of the XML tag metadata, rather than part of the XML static data.
>>
>> --
>> Evan
>>
>
> --
> Bazsi
>


-- 
Bazsi
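
An added example, not part of the original message and not syslog-ng code: a pre-upgrade check that scans a patterndb file for `<value>` bodies that would be read in the `type(value)` format described in the warning above, and proposes the `string()` wrap shown in its `fixed-value` field. The set of recognised type names, the regex approximating the parser, and the sample XML (other than the rule id, name and value quoted in the thread) are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: type-hint names accepted by syslog-ng; adjust to your version.
KNOWN_TYPES = {"string", "literal", "int", "int32", "int64", "double", "float",
               "boolean", "datetime", "list", "json", "null"}

# Approximation of the cast syntax: a bare word directly followed by (...)
# spanning the whole <value> body.
CAST_RE = re.compile(r"^\s*([A-Za-z0-9_-]+)\((.*)\)\s*$", re.S)

# Constructed sample patterndb; only the first rule reproduces the thread's case.
SAMPLE_PATTERNDB = """<patterndb version='5' pub_date='2022-11-22'>
  <ruleset name='su' id='sample-ruleset'>
    <pattern>su</pattern>
    <rules>
      <rule provider='local' id='FLARE-3543' class='system'>
        <patterns><pattern>session opened for user @ESTRING:user: @</pattern></patterns>
        <values>
          <value name='AUTHPROGRAM'>su(pam_unix)</value>
          <value name='PORT'>int(22)</value>
        </values>
      </rule>
      <rule provider='local' id='sample-fixed' class='system'>
        <patterns><pattern>session closed</pattern></patterns>
        <values><value name='AUTHPROGRAM'>string(su(pam_unix))</value></values>
      </rule>
    </rules>
  </ruleset>
</patterndb>"""

def find_ambiguous_values(xml_text):
    """Return (rule_id, value_name, body, suggested_fix) for every <value>
    whose body looks like a cast with an unrecognised type name."""
    findings = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        for value in rule.iter("value"):
            body = value.text or ""
            m = CAST_RE.match(body)
            if m and m.group(1) not in KNOWN_TYPES:
                findings.append((rule.get("id"), value.get("name"),
                                 body, f"string({body})"))
    return findings

if __name__ == "__main__":
    for rule_id, name, body, fix in find_ambiguous_values(SAMPLE_PATTERNDB):
        print(f"rule={rule_id} name={name} value={body!r} -> {fix!r}")
```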