[syslog-ng] syslog-ng vs pcre2 without jit vs disable-jit config feature

"Tóth Attila" atoth at atoth.sote.hu
Thu Nov 23 11:31:04 UTC 2023


Hi,

These are the affected lines in my config:
filter f_avc { message(".*avc: .*"); };
filter f_audit { message("^(\\[.*\..*\] |)audit.*") and not message(".*avc: .*"); };
filter f_pax { message("^(\\[.*\..*\] |)PAX:.*"); };
filter f_grsec { message("^(\\[.*\..*\] |)grsec:.*"); };

These have been there for a long time now, but obviously need a treatment to
make them up-to-date.
There are multiple messages during startup:
"multi-line-pattern: Error while JIT compiling regular expression"
and more.

If I try to add disable-jit, the messages persist. So it seems syslog-ng
still tries to use jit. Despite the messages, the software is still
functional as intended. I just want to instruct it not to try
jit-optimizing the expressions, hence get rid of the messages.

Thanks:
Dw.
-- 
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On Wed, November 22, 2023 at 12:32, Balazs Scheidler wrote:
> Hi,
>
> I've now tried the disable-jit example from the documentation and it does
> seem to work for me. I've set a breakpoint where it would do the jit
> compilation, and it didn't do it.
>
> btw, I was using Axoflow produced documentation, which is somewhat more
> usable to me:
> https://axoflow.com/docs/axosyslog-core/chapter-manipulating-messages/regular-expressions/reference-regexp-types/regexp-flags-options/regexp-flags-options-pcre/
>
> This is the config I have checked:
>
> ```
> @version: 3.32
>
> log {
> source { tcp(port(2000)); };
>
> filter { match("(?<DN>foo)|(?<DN>bar)" value(MSG) flags(store-matches,
> disable-jit, dupnames)); };
> destination { file("/tmp/log" template("$(format-json *)\n")); };
> };
> ```
>
> I am using the latest master, but 4.4.0 should be the same. How do you know
> that jit is enabled?
>
>
> On Tue, Nov 21, 2023 at 10:59 AM "Tóth Attila" <atoth at atoth.sote.hu>
> wrote:
>
>> I'm using syslog-ng-4.4.0 on a Gentoo system, that also employs PaX
>> hardening. Due to the necessity to elevate restrictions on pcre2 with jit
>> enabled, I keep it disabled for this particular installation. Syslog-ng
>> emits error messages during startup complaining about pcre2 and jit. I had
>> studied the manual and found the disable-jit feature.
>>
>> https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.30/administration-guide/72
>> Maybe I'm using a wrong syntax, but syslog-ng doesn't seem to respect the
>> option. Commenting out the jit feature in the source code works, but it
>> would be much more comfortable to find the proper way to disable jit.
>>
>> Are there any others who managed to use disable-jit in action?
>>
>> Are there any tips or tricks about what to pay attention to?
>>
>> Thx:
>> Dw.
>> --
>> dr Tóth Attila, Radiológus, 06-20-825-8057
>> Attila Toth MD, Radiologist, +36-20-825-8057
>>
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>
> --
> Bazsi
>
>
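
As an added example, not part of the thread and not syslog-ng project code: a small Python check that lists the message() and match() calls in a configuration that do not carry flags(disable-jit), the per-expression setting discussed above. The function names and the sample are constructed here, and placing flags() after the pattern in message() is assumed to follow the match() example quoted in the thread.

```python
import re

# message() and match() are the two regexp filter functions used in this thread.
CALL_RE = re.compile(r"\b(message|match)\s*\(")
FLAGS_RE = re.compile(r"\bflags\s*\(([^)]*)\)")
FIRST_ARG_RE = re.compile(r'^\s*("(?:\\.|[^"\\])*"|\'[^\']*\')')

def call_body(text, start):
    """Return the text inside the '(' at text[start], ignoring quoted parens."""
    depth, quote, i = 0, None, start
    while i < len(text):
        ch = text[i]
        if quote:
            if ch == "\\" and quote == '"':
                i += 1  # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
        i += 1
    return None  # unbalanced parentheses: not a complete call

def calls_without_disable_jit(config):
    """Return (line, function, pattern) for each call lacking disable-jit."""
    findings = []
    for m in CALL_RE.finditer(config):
        body = call_body(config, m.end() - 1)
        first = FIRST_ARG_RE.match(body or "")
        if not first:
            continue  # no quoted pattern as first argument
        options = body[first.end():]  # everything after the pattern
        flags = {f.strip("\"'") for fm in FLAGS_RE.finditer(options)
                 for f in re.split(r"[,\s]+", fm.group(1))}
        if "disable-jit" not in flags:
            line = config.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1), first.group(1)))
    return findings

# Constructed sample built from the expressions quoted in the thread.
SAMPLE = r'''
filter f_avc { message(".*avc: .*"); };
filter f_pax { message("^(\\[.*\..*\] |)PAX:.*" flags(disable-jit)); };
filter f_dn { match("(?<DN>foo)|(?<DN>bar)" value(MSG) flags(store-matches, disable-jit, dupnames)); };
'''
```

The check only inspects the configuration text; it says nothing about whether a given syslog-ng build honours the flag for other regexp users such as multi-line patterns.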



