[syslog-ng] syslog-ng vs pcre2 without jit vs disable-jit config feature

Balazs Scheidler bazsi77 at gmail.com
Sun Nov 26 11:21:48 UTC 2023


Hi,

Ok, now I get it. Those messages do not relate to these filters, that's a
new functionality. I'll look into it.

Bazsi


On Thu, Nov 23, 2023, 12:31 "Tóth Attila" <atoth at atoth.sote.hu> wrote:

> Hi,
>
> These are the affected lines in my config:
> filter f_avc { message(".*avc: .*"); };
> filter f_audit { message("^(\\[.*\..*\] |)audit.*") and not message(".*avc: .*"); };
> filter f_pax { message("^(\\[.*\..*\] |)PAX:.*"); };
> filter f_grsec { message("^(\\[.*\..*\] |)grsec:.*"); };
>
> These have been there for a long time now, but obviously need a treatment to
> make them up-to-date.
> There are multiple messages during startup:
> "multi-line-pattern: Error while JIT compiling regular expression"
> and more.
>
> If I try to add disable-jit, the messages persist. So it seems syslog-ng
> still tries to use jit. Despite the messages the software is still
> functional as intended. I just want to instruct it not to try
> jit-optimizing the expressions, hence get rid of the messages.
>
> Thanks:
> Dw.
> --
> dr Tóth Attila, Radiológus, 06-20-825-8057
> Attila Toth MD, Radiologist, +36-20-825-8057
>
> On November 22, 2023 (Wed) at 12:32, Balazs Scheidler wrote:
> > Hi,
> >
> > I've now tried the disable-jit example from the documentation and it does
> > seem to work for me. I've set a breakpoint where it would do the jit
> > compilation, and it didn't do it.
> >
> > btw, I was using Axoflow produced documentation, which is somewhat more
> > usable to me:
> >
> > https://axoflow.com/docs/axosyslog-core/chapter-manipulating-messages/regular-expressions/reference-regexp-types/regexp-flags-options/regexp-flags-options-pcre/
> >
> > This is the config I have checked:
> >
> > ```
> > @version: 3.32
> >
> > log {
> >   source { tcp(port(2000)); };
> >
> >   filter { match("(?<DN>foo)|(?<DN>bar)" value(MSG) flags(store-matches, disable-jit, dupnames)); };
> >   destination { file("/tmp/log" template("$(format-json *)\n")); };
> > };
> > ```
> >
> > I am using the latest master, but 4.4.0 should be the same. How do you know
> > that jit is enabled?
> >
> >
> > On Tue, Nov 21, 2023 at 10:59 AM "Tóth Attila" <atoth at atoth.sote.hu>
> > wrote:
> >
> >> I'm using syslog-ng-4.4.0 on a Gentoo system, that also employs PaX
> >> hardening. Due to the necessity to elevate restrictions on pcre2 with jit
> >> enabled, I keep it disabled for this particular installation. Syslog-ng
> >> emits error messages during startup complaining about pcre2 and jit. I had
> >> studied the manual and found the disable-jit feature.
> >>
> >> https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.30/administration-guide/72
> >> Maybe I'm using a wrong syntax, but syslog-ng doesn't seem to respect the
> >> option. Commenting out the jit feature in the source code works, but it
> >> would be much more comfortable to find the proper way to disable jit.
> >>
> >> Are there any others who managed to use disable-jit in action?
> >>
> >> Are there any tips or tricks about what to pay attention to?
> >>
> >> Thx:
> >> Dw.
> >> --
> >> dr Tóth Attila, Radiológus, 06-20-825-8057
> >> Attila Toth MD, Radiologist, +36-20-825-8057
> >>
> >>
> >>
> ______________________________________________________________________________
> >> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> >> Documentation:
> >> http://www.balabit.com/support/documentation/?product=syslog-ng
> >> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> >>
> >>
> >
> > --
> > Bazsi
> >
> >
> >
>
>
>
>
>