[syslog-ng] syslog-ng vs pcre2 without jit vs disable-jit config feature

Balazs Scheidler bazsi77 at gmail.com
Mon Nov 27 18:37:42 UTC 2023 

Hi,

This should solve this issue for you:

https://github.com/syslog-ng/syslog-ng/actions/runs/7009313223/job/19067468747?pr=4732


On Sun, Nov 26, 2023 at 12:21 PM Balazs Scheidler <bazsi77 at gmail.com> wrote:

> Hi,
>
> Ok, now I get it. Those messages do not relate to these filters, that's a
> new functionality. I'll look into it.
>
> Bazsi
>
>
> On Thu, Nov 23, 2023, 12:31 "Tóth Attila" <atoth at atoth.sote.hu> wrote:
>
>> Hi,
>>
>> These are the affected lines in my config:
>> filter f_avc { message(".*avc: .*"); };
>> filter f_audit { message("^(\\[.*\..*\] |)audit.*") and not
>> message(".*avc: .*"); };
>> filter f_pax { message("^(\\[.*\..*\] |)PAX:.*"); };
>> filter f_grsec { message("^(\\[.*\..*\] |)grsec:.*"); };
>>
>> These are there for a long time now, but obviously needs a treatment to
>> make them up-to-date.
>> There are multiple messages during startup:
>> "multi-line-pattern: Error while JIT compiling regular expression"
>> and more.
>>
>> If I try to add disable-jit, the messages persist. So it seems syslog-ng
>> still try to use jit. Despite the messages the software is still
>> functional as intended. I just want to instruct it not to try
>> jit-optimizing the expressions, hence get rid of the messages.
>>
>> Thanks:
>> Dw.
>> --
>> dr Tóth Attila, Radiológus, 06-20-825-8057
>> Attila Toth MD, Radiologist, +36-20-825-8057
>>
>> 2023.November 22.(Sze) 12:32 időpontban Balazs Scheidler ezt írta:
>> > Hi,
>> >
>> > I've now tried the disable-jit example from the documentation and it
>> does
>> > seem to work for me. I've set a breakpoint where it would do the jit
>> > compilation, and it didn't do it.
>> >
>> > btw, I was using Axoflow produced documentation, which is somewhat more
>> > usable to me:
>> >
>> https://axoflow.com/docs/axosyslog-core/chapter-manipulating-messages/regular-expressions/reference-regexp-types/regexp-flags-options/regexp-flags-options-pcre/
>> >
>> > This is the config I have checked:
>> >
>> > ```
>> > @version: 3.32
>> >
>> > log {
>> > source { tcp(port(2000)); };
>> >
>> > filter { match("(?<DN>foo)|(?<DN>bar)" value(MSG) flags(store-matches,
>> > disable-jit, dupnames)); };
>> > destination { file("/tmp/log" template("$(format-json *)\n")); };
>> > };
>> > ```
>> >
>> > I am using the latest master, but 4.4.0 should be the same. How do you
>> > know
>> > that jit is enabled?
>> >
>> >
>> > On Tue, Nov 21, 2023 at 10:59 AM "Tóth Attila" <atoth at atoth.sote.hu>
>> > wrote:
>> >
>> >> I'm using syslog-ng-4.4.0 on a Gentoo system, that also employs PaX
>> >> hardening. Due to the necessity to elevate restrictions on pcre2 with
>> >> jit
>> >> enabled, I keep it disabled for this particular installation. Syslog-ng
>> >> emits error messages during startup complaining about pcre2 and jit. I
>> >> had
>> >> studied the manual and found the disable-jit feature.
>> >>
>> >>
>> https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.30/administration-guide/72
>> >> Maybe I'm using a wrong syntax, but syslog-ng doesn't seem to respect
>> >> the
>> >> option. Commenting out the jit feature in the source code works, but it
>> >> would be much more comfortable to find the proper way to disable jit.
>> >>
>> >> Are there any other who managed to use disable-jit in action?
>> >>
>> >> Are there any tips or tricks aboutv what to pay attention on?
>> >>
>> >> Thx:
>> >> Dw.
>> >> --
>> >> dr Tóth Attila, Radiológus, 06-20-825-8057
>> >> Attila Toth MD, Radiologist, +36-20-825-8057
>> >>
>> >>
>> >>
>> ______________________________________________________________________________
>> >> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> >> Documentation:
>> >> http://www.balabit.com/support/documentation/?product=syslog-ng
>> >> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>> >>
>> >>
>> >
>> > --
>> > Bazsi
>> >
>> ______________________________________________________________________________
>> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> > Documentation:
>> > http://www.balabit.com/support/documentation/?product=syslog-ng
>> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>> >
>> >
>>
>>
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>

-- 
Bazsi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20231127/f1f29516/attachment.htm>

More information about the syslog-ng mailing list