[syslog-ng] syslog-ng vs pcre2 without jit vs disable-jit config feature

Balazs Scheidler bazsi77 at gmail.com
Mon Nov 27 18:38:06 UTC 2023


Sorry, this one's the better reference.

https://github.com/syslog-ng/syslog-ng/pull/4732


On Mon, Nov 27, 2023 at 7:37 PM Balazs Scheidler <bazsi77 at gmail.com> wrote:

> Hi,
>
> This should solve this issue for you:
>
>
> https://github.com/syslog-ng/syslog-ng/actions/runs/7009313223/job/19067468747?pr=4732
>
>
> On Sun, Nov 26, 2023 at 12:21 PM Balazs Scheidler <bazsi77 at gmail.com>
> wrote:
>
>> Hi,
>>
>> Ok, now I get it. Those messages do not relate to these filters, that's a
>> new functionality. I'll look into it.
>>
>> Bazsi
>>
>>
>> On Thu, Nov 23, 2023, 12:31 "Tóth Attila" <atoth at atoth.sote.hu> wrote:
>>
>>> Hi,
>>>
>>> These are the affected lines in my config:
>>> filter f_avc { message(".*avc: .*"); };
>>> filter f_audit { message("^(\\[.*\..*\] |)audit.*") and not
>>> message(".*avc: .*"); };
>>> filter f_pax { message("^(\\[.*\..*\] |)PAX:.*"); };
>>> filter f_grsec { message("^(\\[.*\..*\] |)grsec:.*"); };
>>>
>>> These have been there for a long time now, but obviously need a treatment to
>>> make them up-to-date.
>>> There are multiple messages during startup:
>>> "multi-line-pattern: Error while JIT compiling regular expression"
>>> and more.
>>>
>>> If I try to add disable-jit, the messages persist. So it seems syslog-ng
>>> still tries to use jit. Despite the messages the software is still
>>> functional as intended. I just want to instruct it not to try
>>> jit-optimizing the expressions, hence get rid of the messages.
>>>
>>> Thanks:
>>> Dw.
>>> --
>>> dr Tóth Attila, Radiológus, 06-20-825-8057
>>> Attila Toth MD, Radiologist, +36-20-825-8057
>>>
>>> On 22 November 2023 (Wed) at 12:32, Balazs Scheidler wrote:
>>> > Hi,
>>> >
>>> > I've now tried the disable-jit example from the documentation and it does
>>> > seem to work for me. I've set a breakpoint where it would do the jit
>>> > compilation, and it didn't do it.
>>> >
>>> > btw, I was using Axoflow produced documentation, which is somewhat more
>>> > usable to me:
>>> >
>>> > https://axoflow.com/docs/axosyslog-core/chapter-manipulating-messages/regular-expressions/reference-regexp-types/regexp-flags-options/regexp-flags-options-pcre/
>>> >
>>> > This is the config I have checked:
>>> >
>>> > ```
>>> > @version: 3.32
>>> >
>>> > log {
>>> > source { tcp(port(2000)); };
>>> >
>>> > filter { match("(?<DN>foo)|(?<DN>bar)" value(MSG) flags(store-matches,
>>> > disable-jit, dupnames)); };
>>> > destination { file("/tmp/log" template("$(format-json *)\n")); };
>>> > };
>>> > ```
>>> >
>>> > I am using the latest master, but 4.4.0 should be the same. How do you
>>> > know that jit is enabled?
>>> >
>>> >
>>> > On Tue, Nov 21, 2023 at 10:59 AM "Tóth Attila" <atoth at atoth.sote.hu>
>>> > wrote:
>>> >
>>> >> I'm using syslog-ng-4.4.0 on a Gentoo system, that also employs PaX
>>> >> hardening. Due to the necessity to elevate restrictions on pcre2 with jit
>>> >> enabled, I keep it disabled for this particular installation. Syslog-ng
>>> >> emits error messages during startup complaining about pcre2 and jit. I had
>>> >> studied the manual and found the disable-jit feature.
>>> >>
>>> >> https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.30/administration-guide/72
>>> >>
>>> >> Maybe I'm using a wrong syntax, but syslog-ng doesn't seem to respect the
>>> >> option. Commenting out the jit feature in the source code works, but it
>>> >> would be much more comfortable to find the proper way to disable jit.
>>> >>
>>> >> Are there any others who managed to use disable-jit in action?
>>> >>
>>> >> Are there any tips or tricks about what to pay attention to?
>>> >>
>>> >> Thx:
>>> >> Dw.
>>> >> --
>>> >> dr Tóth Attila, Radiológus, 06-20-825-8057
>>> >> Attila Toth MD, Radiologist, +36-20-825-8057
>>> >>
>>> >>
>>> >>
>>> ______________________________________________________________________________
>>> >> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> >> Documentation:
>>> >> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> >> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>> >>
>>> >>
>>> >
>>> > --
>>> > Bazsi
>>> >
>>> >
>>> >
>
> --
> Bazsi
>


-- 
Bazsi
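
An added example, not part of the original thread or of syslog-ng: a small Python check that lists each `match()`/`message()` filter expression in a config and whether it carries `flags(disable-jit)`. The names `mask` and `audit_disable_jit` and the sample config are constructed for illustration; it only looks at these two filter functions, not at other places where syslog-ng compiles regexes, such as the `multi-line-pattern` messages discussed above.

```python
import re

CALL = re.compile(r"\b(match|message)\s*\(")    # regex filter functions seen in the thread
FLAGS = re.compile(r"\bflags\s*\(([^()]*)\)")

def mask(text):
    """Blank out quoted strings and # comments, preserving offsets and line breaks.
    Backslash escapes are honoured only inside double-quoted strings."""
    out, quote, comment, i = [], None, False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\n":
            comment = False
            out.append(ch)
        elif comment:
            out.append(" ")
        elif quote:
            if ch == "\\" and quote == '"' and i + 1 < len(text):
                out.append(" \n" if text[i + 1] == "\n" else "  ")
                i += 1
            else:
                quote = None if ch == quote else quote
                out.append(" ")
        elif ch in "\"'#":
            quote, comment = (None, True) if ch == "#" else (ch, False)
            out.append(" ")
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def audit_disable_jit(config):
    """Return (line, function, has_disable_jit) for every match()/message() call."""
    masked, findings = mask(config), []
    for m in CALL.finditer(masked):
        depth, j = 1, m.end()
        while j < len(masked) and depth:        # find the call's closing parenthesis
            depth += {"(": 1, ")": -1}.get(masked[j], 0)
            j += 1
        flags = {f.strip(" \t\n\"'") for fm in FLAGS.finditer(masked, m.end(), j)
                 for f in config[fm.start(1):fm.end(1)].split(",")}
        findings.append((masked.count("\n", 0, m.start()) + 1, m.group(1), "disable-jit" in flags))
    return findings

# Constructed sample config, modelled on the filter styles quoted in the thread.
SAMPLE = r'''
@version: 4.4
filter f_avc { message(".*avc: .*"); };
filter f_pax { message("^(\\[.*\..*\] |)PAX:.*" flags(disable-jit)); };
filter f_dn { match("(?<DN>foo)|(?<DN>bar)" value(MSG) flags(store-matches, disable-jit, dupnames)); };
'''
```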