[syslog-ng] syslog-ng vs pcre2 without jit vs disable-jit config feature

"Tóth Attila" atoth at atoth.sote.hu
Mon Nov 27 20:17:26 UTC 2023


Dear Balázs,

This will probably handle the issue properly.

Thanks:
Attila
-- 
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On Mon, November 27, 2023 at 19:38, Balazs Scheidler wrote:
> Sorry, this one's the better reference.
>
> https://github.com/syslog-ng/syslog-ng/pull/4732
>
>
> On Mon, Nov 27, 2023 at 7:37 PM Balazs Scheidler <bazsi77 at gmail.com>
> wrote:
>
>> Hi,
>>
>> This should solve this issue for you:
>>
>>
>> https://github.com/syslog-ng/syslog-ng/actions/runs/7009313223/job/19067468747?pr=4732
>>
>>
>> On Sun, Nov 26, 2023 at 12:21 PM Balazs Scheidler <bazsi77 at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> Ok, now I get it. Those messages do not relate to these filters, that's a
>>> new functionality. I'll look into it.
>>>
>>> Bazsi
>>>
>>>
>>> On Thu, Nov 23, 2023, 12:31 "Tóth Attila" <atoth at atoth.sote.hu> wrote:
>>>
>>>> Hi,
>>>>
>>>> These are the affected lines in my config:
>>>> filter f_avc { message(".*avc: .*"); };
>>>> filter f_audit { message("^(\\[.*\..*\] |)audit.*") and not message(".*avc: .*"); };
>>>> filter f_pax { message("^(\\[.*\..*\] |)PAX:.*"); };
>>>> filter f_grsec { message("^(\\[.*\..*\] |)grsec:.*"); };
>>>>
>>>> These have been there for a long time now, but obviously need a treatment to
>>>> make them up-to-date.
>>>> There are multiple messages during startup:
>>>> "multi-line-pattern: Error while JIT compiling regular expression"
>>>> and more.
>>>>
>>>> If I try to add disable-jit, the messages persist. So it seems syslog-ng
>>>> still tries to use jit. Despite the messages the software is still
>>>> functional as intended. I just want to instruct it not to try
>>>> jit-optimizing the expressions, hence get rid of the messages.
>>>>
>>>> Thanks:
>>>> Dw.
>>>> --
>>>> dr Tóth Attila, Radiológus, 06-20-825-8057
>>>> Attila Toth MD, Radiologist, +36-20-825-8057
>>>>
>>>> On Wed, November 22, 2023 at 12:32, Balazs Scheidler wrote:
>>>> > Hi,
>>>> >
>>>> > I've now tried the disable-jit example from the documentation and it does
>>>> > seem to work for me. I've set a breakpoint where it would do the jit
>>>> > compilation, and it didn't do it.
>>>> >
>>>> > btw, I was using Axoflow produced documentation, which is somewhat more
>>>> > usable to me:
>>>> >
>>>> > https://axoflow.com/docs/axosyslog-core/chapter-manipulating-messages/regular-expressions/reference-regexp-types/regexp-flags-options/regexp-flags-options-pcre/
>>>> >
>>>> > This is the config I have checked:
>>>> >
>>>> > ```
>>>> > @version: 3.32
>>>> >
>>>> > log {
>>>> > source { tcp(port(2000)); };
>>>> >
>>>> > filter { match("(?<DN>foo)|(?<DN>bar)" value(MSG) flags(store-matches, disable-jit, dupnames)); };
>>>> > destination { file("/tmp/log" template("$(format-json *)\n")); };
>>>> > };
>>>> > ```
>>>> >
>>>> > I am using the latest master, but 4.4.0 should be the same. How do you
>>>> > know that jit is enabled?
>>>> >
>>>> >
>>>> > On Tue, Nov 21, 2023 at 10:59 AM "Tóth Attila" <atoth at atoth.sote.hu>
>>>> > wrote:
>>>> >
>>>> >> I'm using syslog-ng-4.4.0 on a Gentoo system, that also employs PaX
>>>> >> hardening. Due to the necessity to elevate restrictions on pcre2 with jit
>>>> >> enabled, I keep it disabled for this particular installation. Syslog-ng
>>>> >> emits error messages during startup complaining about pcre2 and jit. I had
>>>> >> studied the manual and found the disable-jit feature.
>>>> >>
>>>> >> https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.30/administration-guide/72
>>>> >> Maybe I'm using a wrong syntax, but syslog-ng doesn't seem to respect the
>>>> >> option. Commenting out the jit feature in the source code works, but it
>>>> >> would be much more comfortable to find the proper way to disable jit.
>>>> >>
>>>> >> Are there any others who managed to use disable-jit in action?
>>>> >>
>>>> >> Are there any tips or tricks about what to pay attention to?
>>>> >>
>>>> >> Thx:
>>>> >> Dw.
>>>> >> --
>>>> >> dr Tóth Attila, Radiológus, 06-20-825-8057
>>>> >> Attila Toth MD, Radiologist, +36-20-825-8057
>>>> >>
>>>> >>
>>>> >>
>>>> ______________________________________________________________________________
>>>> >> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>> >> Documentation:
>>>> >> http://www.balabit.com/support/documentation/?product=syslog-ng
>>>> >> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>> >>
>>>> >>
>>>> >
>>>> > --
>>>> > Bazsi
>>>> >
>>>> >
>>>> >
>>>>
>>>>
>>>>
>>>>
>>>>
>>
>> --
>> Bazsi
>>
>
>
> --
> Bazsi
>
>
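
An added example (not part of the thread and not syslog-ng code): a small Python audit that lists the message() and match() filter calls in a configuration that do not carry the disable-jit flag discussed above. The function names and the sample config are constructed for illustration; as the thread notes, the startup messages came from multi-line-pattern, so this only audits flag usage in filters.

```python
import re

REGEX_FILTERS = ("message", "match")  # assumption: only the filters used in this thread
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'[^\']*\'|\bflags\s*\(')

def call_args(text, start):
    """Text between the '(' at `start` and its matching ')', ignoring quoted strings."""
    depth, i, quote = 0, start, None
    while i < len(text):
        c = text[i]
        if quote:
            if c == "\\" and quote == '"':
                i += 1                      # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
        i += 1
    raise ValueError("unbalanced parentheses")

def flag_names(args):
    """Flags from the first flags(...) option that is not inside a quoted pattern."""
    for tok in TOKEN.finditer(args):
        if tok.group().startswith("flags"):
            inner = call_args(args, tok.end() - 1)
            return {f.strip("\"'") for f in re.split(r"[\s,]+", inner) if f}
    return set()

def missing_disable_jit(config):
    """(line, function) for each audited filter call without the disable-jit flag."""
    found = []
    for m in re.finditer(r"\b(%s)\s*\(" % "|".join(REGEX_FILTERS), config):
        if "disable-jit" not in flag_names(call_args(config, m.end() - 1)):
            found.append((config.count("\n", 0, m.start()) + 1, m.group(1)))
    return found

# Constructed sample built from the filter styles quoted in this thread.
SAMPLE = r'''
filter f_avc { message(".*avc: .*"); };
filter f_pax { message("^(\\[.*\..*\] |)PAX:.*" flags(disable-jit)); };
filter f_dn { match("(?<DN>foo)|(?<DN>bar)" value(MSG) flags(store-matches, disable-jit, dupnames)); };
'''
if __name__ == "__main__":
    for line, func in missing_disable_jit(SAMPLE):
        print(f"line {line}: {func}() has no disable-jit flag")
```

The scan does not skip comments or filter names that appear inside quoted templates, so review its findings against the config by hand.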



