patterndb fails to merge two rulesets with program overlap #2763

Open
faxm0dem opened this issue Jun 3, 2019 · 3 comments

@faxm0dem
Contributor

faxm0dem commented Jun 3, 2019

syslog-ng

Version of syslog-ng

syslog-ng 3 (3.21.1)
Config version: 3.21
Installer-Version: 3.21.1
Revision:
Compile-Date: May 13 2019 13:36:58
Module-Directory: //usr/lib64/syslog-ng
Module-Path: //usr/lib64/syslog-ng
Include-Path: /usr/share/syslog-ng/include
Available-Modules: kvformat,cef,json-plugin,syslogformat,tfgetent,map-value-pairs,afprog,afamqp,basicfuncs,xml,appmodel,csvparser,afstomp,afsocket,sdjournal,disk-buffer,hook-commands,system-source,linux-kmsg-format,snmptrapd-parser,dbparser,cryptofuncs,confgen,stardate,examples,afuser,pseudofile,date,graphite,http,add-contextual-data,affile,tags-parser
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: on

Platform

Centos 7 x86_64

Issue

Failure

Error parsing pattern database file; filename='/tmp/m.xml', error='/tmp/m.xml:18:23: Joining rulesets with mismatching program name sets, program=A'

Configuration

@version: 3.21

log {
  source {
    file("/dev/stdin");
  };
  parser {
    db-parser(file("/tmp/m.xml"));
  };
};

(or gist URL)

PatternDB configuration

<?xml version='1.0' encoding='UTF-8'?>
  <patterndb version="4" pub_date="2019-06-03 15:27:28">
     <ruleset id="a00191c823794a7fbb694b85131353f26b509f98" name="A">
        <patterns>
           <pattern>A</pattern>
        </patterns>
        <rules>
           <rule id="40059fe2ad8cc03950807813e239cc5be240ad19">
              <patterns>
                 <pattern>foo</pattern>
              </patterns>
           </rule>
        </rules>
     </ruleset>
     <ruleset id="17fae6edff32a53f9f294ab21240fc2641e7a4db" name="B">
        <patterns>
           <pattern>B</pattern>
           <pattern>A</pattern>
        </patterns>
        <rules>
           <rule id="4fd01a4442a607b78d9d0989b67b713e125e72e6">
              <patterns>
                 <pattern>bar</pattern>
              </patterns>
           </rule>
        </rules>
     </ruleset>
  </patterndb>

Note

Inverting the order of A and B in the second ruleset makes the error message go away, and syslog-ng loads the patterndb.
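A pre-deployment check for the condition reported above, as an added example that is not part of the original report or of syslog-ng: it lists program patterns that appear in more than one ruleset whose ruleset-level program pattern sets differ. The function names are hypothetical, the sample is constructed from the report's two rulesets, and the check is deliberately conservative, so it also flags the reordered variant that the note above says loads.

```python
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the two rulesets from the report, ids and rules omitted.
SAMPLE = """<patterndb version="4" pub_date="2019-06-03 15:27:28">
  <ruleset name="A"><patterns><pattern>A</pattern></patterns></ruleset>
  <ruleset name="B"><patterns><pattern>B</pattern><pattern>A</pattern></patterns></ruleset>
</patterndb>"""

def program_sets(xml_data):
    """Return [(ruleset name, [program patterns in document order])]."""
    root = ET.fromstring(xml_data)
    result = []
    for ruleset in root.iter("ruleset"):
        # Only the ruleset-level <patterns>, not the <patterns> inside each <rule>.
        programs = [(p.text or "").strip() for p in ruleset.findall("./patterns/pattern")]
        result.append((ruleset.get("name", "?"), programs))
    return result

def find_overlaps(xml_data):
    """Return [(program, [ruleset names])] for programs shared by rulesets
    whose program pattern sets are not identical."""
    owners = defaultdict(list)  # program -> [(ruleset name, set of its programs)]
    for name, programs in program_sets(xml_data):
        for program in set(programs):
            owners[program].append((name, frozenset(programs)))
    findings = []
    for program, refs in sorted(owners.items()):
        if len({pset for _, pset in refs}) > 1:
            findings.append((program, [name for name, _ in refs]))
    return findings

if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    hits = find_overlaps(data)
    for program, rulesets in hits:
        print(f"program {program!r} shared by rulesets with differing sets: {rulesets}")
    sys.exit(1 if hits else 0)
```

Run against a patterndb file before reloading syslog-ng; a non-zero exit status means at least one overlapping program pattern was found.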

@faxm0dem
Contributor Author

Hi, do you need any more information concerning this issue?

@alltilla
Collaborator

I checked the code, and if I understand right, patterndb is not prepared to handle multiple rulesets with multiple program patterns in each, which have collision between different rulesets.
However, I think it should...

I will write a failing unit test for this scenario, so we can start working on refactoring and fixing this.

@nitishsaboo

nitishsaboo commented Feb 13, 2020

@alltilla @MrAnno Getting similar issue in syslog-ng-3.25.1 version. The same default.xml file was parsing correctly in version syslog-ng-3.6.2 and syslog-ng-3.7.1

2020-02-13T10:47:29.631090] Error parsing pattern database file; filename='/home/nsaboo/abc/default.xml', error='/home/nsaboo/abc/default.xml:17274:22: Joining rulesets with mismatching program name sets, program=proxysg'.

Why getting this issue in syslog-ng-3.25.1 and not in syslog-ng-3.6.2 and syslog-ng-3.7.1? When can we expect the fix for this? Do we have any workaround for this?
