Comments (7)
This has been fixed in syslog-ng v3.8.1 (#1032, 82b473e#diff-d9f8b4f62fd3294230ca43a28a2c0cb1R308).
Since then, only the following actions are supported:
- create-context
- message

<value> as an action is not valid anymore:
Error parsing pattern database file; filename='pdb.xml', error='pdb.xml:12:1: Unexpected <values> tag, expected <message> or <create-context>'
If you want to achieve the same behavior, it can be done with the following cleaner syntax:
<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='4' pub_date='2014-06-16'>
  <ruleset name='myname' id='123456789'>
    <rules>
      <rule id='123' class='myclass' provider='bcn'>
        <patterns>
          <pattern>@ESTRING:greeting: @@ANYSTRING:who@</pattern>
        </patterns>
        <values>
          <value name="answer">hi</value>
        </values>
      </rule>
    </rules>
  </ruleset>
</patterndb>
from syslog-ng.
It seems to be an unfortunate coincidence of XML parsing mistakes and celestial object alignments :D. So, when you omit the "message" tag, patterndb does not set the action's content type, so the action is simply not triggered (that's why no new message is created). But because there is a "value" tag there, patterndb tries to attach it to the last valid message context, which is the rule's own message context (the "message" tag creates a new message context during patterndb parsing). If you don't need a condition, then you can use something like this without actions (and pretty much this happens in your case):
<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='4' pub_date='2014-06-16'>
  <ruleset name='myname' id='123456789'>
    <rules>
      <rule id='123' class='myclass' provider='bcn'>
        <patterns>
          <pattern>@ESTRING:greeting: @@ANYSTRING:who@</pattern>
        </patterns>
        <values>
          <value name="answer">hi</value>
        </values>
      </rule>
    </rules>
  </ruleset>
</patterndb>
If you need a condition, then we should implement a rewrite rule action. But you can still create a new message with a trigger, use the inherit-properties attribute in the "message" tag, set or overwrite properties from "value" tags, and then drop the original message.
from syslog-ng.
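A pre-upgrade check for the two situations described in the comments above (a non-`<message>`/`<create-context>` child under `<action>`, and an action with neither), as an added example that is not part of the thread or of syslog-ng. The function name `lint_actions` and the sample database are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Children accepted directly under <action> since syslog-ng 3.8.1 (per the thread).
ALLOWED = {"create-context", "message"}

# Constructed sample: rule 123 puts <values> straight under <action>;
# rule 124 wraps the same content in <message>.
SAMPLE_PDB = """<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='4' pub_date='2014-06-16'>
<ruleset name='myname' id='123456789'>
 <rules>
  <rule id='123' class='myclass' provider='bcn'>
   <patterns><pattern>@ESTRING:greeting: @@ANYSTRING:who@</pattern></patterns>
   <actions><action>
    <values><value name="answer">hi</value></values>
   </action></actions>
  </rule>
  <rule id='124' class='myclass' provider='bcn'>
   <patterns><pattern>bye @ANYSTRING:who@</pattern></patterns>
   <actions><action>
    <message><values><value name="answer">bye</value></values></message>
   </action></actions>
  </rule>
 </rules>
</ruleset>
</patterndb>
"""

def lint_actions(pdb_xml):
    """Return (rule_id, action_no, problem) for each suspicious <action> element."""
    findings = []
    root = ET.fromstring(pdb_xml.encode("utf-8"))
    for rule in root.iter("rule"):
        rule_id = rule.get("id", "?")
        for number, action in enumerate(rule.iter("action"), start=1):
            tags = [child.tag for child in action]
            for tag in tags:
                if tag not in ALLOWED:
                    findings.append((rule_id, number, f"unexpected <{tag}>"))
            if not ALLOWED.intersection(tags):
                # Per the thread, older parsers left such an action untriggered
                findings.append((rule_id, number, "no <message> or <create-context>"))
    return findings

if __name__ == "__main__":
    for rule_id, number, problem in lint_actions(SAMPLE_PDB):
        print(f"rule {rule_id}, action {number}: {problem}")
```
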
yeah, indeed. But I've figured many ppl find it misleading to get message duplication. They expect the original message to be dropped, the "enriched" one to be promoted. I personally think this is a minor issue. Thanks for looking into this!
from syslog-ng.
@bazsi should we mark this as a feature or a bug?
from syslog-ng.
@bazsi What do you think? I'd expect from an action that it creates a new message so I'd consider this as a bug.
from syslog-ng.
/me votes for a bug
from syslog-ng.
I agree it's a bug. I intended actions to generate a separate message. If you want to enrich the current message it should just be added to the rule tag.
On Dec 2, 2015 4:20 PM, "Fabien Wernli" [email protected] wrote:
/me votes for a bug
from syslog-ng.