being back to the office, working through my mail backlog (mostly in sequence ;)). It would be a good idea to create a bug tracker. I guess it is definitely related to how the parse tree is built.
Rainer

> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of Champ Clark III [Softwink]
> Sent: Monday, January 10, 2011 2:37 AM
> To: [email protected]
> Subject: [rsyslog] Strange liblognorm issue(s)...
>
>
> I was working on some liblognorm rules, and ran into something rather
> strange. First, here's an example rule (that works).. This is my
> input being examined:
>
> sshd[24833]: Invalid user champtest from 192.168.1.1
>
> --<snip>----
> prefix=sshd[%pid:number%]:
> rule=: Invalid user champtest from %src-ip:ipv4%
> --<snip>----
>
> This works fine...
>
> Normlize: [...@115 src-ip="98.224.46.168" pid="24500"]
>
> So I add to it to grab the username, like thus:
>
> --<snip>----
> prefix=sshd[%pid:number%]:
> rule=: Invalid user %user:word% from %src-ip:ipv4%
> --<snip>----
>
> This produces a segfault. However, this works:
>
> --<snip>----
> prefix=sshd[%pid:number%]:
> rule=: %invalid:word% user %user:word% %from:word% %src-ip:ipv4%
> --<snip>----
>
> Normlize: [...@115 src-ip="98.224.46.168" from="from" user="champtest" invalid="Invalid" pid="24766"]
>
> I changed the rule a little bit (dropped the prefix). This works:
>
> --<snip>----
> prefix=
> rule=:sshd[%pid:number%]: %invalid:word% user %user:word% %from:word% %src-ip:ipv4%
> --<snip>----
>
> This works fine:
>
> Normlize: [...@115 src-ip="98.224.46.168" from="from" user="champtest" invalid="Invalid" pid="24797"]
>
> This causes a seg fault:
>
> --<snip>----
> prefix=
> rule=:sshd[%pid:number%]: Invalid user %user:word% %from:word% %src-ip:ipv4%
> --<snip>----
>
> Can someone attempt to reproduce? It's really strange! I can
> provide straces/gdb dumps if need be.
>
> --
> Champ Clark III | Softwink, Inc | 800-538-9357 x 101
> http://www.softwink.com
>
> GPG Key ID: 58A2A58F
> Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
> If it wasn't for C, we'd be using BASI, PASAL and OBOL.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
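What the two rulebases reported as segfaulting are expected to extract from the sample sshd line, as an added example (not liblognorm code and not written by either poster): a simplified regex-based matcher for the rulebase syntax quoted above, usable as a reference result when testing a fixed build. The field semantics (number = digits, word = run of non-space characters, ipv4 = dotted quad) and the names `compile_sample`, `load_rulebase` and `normalize` are assumptions; it builds no parse tree, so it does not reproduce the crash.

```python
import re

# Assumed, simplified field semantics; liblognorm's own parsers are not used here.
FIELD_TYPES = {"number": r"\d+", "word": r"\S+", "ipv4": r"(?:\d{1,3}\.){3}\d{1,3}"}
FIELD = re.compile(r"%([^:%]+):([^%]+)%")

def compile_sample(sample):
    """Compile one sample (prefix + rule body) to a regex plus ordered field names."""
    pattern, names, pos = "", [], 0
    for m in FIELD.finditer(sample):
        name, ftype = m.group(1), m.group(2)
        if ftype not in FIELD_TYPES:
            raise ValueError("unsupported field type: " + ftype)
        # Literal text between fields is matched verbatim.
        pattern += re.escape(sample[pos:m.start()]) + "(" + FIELD_TYPES[ftype] + ")"
        names.append(name)  # positional groups: "src-ip" is not a valid group name
        pos = m.end()
    return re.compile(pattern + re.escape(sample[pos:])), names

def load_rulebase(text):
    """Read prefix=/rule= lines; the current prefix is prepended to each rule body."""
    prefix, rules = "", []
    for line in text.splitlines():
        if line.startswith("prefix="):
            prefix = line[len("prefix="):]
        elif line.startswith("rule="):
            body = line[len("rule="):].split(":", 1)[1]  # drop the tag list before ':'
            rules.append(compile_sample(prefix + body))
    return rules

def normalize(rules, msg):
    """Return the extracted fields of the first rule matching the whole message."""
    for regex, names in rules:
        m = regex.fullmatch(msg)
        if m:
            return dict(zip(names, m.groups()))
    return None

# Input line and the two crashing rulebases, copied from the quoted report.
MSG = "sshd[24833]: Invalid user champtest from 192.168.1.1"
CRASH_WITH_PREFIX = "prefix=sshd[%pid:number%]:\nrule=: Invalid user %user:word% from %src-ip:ipv4%\n"
CRASH_NO_PREFIX = ("prefix=\nrule=:sshd[%pid:number%]: Invalid user %user:word% "
                   "%from:word% %src-ip:ipv4%\n")

if __name__ == "__main__":
    for rb in (CRASH_WITH_PREFIX, CRASH_NO_PREFIX):
        print(normalize(load_rulebase(rb), MSG))
```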

