Ok. I've created https://github.com/rsyslog/rsyslog/issues/230 to track the issue.

Thanks!

-- James
________________________________________
From: [email protected] <[email protected]> on behalf of Rainer Gerhards <[email protected]>
Sent: Wednesday, January 28, 2015 8:01 AM
To: rsyslog-users
Subject: Re: [rsyslog] re_extract does not support all regex

thx!

2015-01-28 14:47 GMT+01:00 Boylan, James <[email protected]>:

> Sounds good!
>
> I'll create an issue and update it with all of the details. I'll add in
> the valgrind output as well once I have it.
>
> Thanks!
>
> -- James
> --- Sent from my mobile phone ---
>
> ----- Reply message -----
> From: "Rainer Gerhards" <[email protected]>
> To: "rsyslog-users" <[email protected]>
> Subject: [rsyslog] re_extract does not support all regex
> Date: Wed, Jan 28, 2015 7:39 AM
>
> 2015-01-28 14:35 GMT+01:00 Boylan, James <[email protected]>:
>
> > Does anyone have any suggestions on this?
> >
> > I would suspect that I have just hit a limitation of the regex
> > implementation in rsyslog except that it crashes with no errors which
> > doesn't strike me as standard behavior.
>
> Definitely not. That's for sure a bug. I suggest you also open a bug
> tracker on github. That makes it easier for me to remember and address it as
> soon as I have time.
>
> > If it would help I can get some valgrind output from it.
>
> Would definitely help!
>
> Rainer
>
> > Let me know.
> >
> > -- James
> > --- Sent from my mobile phone ---
> >
> > ----- Reply message -----
> > From: "Boylan, James" <[email protected]>
> > To: "rsyslog-users" <[email protected]>
> > Subject: [rsyslog] re_extract does not support all regex
> > Date: Tue, Jan 27, 2015 2:45 PM
> >
> > I was trying to use the regex
> > '^[ ]?.+?(?=\\|)\\|.+?(?=\\|)\\|.+?(?=\\^)\\^(.*)'
> > with re_extract and found that it would cause rsyslogd to crash on 8.4.2.
> > However the pattern
> > '^[ ]?[A-Za-z0-9._-]+\\|[A-Za-z0-9._-]+\\|[A-Za-z0-9._-]+[\\^](.*)'
> > works fine.
> >
> > I didn't see anything specific in the debugging output as to why it
> > crashed. It just stopped running. I can see the first instance of applying
> > the regex, but after that the -dn output just stops.
> >
> > Debug log snippet:
> >
> > 1050.148857834:currAppLog.main_Q:Reg/w0: SET !cleanmessage =
> > 1050.148883306:currAppLog.main_Q:Reg/w0: function 're_extract
> > 1050.148923362:imptcp.c : Parser 'rsyslog.rfc3164' returned 0
> > 1050.148936254:7fe0a6495700: Parser 'rsyslog.rfc3164' returned 0
> > 1050.148948996:currAppLog.main_Q:Reg/w0: ' (id:8, params:5)
> > 1050.148959121:currAppLog.main_Q:Reg/w0: var 'msg'
> > 1050.148991421:currAppLog.main_Q:Reg/w0: string '^[ ]?(.+?)(?=\|)\|(.+?)(?=\|)\|(.+?)(?=\^)\^(.*)'
> > 1050.149030510:currAppLog.main_Q:Reg/w0: 3
> > 1050.149061644:currAppLog.main_Q:Reg/w0: 1
> > 1050.149090836:currAppLog.main_Q:Reg/w0: string 'Unknown'
> > 1050.149130293:currAppLog.main_Q:Reg/w0: END SET
> > 1050.149151199:currAppLog.main_Q:Reg/w0: eval expr 0x7fe12ba41500, type 'F[70]'
> > 1050.149158854:currAppLog.main_Q:Reg/w0: rainerscript: executing function id 8
> > 1050.149167329:currAppLog.main_Q:Reg/w0: eval expr 0x7fe12ba3aeb0, type 'V[86]'
> > 1050.149193316:imptcp.c : msg parser: flags 30, from ' server2.example.com', msg '<190>Jan 27 20:37:30 server2.example.com -[-]: wl|28.143|'
> > 1050.149203171:imptcp.c : parse using parser list 0x7fe12ba23c60 (the default list).
> > 1050.149212163:imptcp.c : Parser 'rsyslog.rfc5424' returned -2160
> > 1050.149219838:imptcp.c : Message will now be parsed by the legacy syslog parser (one size fits all... ;)).
> > 1050.149228720:currAppLog.main_Q:Reg/w0: rainerscript: var 1: ' appname|20.409|0-logtype^20150127-143709.812|W|server.example.com |app-20.409-0||~|refnumber||class:102|payload'
> > 1050.149239397:currAppLog.main_Q:Reg/w0: eval expr 0x7fe12ba3aeb0, return datatype 'S'
> > 1050.149247727:currAppLog.main_Q:Reg/w0: eval expr 0x7fe12ba3c6f0, type 'N[78]'
> > 1050.149256037:currAppLog.main_Q:Reg/w0: eval expr 0x7fe12ba3c6f0, return datatype 'N'
> > 1050.149263919:currAppLog.main_Q:Reg/w0: eval expr 0x7fe12ba3b0a0, type 'N[78]'
> > 1050.149272074:currAppLog.main_Q:Reg/w0: eval expr 0x7fe12ba3b0a0, return datatype 'N'
> > 1050.149281129:imptcp.c : Parser 'rsyslog.rfc3164' returned 0
> > 1050.149294324:7fe0a6495700: msg parser: flags 30, from ' server.example.com', msg '<190>Jan 27 20:37:30 server.example.com -[-]: hs'
> > 1050.149306763:7fe0a6495700: parse using parser list 0x7fe12ba23c60 (the default list).
> > 1050.149312069:7fe0a6495700: Parser 'rsyslog.rfc5424' returned -2160
> > 1050.149316878:7fe0a6495700: Message will now be parsed by the legacy syslog parser (one size fits all... ;)).
> > 1050.149322165:7fe0a6495700: Parser 'rsyslog.rfc3164' returned 0
> > 1050.149329690:imptcp.c : msg parser: flags 30, from ' server2.example.com', msg '<190>Jan 27 20:37:30 server2.example.com -[-]: appname|28.143|'
> >
> > -- James
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.

