syslog-ng doesn't properly evaluate nested filters

Bug #1603301 reported by Shintaro Kojima
This bug affects 2 people
Affects: syslog-ng (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Having a problem with syslog-ng 3.5.6-2.1 on Ubuntu 16.04 LTS.

It doesn't properly evaluate syslog messages with the nested filter configuration below.

# /etc/syslog-ng/syslog-ng.conf
destination d_filtered { file("/var/log/filtered.log"); };

filter f_1 { host("ubuntu"); };
filter f_2 { filter(f_1); };
filter f_3 { filter(f_2); };

log { source(s_src); filter(f_3); destination(d_filtered); };

$ sudo systemctl restart syslog-ng
$ logger foo
# it does NOT report the log into /var/log/filtered.log

3 nested filters do not work correctly, but 2 nested filters do.

# /etc/syslog-ng/syslog-ng.conf
destination d_filtered { file("/var/log/filtered.log"); };

filter f_1 { host("ubuntu"); };
filter f_2 { filter(f_1); };

log { source(s_src); filter(f_2); destination(d_filtered); };

$ sudo systemctl restart syslog-ng
$ logger foo
# it reports "Jul 15 03:26:51 ubuntu-xenial ubuntu: foo" into /var/log/filtered.log

This problem was fixed in a newer version of syslog-ng:

# install dependencies
$ sudo apt-get install -y build-essential pkg-config libtool automake libglib2.0-dev

$ git clone https://github.com/balabit/eventlog.git
$ cd eventlog/
$ ./autogen.sh
$ ./configure
$ make
$ sudo make install
$ sudo ldconfig

# install a newer syslog-ng
$ wget https://github.com/balabit/syslog-ng/releases/download/syslog-ng-3.6.2/syslog-ng-3.6.2.tar.gz
$ tar zxvf syslog-ng-3.6.2.tar.gz
$ cd syslog-ng-3.6.2/
$ ./configure
$ make
$ sudo make install
$ sudo ldconfig

# append similar configuration into scl/syslog-ng.conf
destination d_filtered { file("/var/log/filtered.log"); };

filter f_1 { host("ubuntu"); };
filter f_2 { filter(f_1); };
filter f_3 { filter(f_2); };

log { source(s_local); filter(f_3); destination(d_filtered); };

$ sudo syslog-ng -F -f ./scl/syslog-ng.conf
$ logger foo
# it reports "Jul 15 03:47:52 ubuntu-xenial ubuntu[8034]: foo" into /var/log/filtered.log

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: syslog-ng 3.5.6-2.1
ProcVersionSignature: User Name 4.4.0-28.47-generic 4.4.13
Uname: Linux 4.4.0-28-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
Date: Fri Jul 15 04:15:33 2016
PackageArchitecture: all
ProcEnviron:
 TERM=screen-256color
 SHELL=/bin/bash
 PATH=(custom, user)
 LANG=en_US.UTF-8
 XDG_RUNTIME_DIR=<set>
SourcePackage: syslog-ng
UpgradeStatus: No upgrade log present (probably fresh install)
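
An added example, not part of the original report or of syslog-ng: a Python check that scans a syslog-ng configuration for log paths whose filter() reference chain is deeper than two levels, the case the report shows not reaching the destination on 3.5.6-2.1. It assumes flat `filter NAME { ... };` and `log { ... };` statements without nested braces; the function names and the `max_depth` threshold are hypothetical, and treating chains deeper than three as equally suspect is an assumption the report does not test.

```python
import re
import sys

# Constructed sample: the three-level configuration from the report.
SAMPLE_CONF = '''
destination d_filtered { file("/var/log/filtered.log"); };
filter f_1 { host("ubuntu"); };
filter f_2 { filter(f_1); };
filter f_3 { filter(f_2); };
log { source(s_src); filter(f_3); destination(d_filtered); };
'''

FILTER_DEF = re.compile(r'\bfilter\s+([\w.-]+)\s*\{(.*?)\}\s*;', re.S)
LOG_PATH = re.compile(r'\blog\s*\{(.*?)\}\s*;', re.S)
FILTER_REF = re.compile(r'\bfilter\s*\(\s*([\w.-]+)\s*\)')

def reference_depth(name, defs, seen=()):
    """Number of filters on the longest filter() chain starting at `name`."""
    if name not in defs or name in seen:  # undefined name or cycle: stop counting
        return 0
    refs = FILTER_REF.findall(defs[name])
    return 1 + max((reference_depth(r, defs, seen + (name,)) for r in refs), default=0)

def risky_log_paths(conf_text, max_depth=2):
    """Return (filter_name, depth) for each log-path filter nested deeper than max_depth."""
    text = re.sub(r'#.*', '', conf_text)   # drop comments (assumes no '#' inside strings)
    defs = dict(FILTER_DEF.findall(text))  # filter name -> body of its definition
    findings = []
    for body in LOG_PATH.findall(text):
        for name in FILTER_REF.findall(body):
            depth = reference_depth(name, defs)
            if depth > max_depth:          # two levels worked in the report, three did not
                findings.append((name, depth))
    return findings

if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for name, depth in risky_log_paths(conf):
        print(f"log path uses filter {name}: {depth} nested levels")
```

Run it against /etc/syslog-ng/syslog-ng.conf on hosts still on the affected package to find log paths that should be flattened or retested after an upgrade.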

Peter Czanik (pczanik) wrote :

I'd recommend using a newer version of syslog-ng. You can find binaries at https://syslog-ng.org/3rd-party-binaries/

Shintaro Kojima (codeout) wrote :

Thank you! I've confirmed 3.7.x binaries listed on https://syslog-ng.org/3rd-party-binaries/ work as I expected.

So how can I request an official package upgrade? 3.7.3 has been recently marked as "proposed" at https://launchpad.net/ubuntu/+source/syslog-ng, but I don't know what kind of process is going on...

Thanks

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in syslog-ng (Ubuntu):
status: New → Confirmed