Are pcre issues fixed in latest snapshot, or planned for 4.3?
Charles Jones
jonescr at cisco.com
Wed Feb 14 23:39:29 CET 2007
We never got a response to the pcre issues below, so inquiring minds
want to know :)
Thanks,
-Charles
> Henrik,
>
> I understand you are a busy fellow as of late, but could you
> acknowledge the pcre issues that me and others are having? Mine are
> specifically with macro usage, but I have seen a few other posts by
> Hobbit users who are having similar issues in other areas. In all
> cases the regex works fine when tested with the "pcretest" binary, but
> they fail when used with Hobbit.
>
> Since you are busy I don't expect this issue to take priority, but it
> would be nice to know that you are at least aware of it and plan to
> take a look at the problem when time permits.
>
> Thank You
> -Charles Jones
>
>
> Charles Jones wrote:
>> Dominique,
>>
>> Thank you for confirming this. Hopefully Henrik will notice and
>> address this issue.
>>
>> -Charles
>>
>> Dominique Frise wrote:
>>> Charles Jones wrote:
>>>> I am again being bitten by regex problems. I am able to reproduce
>>>> it with the following entries in hobbit-alerts.cfg:
>>>>
>>>> $IGNORE_HOSTS=%prod-web-(1|2|3|4|9|10|11)$
>>>> HOST=$IGNORE_HOSTS service=*
>>>> IGNORE
>>>>
>>>> If I then check the "info" column of a host that is *not* supposed
>>>> to be ignored, such as prod-web-12. It shows that it is indeed
>>>> ignored. This is a serious problem as I have already missed alerts
>>>> for some production hosts because of this problem.
>>>>
>>>> According to pcretest (Henriks recommended method of testing a
>>>> Hobbit regex), there is nothing wrong with the regular expression
>>>> that I am using:
>>>> $ pcretest
>>>> PCRE version 6.6 06-Feb-2006
>>>> re> /prod-web-(1|2|3|4|9|10|11)$/
>>>> data> prod-web-12 (*correctly not matching*)
>>>> No match
>>>> data> prod-web-19 (*correctly not matching*)
>>>> No match
>>>> data> prod-web-10 (*correctly matching*)
>>>> 0: prod-web-10
>>>> 1: 10
>>>>
>>>> From the above tests you can see that prod-web-12 does not match
>>>> the regex when using pcretest, yet Hobbit is matching it for some
>>>> reason. A possible work-around could be to not use a regex at all,
>>>> such as $IGNORE_HOSTS=prod-web-1,prod-web-2,prod-web-3... but that
>>>> is not really a solution if you have hundreds of hosts, and my main
>>>> point is that regular expressions are not working as they are
>>>> documented.
>>>>
>>>> I've also tried other undocumented ways of using the regex, including:
>>>>
>>>> No hosts matched at all
>>>> $IGNORE_HOSTS=%prod-web-(1|2|3|4|9|10|11)$
>>>> HOST="IGNORE_HOSTS"
>>>>
>>>> No hosts matched at all
>>>> $IGNORE_HOSTS="%prod-web-(1|2|3|4|9|10|11)$"
>>>> HOST=$IGNORE_HOSTS
>>>>
>>>> All hosts match (both web-12 and web-11)
>>>> $IGNORE_HOSTS=prod-web-(1|2|3|4|9|10|11)$
>>>> HOST=%$IGNORE_HOSTS
>>>>
>>>> If anyone else can verify or reproduce this, it would be helpful in
>>>> at least convincing Henrik to add it to the list of things to fix
>>>> in the next version. I honestly hope that it's not a problem with
>>>> Hobbit and instead something I am doing wrong - if so please
>>>> enlighten me.
>>>>
>>>> -Charles
>>>>
>>>
>>> I tried your config. and, yes, I have same strange behaviour.
>>> We are running Hobbit 4.2.0 patched on Solaris 9.
>>>
>>> $ pcretest
>>> PCRE version 4.5 01-December-2003
>>>
>>> re> /prod-web-(1|2|3|4|9|10|11)$/
>>> data> prod-web-12
>>> No match
>>> data> prod-web-19
>>> No match
>>> data> prod-web-10
>>> 0: prod-web-10
>>> 1: 10
>>>
>>> The column info and the rule tests below show that both prod-web-10
>>> and prod-web-12 are ignored but not prod-web-8.
>>>
>>> $ ./hobbitd_alert --test "prod-web-10" conn
>>> 00015495 2007-01-12 07:52:45 send_alert prod-web-10:conn state Paging
>>> 00015495 2007-01-12 07:52:45 Matching host:service:page
>>> 'prod-web-10:conn:acadSys' against rule line 200
>>> 00015495 2007-01-12 07:52:45 *** Match with 'HOST=$IGNORE_HOSTS
>>> service=*' ***
>>> 00015495 2007-01-12 07:52:45 Matching host:service:page
>>> 'prod-web-10:conn:acadSys' against rule line 200
>>> 00015495 2007-01-12 07:52:45 *** Match with 'HOST=$IGNORE_HOSTS
>>> service=*' ***
>>> 00015495 2007-01-12 07:52:45 IGNORE rule found
>>>
>>>
>>> $ ./hobbitd_alert --test "prod-web-12" conn
>>> 00016778 2007-01-12 07:58:50 send_alert prod-web-12:conn state Paging
>>> 00016778 2007-01-12 07:58:50 Matching host:service:page
>>> 'prod-web-12:conn:acadSys' against rule line 200
>>> 00016778 2007-01-12 07:58:50 *** Match with 'HOST=$IGNORE_HOSTS
>>> service=*' ***
>>> 00016778 2007-01-12 07:58:50 Matching host:service:page
>>> 'prod-web-12:conn:acadSys' against rule line 200
>>> 00016778 2007-01-12 07:58:50 *** Match with 'HOST=$IGNORE_HOSTS
>>> service=*' ***
>>> 00016778 2007-01-12 07:58:50 IGNORE rule found
>>>
>>>
>>> $ ./hobbitd_alert --test "prod-web-8" conn
>>> 00016921 2007-01-12 07:59:50 send_alert prod-web-8:conn state Paging
>>> 00016921 2007-01-12 07:59:50 Matching host:service:page
>>> 'prod-web-8:conn:acadSys' against rule line 200
>>> 00016921 2007-01-12 07:59:50 Failed 'HOST=$IGNORE_HOSTS service=*'
>>> (hostname not in include list)
>>> ...
>>> ...
>>>
>>>
>>> Dominique
>>> UNIL - University of Lausanne_
>>>
>>> To unsubscribe from the hobbit list, send an e-mail to
>>> hobbit-unsubscribe at hswn.dk
>>
>> To unsubscribe from the hobbit list, send an e-mail to
>> hobbit-unsubscribe at hswn.dk
>
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe at hswn.dk
More information about the Xymon
mailing list