Bug #2421

closed

Filter log parser misinterprets some rare lines resulting in TCP:lo for the proto/flags

Added by Jim Pingle almost 12 years ago. Updated about 9 years ago.

Status: Resolved
Priority: Very Low
Assignee: -
Category: Web Interface
Target version:
Start date: 05/09/2012
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture:

Description

The following raw log entry:

May  9 10:35:46 pfsense pf: 00:01:06.694431 rule 1/0(match): block in on bge1: (tos 0x0, ttl 231, id 59683, offset 0, flags [DF], proto TCP (6), length 86)
May  9 10:35:46 pfsense pf:     x.x.x.x.443 > y.y.y.y.36046: Flags [R.], cksum 0x76a3 (correct), seq 4021180300:4021180346, ack 165425407, win 0, length 46 [RST+ BIG-IP: [0x116b7f6:165] Flow e]

is misinterpreted by the parser; somehow it's using "lo" (from the word "Flow" in the entry) as the TCP flags. It appears that the part of the regex called "leftovers" should contain everything after the destination IP and port, but in this case it anchors on ": " and, due to the greedy nature of regex, it's taking the ": " after BIG-IP and not the one after the destination IP/port.

Making the regex ungreedy (/U) breaks it in various other ways so it's not quite an easy fix.
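To make the failure mode concrete, the following is an added Python example, not pfSense's parser code: a hypothetical greedy split regex (my reconstruction of the behaviour the report describes, not the project's actual pattern) that lands on the ": " after BIG-IP, beside a version that anchors the destination on a single host.port token so the split lands on the first ": " without making the whole expression ungreedy.

```python
import re

# Second line of the raw pf entry quoted in the bug report (payload part only).
BUGGY_LINE = ("x.x.x.x.443 > y.y.y.y.36046: Flags [R.], cksum 0x76a3 (correct), "
              "seq 4021180300:4021180346, ack 165425407, win 0, length 46 "
              "[RST+ BIG-IP: [0x116b7f6:165] Flow e]")
# Constructed ordinary line with no extra ": " in the trailer, for comparison.
PLAIN_LINE = "x.x.x.x.443 > y.y.y.y.36046: Flags [S.], seq 1, ack 2, win 0, length 0"

# Hypothetical regexes standing in for the parser's "leftovers" split; not pfSense's code.
# Greedy ".*" for dst runs to the LAST ": " in the line, as the report describes.
GREEDY = re.compile(r"^(?P<src>\S+) > (?P<dst>.*): (?P<leftovers>.*)$")
# Fix: dst is one whitespace-free token (host.port), so the split lands on the first ": ".
ANCHORED = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): (?P<leftovers>.*)$")
# tcpdump-style TCP flags are expected at the very start of the leftovers.
FLAGS = re.compile(r"^Flags \[(?P<flags>[^\]]*)\]")


def split_line(pattern, line):
    """Return (src, dst, leftovers) or None if the pattern does not match."""
    m = pattern.match(line)
    return m.group("src", "dst", "leftovers") if m else None


def tcp_flags(leftovers):
    """Return the TCP flags string, or None when the leftovers do not start with them."""
    m = FLAGS.match(leftovers)
    return m.group("flags") if m else None


def parse(pattern, line):
    """Split the line with the given pattern and pull the TCP flags from the leftovers."""
    parts = split_line(pattern, line)
    if parts is None:
        return None
    src, dst, leftovers = parts
    return {"src": src, "dst": dst, "leftovers": leftovers, "flags": tcp_flags(leftovers)}


if __name__ == "__main__":
    for name, pat in (("greedy", GREEDY), ("anchored", ANCHORED)):
        for line in (BUGGY_LINE, PLAIN_LINE):
            print(name, parse(pat, line))
```

With the greedy pattern the BIG-IP line yields leftovers of "[0x116b7f6:165] Flow e]" and no usable flags, while the plain line parses fine with both patterns, which is why the bug only shows up on rare lines.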

#1

Updated by Chris Buechler about 9 years ago

  • Status changed from New to Resolved
  • Target version set to 2.2
  • Affected Version set to All

won't happen with the logging in 2.2
