<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 26, 2013 at 3:34 PM, Alexandre Biancalana <span dir="ltr"><<a href="mailto:biancalana@gmail.com" target="_blank">biancalana@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div class="h5"><div class="gmail_extra"><div class="gmail_quote"><div class="gmail_extra"><div class="gmail_quote">
<div><br></div></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
</blockquote></div><br></div></div></div><div class="gmail_extra">Testing on linux it goes a little further but also crashes:<br><br># gdb syslog-ng/.libs/syslog-ng<div class="im"><br>GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6)<br>
Copyright (C) 2010 Free Software Foundation, Inc.<br>
License GPLv3+: GNU GPL version 3 or later <<a href="http://gnu.org/licenses/gpl.html" target="_blank">http://gnu.org/licenses/gpl.html</a>><br>This is free software: you are free to change and redistribute it.<br>
There is NO WARRANTY, to the extent permitted by law. Type "show copying"<br>
and "show warranty" for details.<br>This GDB was configured as "x86_64-redhat-linux-gnu".<br>For bug reporting instructions, please see:<br><<a href="http://www.gnu.org/software/gdb/bugs/" target="_blank">http://www.gnu.org/software/gdb/bugs/</a>>...<br>
</div>
Reading symbols from /tmp/syslog-ng-3.4/syslog-ng/.libs/syslog-ng...done.<div class="im"><br>(gdb) run -d -f /usr/local/etc/syslog-ng.conf<br></div>Starting program: /tmp/syslog-ng-3.4/syslog-ng/.libs/syslog-ng -d -f /usr/local/etc/syslog-ng.conf<div class="im">
<br>
[Thread debugging using libthread_db enabled]<br></div><div class="im">Reading path for candidate modules; path='/usr/local/lib/syslog-ng'<br></div><div class="im">Reading shared object for a candidate module; path='/usr/local/lib/syslog-ng', fname='confgen.so', module='confgen'<br>
</div><div class="im">
Reading shared object for a candidate module; path='/usr/local/lib/syslog-ng', fname='dbparser.so', module='dbparser'<br>Registering candidate plugin; module='dbparser', context='parser', name='db-parser', preference='0'<br>
</div><div class="im">
Reading shared object for a candidate module; path='/usr/local/lib/syslog-ng', fname='afamqp.so', module='afamqp'<br>Registering candidate plugin; module='afamqp', context='destination', name='amqp', preference='0'<br>
</div><div class="im">
Reading shared object for a candidate module; path='/usr/local/lib/syslog-ng', fname='cryptofuncs.so', module='cryptofuncs'<br>Registering candidate plugin; module='cryptofuncs', context='template-func', name='uuid', preference='0'<br>
Registering candidate plugin; module='cryptofuncs', context='template-func', name='hash', preference='0'<br>Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha1', preference='0'<br>
Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha256', preference='0'<br>Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha512', preference='0'<br>
Registering candidate plugin; module='cryptofuncs', context='template-func', name='md4', preference='0'<br>Registering candidate plugin; module='cryptofuncs', context='template-func', name='md5', preference='0'<br>
</div><div class="im">
Reading shared object for a candidate module; path='/usr/local/lib/syslog-ng', fname='basicfuncs.so', module='basicfuncs'<br>Registering candidate plugin; module='basicfuncs', context='template-func', name='grep', preference='0'<br>
Registering candidate plugin; module='basicfuncs', context='template-func', name='if', preference='0'<br>Registering candidate plugin; module='basicfuncs', context='template-func', name='echo', preference='0'<br>
Registering candidate plugin; module='basicfuncs', context='template-func', name='length', preference='0'<br>Registering candidate plugin; module='basicfuncs', context='template-func', name='substr', preference='0'<br>
Registering candidate plugin; module='basicfuncs', context='template-func', name='strip', preference='0'<br>Registering candidate plugin; module='basicfuncs', context='template-func', name='sanitize', preference='0'<br>
Registering candidate plugin; module='basicfuncs', context='template-func', name='+', preference='0'<br>Registering candidate plugin; module='basicfuncs', context='template-func', name='-', preference='0'<br>
Registering candidate plugin; module='basicfuncs', context='template-func', name='*', preference='0'<br>Registering candidate plugin; module='basicfuncs', context='template-func', name='/', preference='0'<br>
Registering candidate plugin; module='basicfuncs', context='template-func', name='%', preference='0'<br>Registering candidate plugin; module='basicfuncs', context='template-func', name='ipv4-to-int', preference='0'<br>
Registering candidate plugin; module='basicfuncs', context='template-func', name='indent-multi-line', preference='0'<br>Registering candidate plugin; module='basicfuncs', context='template-func', name='context-length', preference='0'<br>
Reading shared object for a candidate module; path='/usr/local/lib/syslog-ng', fname='afuser.so', module='afuser'<br>Registering candidate plugin; module='afuser', context='destination', name='usertty', preference='0'<br>
</div><div class="im">
Reading shared object for a candidate module; path='/usr/local/lib/syslog-ng', fname='afsocket-notls.so', module='afsocket-notls'<br>Registering candidate plugin; module='afsocket-notls', context='source', name='unix-stream', preference='0'<br>
Registering candidate plugin; module='afsocket-notls', context='destination', name='unix-stream', preference='0'<br>Registering candidate plugin; module='afsocket-notls', context='source', name='unix-dgram', preference='0'<br>
Registering candidate plugin; module='afsocket-notls', context='destination', name='unix-dgram', preference='0'<br>Registering candidate plugin; module='afsocket-notls', context='source', name='tcp', preference='0'<br>
Registering candidate plugin; module='afsocket-notls', context='destination', name='tcp', preference='0'<br>Registering candidate plugin; module='afsocket-notls', context='source', name='tcp6', preference='0'<br>
Registering candidate plugin; module='afsocket-notls', context='destination', name='tcp6', preference='0'<br>Registering candidate plugin; module='afsocket-notls', context='source', name='udp', preference='0'<br>
Registering candidate plugin; module='afsocket-notls', context='destination', name='udp', preference='0'<br>Registering candidate plugin; module='afsocket-notls', context='source', name='udp6', preference='0'<br>
Registering candidate plugin; module='afsocket-notls', context='destination', name='udp6', preference='0'<br>Registering candidate plugin; module='afsocket-notls', context='source', name='syslog', preference='0'<br>
Registering candidate plugin; module='afsocket-notls', context='destination', name='syslog', preference='0'<br>Registering candidate plugin; module='afsocket-notls', context='source', name='network', preference='0'<br>
Registering candidate plugin; module='afsocket-notls', context='destination', name='network', preference='0'<br></div><div class="im">Reading shared object for a candidate module; path='/usr/local/lib/syslog-ng', fname='afsocket.so', module='afsocket'<br>
Registering candidate plugin; module='afsocket', context='source', name='unix-stream', preference='100'<br>Registering candidate plugin; module='afsocket', context='destination', name='unix-stream', preference='100'<br>
Registering candidate plugin; module='afsocket', context='source', name='unix-dgram', preference='100'<br>Registering candidate plugin; module='afsocket', context='destination', name='unix-dgram', preference='100'<br>
Registering candidate plugin; module='afsocket', context='source', name='tcp', preference='100'<br>Registering candidate plugin; module='afsocket', context='destination', name='tcp', preference='100'<br>
Registering candidate plugin; module='afsocket', context='source', name='tcp6', preference='100'<br>Registering candidate plugin; module='afsocket', context='destination', name='tcp6', preference='100'<br>
Registering candidate plugin; module='afsocket', context='source', name='udp', preference='100'<br>Registering candidate plugin; module='afsocket', context='destination', name='udp', preference='100'<br>
Registering candidate plugin; module='afsocket', context='source', name='udp6', preference='100'<br>Registering candidate plugin; module='afsocket', context='destination', name='udp6', preference='100'<br>
Registering candidate plugin; module='afsocket', context='source', name='syslog', preference='100'<br>Registering candidate plugin; module='afsocket', context='destination', name='syslog', preference='100'<br>
Registering candidate plugin; module='afsocket', context='source', name='network', preference='100'<br>Registering candidate plugin; module='afsocket', context='destination', name='network', preference='100'<br>
</div><div class="im">
Reading shared object for a candidate module; path='/usr/local/lib/syslog-ng', fname='affile.so', module='affile'<br>Registering candidate plugin; module='affile', context='source', name='file', preference='0'<br>
Registering candidate plugin; module='affile', context='source', name='pipe', preference='0'<br>Registering candidate plugin; module='affile', context='destination', name='file', preference='0'<br>
Registering candidate plugin; module='affile', context='destination', name='pipe', preference='0'<br></div><div class="im">Reading shared object for a candidate module; path='/usr/local/lib/syslog-ng', fname='csvparser.so', module='csvparser'<br>
Registering candidate plugin; module='csvparser', context='parser', name='csv-parser', preference='0'<br></div><div class="im">Reading shared object for a candidate module; path='/usr/local/lib/syslog-ng', fname='afprog.so', module='afprog'<br>
Registering candidate plugin; module='afprog', context='source', name='program', preference='0'<br>Registering candidate plugin; module='afprog', context='destination', name='program', preference='0'<br>
</div><div class="im">
Reading shared object for a candidate module; path='/usr/local/lib/syslog-ng', fname='syslog-ng-crypto.so', module='syslog-ng-crypto'<br>Reading shared object for a candidate module; path='/usr/local/lib/syslog-ng', fname='syslogformat.so', module='syslogformat'<br>
Registering candidate plugin; module='syslogformat', context='format', name='syslog', preference='0'<br>Registering candidate plugin; module='syslogformat', context='parser', name='syslog-parser', preference='0'<br>
</div><div class="im">
Reading shared object for a candidate module; path='/usr/local/lib/syslog-ng', fname='afmongodb.so', module='afmongodb'<br>Registering candidate plugin; module='afmongodb', context='destination', name='mongodb', preference='0'<br>
</div>
Reading shared object for a candidate module; path='/usr/local/lib/syslog-ng', fname='system-source.so', module='system-source'<div class="im"><br>Reading shared object for a candidate module; path='/usr/local/lib/syslog-ng', fname='afsocket-tls.so', module='afsocket-tls'<br>
Registering candidate plugin; module='afsocket-tls', context='source', name='unix-stream', preference='100'<br>Registering candidate plugin; module='afsocket-tls', context='destination', name='unix-stream', preference='100'<br>
Registering candidate plugin; module='afsocket-tls', context='source', name='unix-dgram', preference='100'<br>Registering candidate plugin; module='afsocket-tls', context='destination', name='unix-dgram', preference='100'<br>
Registering candidate plugin; module='afsocket-tls', context='source', name='tcp', preference='100'<br>Registering candidate plugin; module='afsocket-tls', context='destination', name='tcp', preference='100'<br>
Registering candidate plugin; module='afsocket-tls', context='source', name='tcp6', preference='100'<br>Registering candidate plugin; module='afsocket-tls', context='destination', name='tcp6', preference='100'<br>
Registering candidate plugin; module='afsocket-tls', context='source', name='udp', preference='100'<br>Registering candidate plugin; module='afsocket-tls', context='destination', name='udp', preference='100'<br>
Registering candidate plugin; module='afsocket-tls', context='source', name='udp6', preference='100'<br>Registering candidate plugin; module='afsocket-tls', context='destination', name='udp6', preference='100'<br>
Registering candidate plugin; module='afsocket-tls', context='source', name='syslog', preference='100'<br>Registering candidate plugin; module='afsocket-tls', context='destination', name='syslog', preference='100'<br>
Registering candidate plugin; module='afsocket-tls', context='source', name='network', preference='100'<br>Registering candidate plugin; module='afsocket-tls', context='destination', name='network', preference='100'<br>
</div><div class="im">
Compiling #unnamed sequence [log] at [/usr/local/etc/syslog-ng.conf:4]<br> Compiling httpd_error_log reference [source] at [/usr/local/etc/syslog-ng.conf:4]<br></div> Compiling httpd_error_log sequence [source] at [/usr/local/etc/syslog-ng.conf:1]<div class="im">
<br>
Compiling #unnamed junction [log] at [/usr/local/etc/syslog-ng.conf:1]<br> Compiling #unnamed single [log] at [/usr/local/etc/syslog-ng.conf:1]<br></div><div class="im"> Compiling pattern_db reference [parser] at [/usr/local/etc/syslog-ng.conf:4]<br>
</div>
Compiling pattern_db sequence [parser] at [/usr/local/etc/syslog-ng.conf:1]<div class="im"><br> Compiling #unnamed single [log] at [/usr/local/etc/syslog-ng.conf:1]<br></div><div class="im"> Compiling d_amqp reference [destination] at [/usr/local/etc/syslog-ng.conf:4]<br>
Compiling d_amqp sequence [destination] at [/usr/local/etc/syslog-ng.conf:2]<br> Compiling #unnamed junction [log] at [/usr/local/etc/syslog-ng.conf:2]<br> Compiling #unnamed single [log] at [/usr/local/etc/syslog-ng.conf:2]<br>
Log pattern database reloaded; file='/home/ale/httpd.xml', version='3', pub_date='2013-09-12'<br></div>[New Thread 0x7ffff7fe3700 (LWP 3098)]<div class="im"><br>Running application hooks; hook='1'<br>
Running application hooks; hook='3'<br>
syslog-ng starting up; version='3.4.3'<br></div><div class="im">Worker thread started; driver='d_amqp#0'<br>Connecting to AMQP succeeded; driver='d_amqp#0'<br></div>Incoming log entry; line='[2013-09-07 21:37:18.103339] [-:error] [pid 29919:tid 139776059467520] [client 10.10.10.10] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/opt/apps/httpd/conf/owasp-crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 4): The application is not available"] [hostname "<a href="http://www.xxx.com" target="_blank">www.xxx.com</a>"] [uri "/wp/wp-content/themes/musicpro/js/solo-jplayer.min.js"] [unique_id "UiucjcCoALkAAHTfttcAAACM"]<br>
[2013-09-07 21:37:18.131577] [-:error] [pid 29777:tid 139776257115904] [client 10.10.10.10] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/opt/apps/httpd/conf/owasp-crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 4): The application is not available"] [hostname "<a href="http://www.xxx.com" target="_blank">www.xxx.com</a>"] [uri "/wp/wp-includes/js/comment-reply.js"] [unique_id "UiucjsCoALkAAHRR1KoAAAAA"]'<br>
patterndb rule matches; rule_id='6bcd01cd-1bff-11e3-919d-ca66d2f45ab4'<br>Advancing patterndb current time because of an incoming message; utc='1380220111'<div class="im"><br>Message parsing complete; result='1'<br>
</div>
Incoming log entry; line='[2013-09-07 21:37:18.135037] [-:error] [pid 29777:tid 139776153876224] [client 10.10.10.10] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/opt/apps/httpd/conf/owasp-crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 4): The application is not available"] [hostname "<a href="http://www.xxx.com" target="_blank">www.xxx.com</a>"] [uri "/wp/wp-content/themes/musicpro/js/tooltipsy.js"] [unique_id "UiucjsCoALkAAHRR1KgAAAAD"]'<br>
patterndb rule matches; rule_id='6bcd01cd-1bff-11e3-919d-ca66d2f45ab4'<br>Advancing patterndb current time because of an incoming message; utc='1380220111'<div class="im"><br>Message parsing complete; result='1'<br>
</div>
Incoming log entry; line='[2013-09-07 21:37:18.136092] [-:error] [pid 29777:tid 139776132896512] [client 10.10.10.10] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/opt/apps/httpd/conf/owasp-crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 4): The application is not available"] [hostname "<a href="http://www.xxx.com" target="_blank">www.xxx.com</a>"] [uri "/wp/wp-content/themes/musicpro/js/custom.js"] [unique_id "UiucjsCoALkAAHRR1KsAAAAF"]'<br>
patterndb rule matches; rule_id='6bcd01cd-1bff-11e3-919d-ca66d2f45ab4'<br>Advancing patterndb current time because of an incoming message; utc='1380220111'<div class="im"><br>Message parsing complete; result='1'<br>
</div>
Incoming log entry; line='[2013-09-07 21:37:18.138618] [-:error] [pid 29777:tid 139776143386368] [client 10.10.10.10] ModSecurity: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/opt/apps/httpd/conf/owasp-crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 4): The application is not available"] [hostname "<a href="http://www.xxx.com" target="_blank">www.xxx.com</a>"] [uri "/wp/wp-content/themes/musicpro/js/izotope.js"] [unique_id "UiucjsCoALkAAHRR1KkAAAAE"]'<div class="im">
<br>
<br>Program received signal SIGSEGV, Segmentation fault.<br></div>[Switching to Thread 0x7ffff7fe3700 (LWP 3098)]<br>0x00007ffff7b8de6e in msg_set_context () from /usr/local/lib/<a href="http://libsyslog-ng-3.4.3.so" target="_blank">libsyslog-ng-3.4.3.so</a><br>
Missing separate debuginfos, use: debuginfo-install glib2-2.22.5-7.el6.x86_64 glibc-2.12-1.107.el6.x86_64 keyutils-libs-1.4-4.el6.x86_64 krb5-libs-1.10.3-10.el6.x86_64 libcom_err-1.41.12-14.el6.x86_64 libnet-1.1.5-1.el6.x86_64 libselinux-2.0.94-5.3.el6.x86_64 openssl-1.0.0-27.el6.x86_64 pcre-7.8-6.el6.x86_64 syslog-ng-3.4.3-1.x86_64 zlib-1.2.3-29.el6.x86_64<br>
(gdb) bt<br>#0 0x00007ffff7b8de6e in msg_set_context () from /usr/local/lib/<a href="http://libsyslog-ng-3.4.3.so" target="_blank">libsyslog-ng-3.4.3.so</a><br>#1 0x00007ffff3e3e995 in ?? () from /usr/local/lib/syslog-ng/libafamqp.so<br>
#2 0x00007ffff7b8e63b in ?? () from /usr/local/lib/<a href="http://libsyslog-ng-3.4.3.so" target="_blank">libsyslog-ng-3.4.3.so</a><br>#3 0x00007ffff70a3004 in ?? () from /lib64/libglib-2.0.so.0<br>#4 0x00007ffff67f7851 in start_thread () from /lib64/libpthread.so.0<br>
#5 0x00007ffff654590d in clone () from /lib64/libc.so.6<br>(gdb)<br><br><br></div></div>
</blockquote></div><br></div><div class="gmail_extra">Hi List,<br><br><br></div><div class="gmail_extra">Is there anything else that I can do to help to track/solve this ?<br></div></div>