<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Hi,<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
I don't know why is this happening, but spurious path is the following:</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<a href="https://github.com/syslog-ng/syslog-ng/blob/52ef5c7072c651807cc2778000b3b8fe2a8cd101/modules/affile/file-opener.c#L74" id="LPlnk967979">https://github.com/syslog-ng/syslog-ng/blob/52ef5c7072c651807cc2778000b3b8fe2a8cd101/modules/affile/file-opener.c#L74</a></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
For each opened file, syslog-ng checks some malicious patterns in the file name for security reason. If an attacker could inject `../../../` like macros, that could lead to write some unwanted system critical files.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
File paths containing `../` or `/..` are called spurious paths in syslog-ng.<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Br,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Antal<br>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Pal, Laszlo <vlad@vlad.hu><br>
<b>Sent:</b> Monday, March 2, 2020 10:42<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> [syslog-ng] Spurious path, logfile not created; path=</font>
<div> </div>
</div>
<div>
<div style="background-color:#FFEB9C; width:100%; border-style:solid; border-color:#9C6500; border-width:1pt; padding:2pt; font-size:10pt; line-height:12pt; font-family:'Calibri'; color:Black; text-align:left">
<span style="color:#9C6500; font-weight:bold">CAUTION:</span> This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.</div>
<br>
<div>
<div dir="ltr"><font face="arial, sans-serif" color="#000000">Hi,</font>
<div><font face="arial, sans-serif" color="#000000"><br>
</font></div>
<div><font face="arial, sans-serif" color="#000000">For one of my hosts, I can see lots of these messages</font></div>
<div><font face="arial, sans-serif" color="#000000"><br>
</font></div>
<div><font face="arial, sans-serif" color="#000000"><span style="white-space:pre-wrap"><b>Spurious path, logfile not created; path=</b></span><br>
</font></div>
<div><font face="arial, sans-serif" color="#000000"><br>
</font></div>
<div><font face="arial, sans-serif" color="#000000">What does it mean exactly? I'm creating files with this macro</font></div>
<div><font face="arial, sans-serif" color="#000000"><br>
</font></div>
<div><font face="arial, sans-serif" color="#000000">file("/var/log/netlog/unix/${HOST}/${YEAR}/${MONTH}/${HOST}-${YEAR}${MONTH}${DAY}.log"<br>
</font></div>
<div><font face="arial, sans-serif" color="#000000"><br>
</font></div>
<div><font face="arial, sans-serif" color="#000000">and even for this host, I have all the logs regardless of this message</font></div>
<div><font face="arial, sans-serif" color="#000000"><br>
</font></div>
<div><font face="arial, sans-serif" color="#000000">I also have messages for the same host like this</font></div>
<div><font face="arial, sans-serif" color="#000000"><span style="white-space:pre-wrap">Resource temporarily unavailable (11)</span><br>
</font></div>
<div><span style="white-space:pre-wrap"><font face="arial, sans-serif" color="#000000"><br>
</font></span></div>
<div><font face="arial, sans-serif" color="#000000"><span style="white-space:pre-wrap">Here is some more details may help to find out the reasons behind this</span></font></div>
<div><font face="arial, sans-serif" color="#000000"><span style="white-space:pre-wrap">- issue started 9th February (I have a total of 160K entries like this)</span></font></div>
<div><font face="arial, sans-serif" color="#000000"><span style="white-space:pre-wrap">- the filename/path was incorrect during the whole event
</span></font></div>
<div><font face="arial, sans-serif" color="#000000"><span style="white-space:pre-wrap">2020/02/servername-20200210.log</span><span style="white-space:pre-wrap"><br>
</span></font></div>
<div><span style="white-space:pre-wrap"><font face="arial, sans-serif" color="#000000">- on 29th the server gone south by consuming lots of CPU and disappeared from the network, console was frozen, so we had to reset the vm</font></span></div>
<div><span style="white-space:pre-wrap"><font face="arial, sans-serif" color="#000000"><br>
</font></span></div>
<div><span style="white-space:pre-wrap"><font face="arial, sans-serif" color="#000000">The host running an old syslog-ng PE
</font></span></div>
<div><font face="arial, sans-serif" color="#000000"><span style="white-space:pre-wrap">(</span>syslog-ng-premium-edition 4 LTS (4.0.5a)</font></div>
<font face="arial, sans-serif" color="#000000">Installer-Version: 4.0.5a<br>
Revision: ssh+git://ganesa@git.balabit//var/scm/git/syslog-ng/syslog-ng-pe--mainline--4.0#master#457ec2f494a46d62ecf8cd938f12f02cd0ae9e63)</font>
<div><font face="arial, sans-serif" color="#000000">on RHEL5</font></div>
<div><font face="arial, sans-serif" color="#000000"><br>
</font></div>
<div><font face="arial, sans-serif" color="#000000">Log sources are simple plain text files contains tomcat and other web server logs</font></div>
<div><font face="arial, sans-serif" color="#000000"><br>
</font></div>
<div><font face="arial, sans-serif" color="#000000">I have a twin-host with the exact same config and log sources, but I never seen messages like this from that one</font></div>
<div><font face="arial, sans-serif" color="#000000"><br>
</font></div>
<div><font face="arial, sans-serif" color="#000000">Do you have any idea? To me it looks very mysterious </font></div>
<div><font face="arial, sans-serif" color="#000000"><br>
</font></div>
<div><font face="arial, sans-serif" color="#000000">Thanks</font></div>
<div><font face="arial, sans-serif"><font color="#000000">Laszlo</font><br>
</font></div>
<div><font face="arial, sans-serif"><br>
</font></div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</body>
</html>