On 02.03.20 13:53, Antal Nemes (anemes) wrote:
I don't know why this is happening, but the spurious path check is the following:
https://github.com/syslog-ng/syslog-ng/blob/52ef5c7072c651807cc2778000b3b8fe...
For each opened file, syslog-ng checks the file name for some malicious patterns for security reasons. If an attacker could inject `../../../`-like macros, that could lead to writing to unwanted system-critical files.
File paths containing `../` or `/..` are called spurious paths in syslog-ng.
That could explain it. The macros in this line:
file("/var/log/netlog/unix/${HOST}/${YEAR}/${MONTH}/${HOST}-${YEAR}${MONTH}${DAY}.log"
are the dates and times taken from the message itself, so an attacker can send a message containing spurious characters instead of a real date. If you want to use the date/time when the message was received, use the R_* macros (R_YEAR), or if you want to use the date the message was processed/written, use the D_* macros (D_YEAR).
________________________________
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Pal, Laszlo <vlad@vlad.hu>
Sent: Monday, March 2, 2020 10:42
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] Spurious path, logfile not created; path=
Hi,
For one of my hosts, I can see lots of these messages
Spurious path, logfile not created; path=
What does it mean exactly? I'm creating files with this macro
file("/var/log/netlog/unix/${HOST}/${YEAR}/${MONTH}/${HOST}-${YEAR}${MONTH}${DAY}.log"
and even for this host, I have all the logs regardless of this message
I also have messages for the same host like this:
Resource temporarily unavailable (11)
Here are some more details that may help to find out the reasons behind this:
- the issue started 9th February (I have a total of 160K entries like this)
- the filename/path was incorrect during the whole event: 2020/02/servername-20200210.log
- on the 29th the server went south by consuming lots of CPU and disappeared from the network; the console was frozen, so we had to reset the VM
The host running an old syslog-ng PE (syslog-ng-premium-edition 4 LTS (4.0.5a) Installer-Version: 4.0.5a Revision: ssh+git://ganesa@git.balabit//var/scm/git/syslog-ng/syslog-ng-pe--mainline--4.0#master#457ec2f494a46d62ecf8cd938f12f02cd0ae9e63) on RHEL5
Log sources are simple plain text files containing tomcat and other web server logs
I have a twin host with the exact same config and log sources, but I have never seen messages like this from that one
Do you have any idea? To me it looks very mysterious
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
M$ Win's are shit, do not use it !
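The two points the thread makes, the spurious path rule (`../` or `/..` anywhere in the destination path means the file is refused) and the difference between message-derived `${YEAR}` and receive-time `${R_YEAR}` macros, as an added example in Python. This is not code from the thread or from syslog-ng itself: the `${NAME}` expansion is a simplified stand-in for syslog-ng's template engine, and the host name, receive timestamp and macro values are constructed for the example.

```python
import re
from datetime import datetime

# Constructed for this example: the file() template from the thread, and the
# same path built from R_* (receive-time) macros as the reply recommends.
MSG_TIME_TEMPLATE = ("/var/log/netlog/unix/${HOST}/${YEAR}/${MONTH}/"
                     "${HOST}-${YEAR}${MONTH}${DAY}.log")
RECV_TIME_TEMPLATE = ("/var/log/netlog/unix/${HOST}/${R_YEAR}/${R_MONTH}/"
                      "${HOST}-${R_YEAR}${R_MONTH}${R_DAY}.log")

# Constructed receive time, matching the date seen in the thread's file name.
EXAMPLE_RECEIVED_AT = datetime(2020, 2, 10, 10, 42)

MACRO_RE = re.compile(r"\$\{([A-Z_]+)\}")


def is_spurious_path(path: str) -> bool:
    """The rule as the thread describes it: a destination path containing
    '../' or '/..' is spurious and the log file must not be created."""
    return "../" in path or "/.." in path


def expand_template(template: str, macros: dict) -> str:
    """Replace each ${NAME} with macros[NAME]; an unknown macro raises KeyError.
    (Simplified stand-in for syslog-ng's template expansion.)"""
    return MACRO_RE.sub(lambda m: macros[m.group(1)], template)


def build_macros(host: str, msg_year: str, msg_month: str, msg_day: str,
                 received_at: datetime) -> dict:
    """YEAR/MONTH/DAY are whatever was taken from the message's own date field
    (untrusted, as the thread notes); R_YEAR/R_MONTH/R_DAY come from the
    timestamp the daemon recorded when the message arrived."""
    return {
        "HOST": host,
        "YEAR": msg_year, "MONTH": msg_month, "DAY": msg_day,
        "R_YEAR": f"{received_at.year:04d}",
        "R_MONTH": f"{received_at.month:02d}",
        "R_DAY": f"{received_at.day:02d}",
    }


def resolve_destination(template: str, macros: dict):
    """Return (path, None) when the file may be created, or (path, reason)
    when it must be refused, mirroring the 'Spurious path' log line."""
    path = expand_template(template, macros)
    if is_spurious_path(path):
        return path, "Spurious path, logfile not created"
    return path, None


if __name__ == "__main__":
    good = build_macros("servername", "2020", "02", "10", EXAMPLE_RECEIVED_AT)
    print(resolve_destination(MSG_TIME_TEMPLATE, good))
    # Constructed: a message whose date field did not yield plain digits.
    bad = build_macros("servername", "..", "..", "x", EXAMPLE_RECEIVED_AT)
    print(resolve_destination(MSG_TIME_TEMPLATE, bad))   # refused as spurious
    print(resolve_destination(RECV_TIME_TEMPLATE, bad))  # unaffected: R_* ignore message content
```

The last two calls show why the reply's advice works: with `${YEAR}`-style macros the path depends on message content and the spurious-path check is the only thing standing between a malformed date and a write outside the intended directory, while the `${R_YEAR}` template takes its date from the daemon's own clock, so the same message produces the expected file.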