Hi

This patch should fix the segmentation fault, I've committed this to 3.4 master, thanks for reporting it. Should apply to 3.3 too, I'm not sure which release you are using.

commit 077c669c2dcca7b7323e7a42dcaba94755d3bc23
Author: Balazs Scheidler <bazsi@balabit.hu>
Date: Sat Jan 26 13:53:22 2013 +0100

    logrewrite: fix rewrite set/subst related segfault

    If a set/rewrite operation is referenced from multiple locations, and it uses template functions, a segfault has occurred, as the clone operation didn't properly propagate the associated configuration object, which rendered template->cfg to be NULL, which in turn caused template-function lookup code to dereference a NULL pointer.

    This was fixed by two dependent changes:
    - always passing the already-compiled LogTemplate to the rewrite operations instead of a string constant.
    - reusing the compiled template object in clone()

    Since LogTemplate is reused, and the first one contains a proper reference to the appropriate configuration object, the NULL deref issue was solved too.

    Reported-By: Johnson, Chris <chris.johnson3@hp.com>
    Signed-off-by: Balazs Scheidler <bazsi@balabit.hu>

On Fri, 2013-01-25 at 23:43 +0000, Johnson, Chris (HP TippingPoint Roseville) wrote:
Hi all,
I've come across a problem when using the rewrite set function with a template function.
I've created a custom template function 'audit-TPTI-to-Email' and use it in a rewrite:
rewrite r_audit_EMail {
    set("$(audit-TPTI-to-EMail ${MSG})", value("MSG"));
};
Then call it:
filter f_audit_pgm{program("AUDIT-*" type("glob"));};
log {
    source(s_local);
    filter(f_audit_pgm);
    log {
        destination(d_logID_02);
    };
    log {
        rewrite(r_audit_EMail);
        rewrite(r_quote_newlines);
        destination(d_logID_13);
    };
    flags(final);
};
Everything works fine.
Then if I add another call to rewrite (i.e. add a second email destination):
filter f_audit_pgm{program("AUDIT-*" type("glob"));};
log {
    source(s_local);
    filter(f_audit_pgm);
    log {
        destination(d_logID_02);
    };
    log {
        rewrite(r_audit_EMail);
        rewrite(r_quote_newlines);
        destination(d_logID_13);
    };
    log {
        rewrite(r_audit_EMail);
        rewrite(r_quote_newlines);
        destination(d_logID_14);
    };
    flags(final);
};
Syslog-ng crashes with a segfault.
I've narrowed it down to any template function (just to make sure *I* wasn't screwing something up in my custom function):
rewrite r_echo { set("$(echo $PROGRAM)" value("PROGRAM")); };
destination d_test1{ file("/var/log/test1.log"); };
destination d_test2{ file("/var/log/test2.log"); };
log {
    source(s_local);
    log {
        rewrite(r_echo);
        destination(d_test1);
    };
    log {
        rewrite(r_echo);
        destination(d_test2);
    };
};
The backtrace:
Backtrace:
/usr/local/lib/libsyslog-ng-3.3.3.so(plugin_find+0x39)[0x7f3eb76ff019]
/usr/local/lib/libsyslog-ng-3.3.3.so(log_template_compile +0x84f)[0x7f3eb7703baf]
/usr/local/lib/libsyslog-ng-3.3.3.so(log_rewrite_set_new +0x99)[0x7f3eb76f3349]
/usr/local/lib/libsyslog-ng-3.3.3.so[0x7f3eb76f3371]
/usr/local/lib/libsyslog-ng-3.3.3.so(log_center_init_pipe_line +0x35d)[0x7f3eb76dfecd]
/usr/local/lib/libsyslog-ng-3.3.3.so(log_center_init_pipe_line +0xd2)[0x7f3eb76dfc42]
/usr/local/lib/libsyslog-ng-3.3.3.so(log_center_init +0x56)[0x7f3eb76e0226]
/usr/local/lib/libsyslog-ng-3.3.3.so(cfg_init+0xb0)[0x7f3eb76e1530]
/usr/local/lib/libsyslog-ng-3.3.3.so(main_loop_init +0x11b)[0x7f3eb76f9abb]
/usr/local/sbin/syslog-ng(main+0x11f)[0x40168f]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f3eb6240126]
/usr/local/sbin/syslog-ng[0x401379]
I threw in some debug statements:
LogRewrite *
log_rewrite_set_new(const gchar *new_value)
{
fprintf(stderr, "%s('%s'):\n", __FUNCTION__, new_value);
Plugin *
plugin_find(GlobalConfig *cfg, gint plugin_type, const gchar *plugin_name)
{
fprintf(stderr, "%s(%p, %d, '%s'): '\n", __FUNCTION__, cfg, plugin_type, plugin_name);
Which showed that the 'cfg' pointer is null when rewrite is called the second time:
log_rewrite_set_new('$(echo $PROGRAM)'):
plugin_find(0x60e210, 13, 'echo'): '
plugin_find: plugin->name = 'sys-to-EMail'
plugin_find: plugin->name = 'audit-TPTI-to-EMail'
plugin_find: plugin->name = 'quar-TPTI-to-EMail'
plugin_find: plugin->name = 'quar-TPTI-to-CEF'
plugin_find: plugin->name = 'tab-to-bar'
plugin_find: plugin->name = 'tab-to-semicolon'
plugin_find: plugin->name = 'tab-to-comma'
plugin_find: plugin->name = 'to-upper-case'
plugin_find: plugin->name = 'to-lower-case'
plugin_find: plugin->name = 'ipv4-to-int'
plugin_find: plugin->name = 'log-session-seqnum'
plugin_find: plugin->name = 'indent-multi-line'
plugin_find: plugin->name = 'if'
plugin_find: plugin->name = 'grep'
plugin_find: plugin->name = 'echo'
plugin_find(0x60e210, 2, 'file'): '
[...]
log_rewrite_set_new('$(echo $PROGRAM)'):
plugin_find((nil), 13, 'echo'): '
*** Segmentation fault
Sooo, my questions are:
Is this expected behavior?
Has this been patched already?
Is there another way I can call a custom function to reformat the message field on a destination-by-destination basis?
Thanks,
Chris
----------------------------------------
Christopher Johnson
chris.johnson3@hp.com
HP Software - Security Product Group
(916) 785-2817
----------------------------------------
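
Added example, not part of the original thread and not syslog-ng source code: a simplified C model of the failure the commit message describes, with a clone that rebuilds the template from its string (losing the configuration pointer) beside a clone that shares the already-compiled, reference-counted template. All type and function names are hypothetical, and the lookup is guarded so the model returns -1 at the point where the unguarded code would dereference NULL.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model; these types and functions are hypothetical, not syslog-ng's. */
typedef struct { const char *plugins[4]; } Config;
typedef struct { int refs; Config *cfg; char *text; } Template;
typedef struct { Template *value; } RewriteSet;

static Template *template_new(Config *cfg, const char *text) {
    Template *t = calloc(1, sizeof *t);
    t->refs = 1; t->cfg = cfg;
    t->text = malloc(strlen(text) + 1); strcpy(t->text, text);
    return t;
}
static Template *template_ref(Template *t) { t->refs++; return t; }
static void template_unref(Template *t) {
    if (--t->refs == 0) { free(t->text); free(t); }
}

/* Function lookup needs the config; guarded so the model reports the
   failure (-1) where the unguarded lookup would dereference NULL. */
static int template_lookup(const Template *t, const char *name) {
    if (t->cfg == NULL) return -1;
    for (size_t i = 0; i < 4 && t->cfg->plugins[i]; i++)
        if (strcmp(t->cfg->plugins[i], name) == 0) return 1;
    return 0;
}

/* Before: clone rebuilds the template from its string; no config is passed along. */
static RewriteSet clone_from_string(const RewriteSet *src) {
    RewriteSet c = { template_new(NULL, src->value->text) };
    return c;
}
/* After: clone shares the compiled template, so its cfg reference travels with it. */
static RewriteSet clone_shared(const RewriteSet *src) {
    RewriteSet c = { template_ref(src->value) };
    return c;
}

/* Returns the lookup result seen by a clone; shared != 0 selects the fixed clone. */
int lookup_in_clone(int shared) {
    Config cfg = { { "grep", "echo", NULL, NULL } };  /* constructed sample data */
    RewriteSet first = { template_new(&cfg, "$(echo $PROGRAM)") };
    RewriteSet second = shared ? clone_shared(&first) : clone_from_string(&first);
    int rc = template_lookup(second.value, "echo");
    template_unref(second.value);
    template_unref(first.value);
    return rc;
}
```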