Spurious path, logfile not created; path=
Hi,

For one of my hosts, I can see lots of these messages:

Spurious path, logfile not created; path=

What does it mean exactly? I'm creating files with this macro:

file("/var/log/netlog/unix/${HOST}/${YEAR}/${MONTH}/${HOST}-${YEAR}${MONTH}${DAY}.log"

and even for this host, I have all the logs regardless of this message. I also have messages for the same host like this:

Resource temporarily unavailable (11)

Here are some more details that may help to find out the reasons behind this:
- the issue started 9th February (I have a total of 160K entries like this)
- the filename/path was incorrect during the whole event: 2020/02/servername-20200210.log
- on the 29th the server went south by consuming lots of CPU and disappeared from the network; the console was frozen, so we had to reset the VM

The host is running an old syslog-ng PE (syslog-ng-premium-edition 4 LTS (4.0.5a) Installer-Version: 4.0.5a Revision: ssh+git://ganesa@git.balabit//var/scm/git/syslog-ng/syslog-ng-pe--mainline--4.0#master#457ec2f494a46d62ecf8cd938f12f02cd0ae9e63) on RHEL5.
Log sources are simple plain text files containing tomcat and other web server logs.
I have a twin host with the exact same config and log sources, but I have never seen messages like this from that one.

Do you have any idea? To me it looks very mysterious.

Thanks
Laszlo
Hi,

I don't know why this is happening, but spurious path is the following: https://github.com/syslog-ng/syslog-ng/blob/52ef5c7072c651807cc2778000b3b8fe...

For each opened file, syslog-ng checks for some malicious patterns in the file name for security reasons. If an attacker could inject `../../../` like macros, that could lead to writing some unwanted system-critical files.

File paths containing `../` or `/..` are called spurious paths in syslog-ng.

Br,
Antal

________________________________
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Pal, Laszlo <vlad@vlad.hu>
Sent: Monday, March 2, 2020 10:42
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] Spurious path, logfile not created; path=
On 02.03.20 13:53, Antal Nemes (anemes) wrote:
I don't know why this is happening, but spurious path is the following:
https://github.com/syslog-ng/syslog-ng/blob/52ef5c7072c651807cc2778000b3b8fe... For each opened file, syslog-ng checks for some malicious patterns in the file name for security reasons. If an attacker could inject `../../../` like macros, that could lead to writing some unwanted system-critical files.
File paths containing `../` or `/..` are called spurious paths in syslog-ng.
That could explain it. The macros in this line:
file("/var/log/netlog/unix/${HOST}/${YEAR}/${MONTH}/${HOST}-${YEAR}${MONTH}${DAY}.log"
are the dates and times taken from the message itself, so an attacker can send a message containing spurious characters instead of a real date. If you want to use the date/time when the message was received, use R_* macros (R_YEAR), or if you want to use the date the message was processed/written, use D_* macros (D_YEAR).
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
M$ Win's are shit, do not use it !
YEAR/MONTH/DAY macros never contain spurious elements, as the timestamp is parsed by syslog-ng and these macros work from the parsed representation. They might be invalid (if parsing fails), but are guaranteed to contain only numbers.

The $HOST portion on the other hand is controlled by the syslog client and can contain this sequence of characters.

It is strange that "path" in the original log message seems to be empty; it should contain the filename that was suspicious to syslog-ng.

On Mon, Mar 2, 2020 at 3:39 PM Matus UHLAR - fantomas <uhlar@fantomas.sk> wrote:
-- Bazsi
Thank you Bazsi,

This is really strange... only this client is affected and not the other server, which is also running RHEL5 + PE4. Right now I'm investigating the issue that caused a several-hour outage, and I'm suspicious that this behavior can be related to the CPU spike that caused the whole machine to freeze. Is this possible?

I think I figured out why this happened :)

For this specific log source, I'm using a different destination like this:

"/var/log/netlog/app/${HOST}/${PROGRAM}/${YEAR}/${MONTH}/${HOST}-${YEAR}${MONTH}${DAY}.log

I suppose sometimes $PROGRAM is either empty, or contains strings which can cause these *Spurious path* issues.... Can we say that using $PROGRAM in a local destination is quite dangerous? :)

Thanks
Laszlo
It's not necessarily dangerous, but it is better to sanitize the untrusted components of the filename, for instance with the $(sanitize) template function. This may or may not be available with the PE 4.0.5 that you are using.

On Mon, Mar 2, 2020 at 5:38 PM Pal, Laszlo <vlad@vlad.hu> wrote:
-- Bazsi
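To make the two points of this thread concrete (Antal's description of the spurious-path guard, which refuses any expanded filename containing `../` or `/..`, and Bazsi's advice to sanitize the client-controlled `$HOST` and `$PROGRAM` components before they reach the destination path), here is a small Python model. It is example code written for this page, not syslog-ng's own implementation: the substring test mirrors Antal's description, and the sanitizer's rules (replace `/` and control characters, collapse `..` runs, replace a leading dot) plus the `unknown` fallback for an empty component are assumptions; the real `$(sanitize)` template function's options and defaults depend on the syslog-ng version.

```python
import re

# Laszlo's second destination template, rewritten as a Python format string
# (syslog-ng writes ${HOST}; here it is {HOST}).
TEMPLATE = ("/var/log/netlog/app/{HOST}/{PROGRAM}/{YEAR}/{MONTH}/"
            "{HOST}-{YEAR}{MONTH}{DAY}.log")

# ASCII control characters, which have no business in a filename.
_CTRL = {chr(c) for c in range(0x20)} | {chr(0x7F)}


def is_spurious_path(path: str) -> bool:
    """Model of the guard described in the thread: a destination path is
    refused when it contains '../' or '/..' anywhere."""
    return "../" in path or "/.." in path


def sanitize(component: str, invalid_chars: str = "/", replacement: str = "_") -> str:
    """Model of $(sanitize) (ASSUMPTION: rules chosen here, not copied from
    syslog-ng). Replaces path separators and control characters, collapses
    runs of two or more dots, and replaces a leading dot, so that a single
    template component can never recreate '../' or '/..' once it is joined
    with the template's own separators."""
    s = "".join(replacement if (ch in invalid_chars or ch in _CTRL) else ch
                for ch in component)
    s = re.sub(r"\.{2,}", lambda m: replacement * len(m.group(0)), s)
    if s.startswith("."):
        s = replacement + s[1:]
    return s


def build_path(host: str, program: str, year: str = "2020", month: str = "02",
               day: str = "10", sanitized: bool = False,
               fallback: str = "unknown") -> str:
    """Expand the template. Year/month/day are trusted (syslog-ng parses the
    timestamp, so they only ever contain digits); host and program come from
    the client. The 'fallback' for an empty component is this example's own
    choice, not a syslog-ng feature."""
    if sanitized:
        host = sanitize(host) or fallback
        program = sanitize(program) or fallback
    return TEMPLATE.format(HOST=host, PROGRAM=program, YEAR=year,
                           MONTH=month, DAY=day)


def check_destination(host: str, program: str) -> dict:
    """Show what the guard would do with the raw and the sanitized expansion
    of one (HOST, PROGRAM) pair."""
    raw = build_path(host, program)
    safe = build_path(host, program, sanitized=True)
    return {
        "raw": raw,
        "raw_refused": is_spurious_path(raw),
        "sanitized": safe,
        "sanitized_refused": is_spurious_path(safe),
    }


# Constructed sample values for the client-controlled fields; none of these
# are taken from the list thread.
SAMPLES = [
    ("servername", "tomcat"),        # normal case
    ("servername", ""),              # empty $PROGRAM: doubled slash, not refused
    ("servername", "../../../etc"),  # traversal sequence arriving in $PROGRAM
    ("..", "httpd"),                 # traversal sequence arriving in $HOST
]

if __name__ == "__main__":
    for host, program in SAMPLES:
        r = check_destination(host, program)
        print(f"HOST={host!r} PROGRAM={program!r}")
        print(f"  raw       : {r['raw']}  refused={r['raw_refused']}")
        print(f"  sanitized : {r['sanitized']}  refused={r['sanitized_refused']}")
```

Running it shows the distinction Bazsi draws: the date components can never trip the guard, while a `..` arriving in either client-supplied field produces a refused path, and the same input passes once the component is sanitized. The empty-`$PROGRAM` case is included so the reader can see that, under the modelled rule, it yields a doubled slash rather than a spurious path; whether an empty component is additionally rejected by that PE version is not something the thread establishes.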
participants (4)
- Antal Nemes (anemes)
- Balazs Scheidler
- Matus UHLAR - fantomas
- Pal, Laszlo