[Bug 134] New: AIX syslog message not parsed correctly for hostname
https://bugzilla.balabit.com/show_bug.cgi?id=134

           Summary: AIX syslog message not parsed correctly for hostname
           Product: syslog-ng
           Version: 3.0.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: critical
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi@balabit.hu
        ReportedBy: ericduda@yahoo.com
Type of the Report: bug
   Estimated Hours: 0.0

U 1.1.1.1:32768 -> 2.2.2.2:514
<38>Sep 22 10:11:56 Message forwarded from cdaix66: sshd[679960]: Accepted publickey for nagios from 1.9.1.1 port 42096 ssh2

This is AIX forwarded. The hostname (in the example, cdaix66) is not parsed correctly, and put into macro $HOST.

What you end up with is "1.1.1.1", which is not right, it should parse out "cdaix66".

I'm running syslog-ng on rhel5.

--
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

https://bugzilla.balabit.com/show_bug.cgi?id=134

Gergely Nagy <algernon@balabit.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |algernon@balabit.hu

--- Comment #1 from Gergely Nagy <algernon@balabit.hu> 2011-09-22 23:51:50 ---
Do you have keep_hostname(yes) in the config? Without that, or if set to "no" (I'm afraid I forgot which is the default), syslog-ng will not trust the sent hostname, and will try to determine the host itself. And since in your case, it's coming from 1.1.1.1, that's what it ends up with.

Telling it to trust the sent hostname should do just that. If the problem persists with keep_hostname(yes), then this, indeed, is a bug.

https://bugzilla.balabit.com/show_bug.cgi?id=134

--- Comment #2 from Eric Duda <ericduda@yahoo.com> 2011-09-23 00:06:39 ---
Yes, keep hostname is yes:

source s_net {
    udp(keep_hostname(yes));
    tcp(ip(0.0.0.0) port(514) keep-alive(yes) keep_hostname(yes) max_connections(100));
};

https://bugzilla.balabit.com/show_bug.cgi?id=134

--- Comment #3 from Balazs Scheidler <bazsi@balabit.hu> 2011-09-23 22:28:40 ---
Indeed, it should work as described. I do remember the code in the parsing logic. Might have become broken at some point. Would be nice to check the unit tests if anything covers this.

https://bugzilla.balabit.com/show_bug.cgi?id=134

Balazs Scheidler <bazsi@balabit.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|                            |FIXED
             Status|NEW                         |RESOLVED

--- Comment #4 from Balazs Scheidler <bazsi@balabit.hu> 2011-09-27 20:44:52 ---
This patch fixes it in 3.3, backport should be possible, however not very simple, however this is how far I got at this time.

commit bde16fe3cb7d6025ab3bb5463213a5a7f0cba290
Author: Balazs Scheidler <bazsi@balabit.hu>
Date:   Tue Sep 27 20:44:01 2011 +0200

    syslogformat: handle AIX style message forwards properly

    There was a bug in processing AIX style message forwards, the hostname
    wasn't detected properly. This patch fixes that issue and adds a
    unit test to cover this case.

    Reported-By: ericduda@yahoo.com
    Cc: syslog-ng-stable@balabit.hu
    Signed-off-by: Balazs Scheidler <bazsi@balabit.hu>

https://bugzilla.balabit.com/show_bug.cgi?id=134

--- Comment #5 from Eric Duda <ericduda@yahoo.com> 2011-09-27 23:23:33 ---
Do you have plans to backport it to 3.0.x in the next few weeks? I'm not able to upgrade to 3.3 at this time.

https://bugzilla.balabit.com/show_bug.cgi?id=134

--- Comment #6 from Balazs Scheidler <bazsi@balabit.hu> 2011-09-28 09:22:00 ---
I don't maintain 3.0 anymore, 3.2 is the current stable version, and I'd backport there when I get to do a release.

But why don't you try to locate the patched code in 3.0, the patch is really simple and a very similar code fragment is in logmsg.c in the 3.0 tree.
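
The AIX forward format from the report, as an added example (not syslog-ng's code and not the patch from the commit above): a small parser that recovers the originating host from the "Message forwarded from" prefix, so a log is attributed to the real sender rather than the relay's IP. The function name `extract_host` and the sample line are constructed for illustration; as comment #1 notes, a sender-supplied host is only used when keep_hostname(yes) is set.

```c
#include <stdio.h>
#include <string.h>

/* Prefix AIX syslogd puts in front of a relayed message (from the report). */
static const char AIX_FWD[] = "Message forwarded from ";

/* Hypothetical helper: copy the originating host of a BSD-style syslog line
 * into `host`. Returns 1 if it came from an AIX forward prefix, 0 if it is
 * the plain HOSTNAME field, -1 if the line is malformed or host won't fit. */
int extract_host(const char *line, char *host, size_t hostlen)
{
    const char *p = line;
    size_t n;
    int aix = 0;

    /* <PRI>: 1-3 digits between angle brackets */
    if (*p++ != '<') return -1;
    n = strspn(p, "0123456789");
    if (n < 1 || n > 3 || p[n] != '>') return -1;
    p += n + 1;

    /* "Mmm dd hh:mm:ss" timestamp is fixed width: 15 chars, then a space */
    if (strlen(p) < 16 || p[15] != ' ') return -1;
    p += 16;

    if (strncmp(p, AIX_FWD, sizeof(AIX_FWD) - 1) == 0) {
        p += sizeof(AIX_FWD) - 1;
        n = strcspn(p, ": ");
        if (p[n] != ':') return -1;        /* host must be closed by ':' */
        aix = 1;
    } else {
        n = strcspn(p, " ");               /* ordinary HOSTNAME field */
    }
    if (n == 0 || n >= hostlen) return -1; /* empty, or would overflow */
    memcpy(host, p, n);
    host[n] = '\0';
    return aix;
}

int main(void)
{
    /* Constructed sample modelled on the line in the report. */
    const char *msg = "<38>Sep 22 10:11:56 Message forwarded from cdaix66: "
                      "sshd[679960]: Accepted publickey for nagios";
    char host[64];
    int rc = extract_host(msg, host, sizeof host);
    printf("rc=%d host=%s\n", rc, rc >= 0 ? host : "(none)");
    return 0;
}
```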