Problems with rewrite set and template functions...
Hi all,

I've come across a problem when using the rewrite set function with a template function.

I've created a custom template function 'audit-TPTI-to-Email' and use it in a rewrite:

rewrite r_audit_EMail {
    set("$(audit-TPTI-to-EMail ${MSG})", value("MSG"));
};

Then call it:

filter f_audit_pgm{program("AUDIT-*" type("glob"));};
log {
    source(s_local);
    filter(f_audit_pgm);
    log {
        destination(d_logID_02);
    };
    log {
        rewrite(r_audit_EMail);
        rewrite(r_quote_newlines);
        destination(d_logID_13);
    };
    flags(final);
};

Everything works fine.

Then if I add another call to rewrite (i.e. add a second email destination):

filter f_audit_pgm{program("AUDIT-*" type("glob"));};
log {
    source(s_local);
    filter(f_audit_pgm);
    log {
        destination(d_logID_02);
    };
    log {
        rewrite(r_audit_EMail);
        rewrite(r_quote_newlines);
        destination(d_logID_13);
    };
    log {
        rewrite(r_audit_EMail);
        rewrite(r_quote_newlines);
        destination(d_logID_14);
    };
    flags(final);
};

Syslog-ng crashes with a segfault.

I've narrowed it down to any template function (just to make sure *I* wasn't screwing something up in my custom function):

rewrite r_echo { set("$(echo $PROGRAM)" value("PROGRAM")); };
destination d_test1{ file("/var/log/test1.log"); };
destination d_test2{ file("/var/log/test2.log"); };
log {
    source(s_local);
    log {
        rewrite(r_echo);
        destination(d_test1);
    };
    log {
        rewrite(r_echo);
        destination(d_test2);
    };
};

The backtrace:

Backtrace:
/usr/local/lib/libsyslog-ng-3.3.3.so(plugin_find+0x39)[0x7f3eb76ff019]
/usr/local/lib/libsyslog-ng-3.3.3.so(log_template_compile+0x84f)[0x7f3eb7703baf]
/usr/local/lib/libsyslog-ng-3.3.3.so(log_rewrite_set_new+0x99)[0x7f3eb76f3349]
/usr/local/lib/libsyslog-ng-3.3.3.so[0x7f3eb76f3371]
/usr/local/lib/libsyslog-ng-3.3.3.so(log_center_init_pipe_line+0x35d)[0x7f3eb76dfecd]
/usr/local/lib/libsyslog-ng-3.3.3.so(log_center_init_pipe_line+0xd2)[0x7f3eb76dfc42]
/usr/local/lib/libsyslog-ng-3.3.3.so(log_center_init+0x56)[0x7f3eb76e0226]
/usr/local/lib/libsyslog-ng-3.3.3.so(cfg_init+0xb0)[0x7f3eb76e1530]
/usr/local/lib/libsyslog-ng-3.3.3.so(main_loop_init+0x11b)[0x7f3eb76f9abb]
/usr/local/sbin/syslog-ng(main+0x11f)[0x40168f]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f3eb6240126]
/usr/local/sbin/syslog-ng[0x401379]

I threw in some debug statements:

LogRewrite *
log_rewrite_set_new(const gchar *new_value)
{
  fprintf(stderr, "%s('%s'):\n", __FUNCTION__, new_value);
  /* ... rest of the function unchanged ... */
}

Plugin *
plugin_find(GlobalConfig *cfg, gint plugin_type, const gchar *plugin_name)
{
  fprintf(stderr, "%s(%p, %d, '%s'): '\n", __FUNCTION__, cfg, plugin_type, plugin_name);
  /* ... rest of the function unchanged ... */
}

Which showed that the 'cfg' pointer is null when rewrite is called the second time:

log_rewrite_set_new('$(echo $PROGRAM)'):
plugin_find(0x60e210, 13, 'echo'): '
plugin_find: plugin->name = 'sys-to-EMail'
plugin_find: plugin->name = 'audit-TPTI-to-EMail'
plugin_find: plugin->name = 'quar-TPTI-to-EMail'
plugin_find: plugin->name = 'quar-TPTI-to-CEF'
plugin_find: plugin->name = 'tab-to-bar'
plugin_find: plugin->name = 'tab-to-semicolon'
plugin_find: plugin->name = 'tab-to-comma'
plugin_find: plugin->name = 'to-upper-case'
plugin_find: plugin->name = 'to-lower-case'
plugin_find: plugin->name = 'ipv4-to-int'
plugin_find: plugin->name = 'log-session-seqnum'
plugin_find: plugin->name = 'indent-multi-line'
plugin_find: plugin->name = 'if'
plugin_find: plugin->name = 'grep'
plugin_find: plugin->name = 'echo'
plugin_find(0x60e210, 2, 'file'): '
[...]
log_rewrite_set_new('$(echo $PROGRAM)'):
plugin_find((nil), 13, 'echo'): '
*** Segmentation fault

Sooo, my questions are:

Is this expected behavior?
Has this been patched already?
Is there another way I can call a custom function to reformat the message field on a destination-by-destination basis?

Thanks,
Chris

----------------------------------------
Christopher Johnson
chris.johnson3@hp.com
HP Software - Security Product Group
(916) 785-2817
----------------------------------------
Hi,

I recall something related, but I need to check. In that case the clone method wasn't properly initializing all the fields of an object in case it is referenced multiple times.

Which version are you using?

I see you have implemented a number of interesting template functions, I'd like to integrate them to syslog-ng if you are permitted to contribute them.

Also, you might be able to get rid of rewrite rules and simply use the template option for file destinations, that'd get your config much simpler.

And another note, 3.4 offers junctions and channels that again can make it possible to enclose your rewrites into reusable blocks, and by the use of inline objects, would also simplify the configuration a lot.

Cheers,
Oops, forgot the version… I'm running 3.3.3.

For now, I'm locked into using version 3.3.3.

In my implementation, I'm defining destinations once (local log file, remote syslog server, Email address, …) and use them for multiple services. Each service can have a different message format for each destination, and I want to avoid defining a new destination for each service/destination combination.

Upon further investigation, I think I can use the 'if' template function to pick which of my custom functions to use and avoid the rewrites.

The template functions that I can release are:

Using 'ipv4-to-int' as a template and added these to 'modules/convertfuncs/convert-funcs.c':

#include <ctype.h>   /* tolower(), toupper() */

/*
 * HP - add a 'to-lower-case' function
 * change case to lower for a string
 */
static void
tf_to_lower_case(LogMessage *msg, gint argc, GString *argv[], GString *result)
{
  gint i;

  for (i = 0; i < argc; i++)
    {
      char *p;

      /* cast to unsigned char: tolower() is undefined for negative char values */
      for (p = argv[i]->str; *p; p++)
        g_string_append_c(result, tolower((unsigned char) *p));
      /* arguments are joined with a single space */
      if (i < argc - 1)
        g_string_append_c(result, ' ');
    }
}

/*
 * HP - add a 'to-upper-case' function
 * change case to upper for a string
 */
static void
tf_to_upper_case(LogMessage *msg, gint argc, GString *argv[], GString *result)
{
  gint i;

  for (i = 0; i < argc; i++)
    {
      char *p;

      /* cast to unsigned char: toupper() is undefined for negative char values */
      for (p = argv[i]->str; *p; p++)
        g_string_append_c(result, toupper((unsigned char) *p));
      if (i < argc - 1)
        g_string_append_c(result, ' ');
    }
}

/*
 * HP - add a 'tab-to-comma' function
 * change tabs to commas ',' in a string
 */
static void
tf_tab_to_comma(LogMessage *msg, gint argc, GString *argv[], GString *result)
{
  gint i;

  for (i = 0; i < argc; i++)
    {
      char *p;

      /* p advances in the loop header so the argument has no side effects */
      for (p = argv[i]->str; *p; p++)
        g_string_append_c(result, (*p == '\t') ? ',' : *p);
      if (i < argc - 1)
        g_string_append_c(result, ' ');
    }
}

/*
 * HP - add a 'tab-to-semicolon' function
 * change tabs to semicolons ';' in a string
 */
static void
tf_tab_to_semicolon(LogMessage *msg, gint argc, GString *argv[], GString *result)
{
  gint i;

  for (i = 0; i < argc; i++)
    {
      char *p;

      for (p = argv[i]->str; *p; p++)
        g_string_append_c(result, (*p == '\t') ? ';' : *p);
      if (i < argc - 1)
        g_string_append_c(result, ' ');
    }
}

/*
 * HP - add a 'tab-to-bar' function
 * change tabs to bars '|' in a string
 */
static void
tf_tab_to_bar(LogMessage *msg, gint argc, GString *argv[], GString *result)
{
  gint i;

  for (i = 0; i < argc; i++)
    {
      char *p;

      for (p = argv[i]->str; *p; p++)
        g_string_append_c(result, (*p == '\t') ? '|' : *p);
      if (i < argc - 1)
        g_string_append_c(result, ' ');
    }
}

TEMPLATE_FUNCTION_SIMPLE(tf_ipv4_to_int);
TEMPLATE_FUNCTION_SIMPLE(tf_to_lower_case);
TEMPLATE_FUNCTION_SIMPLE(tf_to_upper_case);
TEMPLATE_FUNCTION_SIMPLE(tf_tab_to_comma);
TEMPLATE_FUNCTION_SIMPLE(tf_tab_to_semicolon);
TEMPLATE_FUNCTION_SIMPLE(tf_tab_to_bar);

static Plugin convert_func_plugins[] =
{
  TEMPLATE_FUNCTION_PLUGIN(tf_ipv4_to_int, "ipv4-to-int"),
  TEMPLATE_FUNCTION_PLUGIN(tf_to_lower_case, "to-lower-case"),
  TEMPLATE_FUNCTION_PLUGIN(tf_to_upper_case, "to-upper-case"),
  TEMPLATE_FUNCTION_PLUGIN(tf_tab_to_comma, "tab-to-comma"),
  TEMPLATE_FUNCTION_PLUGIN(tf_tab_to_semicolon, "tab-to-semicolon"),
  TEMPLATE_FUNCTION_PLUGIN(tf_tab_to_bar, "tab-to-bar"),
};

Chris

From: Balazs Scheidler [mailto:bazsi77@gmail.com]
Sent: Friday, January 25, 2013 10:48 PM
To: Syslog-ng users' and developers' mailing list; Johnson, Chris (HP TippingPoint Roseville)
Subject: Re: [syslog-ng] Problems with rewrite set and template functions...

Hi,

I recall something related, but I need to check. In that case the clone method wasn't properly initializing all the fields of an object in case it is referenced multiple times.

Which version are you using?

I see you have implemented a number of interesting template functions, I'd like to integrate them to syslog-ng if you are permitted to contribute them.

Also, you might be able to get rid of rewrite rules and simply use the template option for file destinations, that'd get your config much simpler.

And another note, 3.4 offers junctions and channels that again can make it possible to enclose your rewrites into reusable blocks, and by the use of inline objects, would also simplify the configuration a lot.

Cheers,
"Johnson, Chris (HP TippingPoint Roseville)" <chris.johnson3@hp.com> writes:
> Oops, forgot the version… I'm running 3.3.3.
> For now, I'm locked into using version 3.3.3.

I applied Bazsi's fix to 3.3 as well, the following patch should apply cleanly to 3.3.3 as well: https://github.com/algernon/syslog-ng/commit/0fdc8d69fbe9492f79e917c4d26514d...

Though, I would highly recommend upgrading to 3.3.8, there's been a ton of things fixed since 3.3.3.

> The template functions that I can release are: Using 'ipv4-to-int' as a template and added these to 'modules/convertfuncs/convert-funcs.c':

[...]

Thanks, I'll pick these for 3.5, once I get there!

--
|8]
"Johnson, Chris (HP TippingPoint Roseville)" <chris.johnson3@hp.com> writes:
> The template functions that I can release are: Using 'ipv4-to-int' as a template and added these to 'modules/convertfuncs/convert-funcs.c':

Better later than never, I finally got around to these template functions, and they're going to hit my merge-queue/3.5 branch soon.

For upper-case and lower-case, I used g_utf8_strup() and g_utf8_strdown() instead of toupper() and tolower(), so that it works on UTF8 chars too, not just ASCII.

I did not pick the tf_tab_to_$something functions, but implemented $(delimit) instead, which can replace a number of delimiters within a string with another delimiter. So $(tab-to-comma $MESSAGE) would become $(delimit "\t" "," $MESSAGE), and so on. I did not add shortcuts for now.

--
|8]
Hi

This patch should fix the segmentation fault, I've committed this to 3.4 master, thanks for reporting it. Should apply to 3.3 too, I'm not sure which release you are using.

commit 077c669c2dcca7b7323e7a42dcaba94755d3bc23
Author: Balazs Scheidler <bazsi@balabit.hu>
Date:   Sat Jan 26 13:53:22 2013 +0100

    logrewrite: fix rewrite set/subst related segfault

    If a set/rewrite operation is referenced from multiple locations, and it uses template functions, a segfault has occurred, as the clone operation didn't properly propagate the associated configuration object, which rendered template->cfg to be NULL, which in turn caused template-function lookup code to dereference a NULL pointer.

    This was fixed by two dependent changes:
      - always passing the already-compiled LogTemplate to the rewrite operations instead of a string constant.
      - reusing the compiled template object in clone()

    Since LogTemplate is reused, and the first one contains a proper reference to the appropriate configuration object, the NULL deref issue was solved too.

    Reported-By: Johnson, Chris <chris.johnson3@hp.com>
    Signed-off-by: Balazs Scheidler <bazsi@balabit.hu>

On Fri, 2013-01-25 at 23:43 +0000, Johnson, Chris (HP TippingPoint Roseville) wrote:
[...]
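The failure mode described in the commit message above, as a simplified C model. This is an added example, not syslog-ng code and not part of the original thread: the Config, Template and Rewrite types and every function body (including the plugin_find stand-in) are hypothetical. It shows a clone that recompiles the template string without a configuration failing to resolve $(echo ...), a clone that shares the compiled template succeeding, and a lookup that returns failure on a NULL config instead of dereferencing it.

```c
/* Added example: simplified model; all names are hypothetical, not syslog-ng's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { const char *funcs[4]; } Config;                  /* function registry */
typedef struct { const Config *cfg; int refs; int ok; } Template; /* compiled template */
typedef struct { const char *src; Template *tmpl; } Rewrite;      /* set("...") rule */

/* Function lookup that rejects a missing config instead of dereferencing it. */
static int plugin_find(const Config *cfg, const char *name) {
  if (cfg == NULL) return 0;
  for (size_t i = 0; i < 4 && cfg->funcs[i] != NULL; i++)
    if (strcmp(cfg->funcs[i], name) == 0)
      return 1;
  return 0;
}

/* Compile "$(name args)": resolve the function name against cfg. */
static Template *template_compile(const Config *cfg, const char *src) {
  Template *t = calloc(1, sizeof *t);
  char name[32];
  if (t == NULL) abort();
  t->cfg = cfg; t->refs = 1;
  t->ok = sscanf(src, "$(%31[^ )]", name) == 1 && plugin_find(cfg, name);
  return t;
}

static Rewrite *rewrite_new(const char *src, Template *tmpl) {
  Rewrite *r = calloc(1, sizeof *r);
  if (r == NULL) abort();
  r->src = src; r->tmpl = tmpl;
  return r;
}

static void rewrite_free(Rewrite *r) {
  if (--r->tmpl->refs == 0) free(r->tmpl);
  free(r);
}

/* Pre-fix pattern: the clone recompiles from the string and has no config. */
static Rewrite *rewrite_clone_recompile(const Rewrite *r) {
  return rewrite_new(r->src, template_compile(NULL, r->src));
}

/* Post-fix pattern: the clone takes a reference on the compiled template. */
static Rewrite *rewrite_clone_shared(const Rewrite *r) {
  r->tmpl->refs++;
  return rewrite_new(r->src, r->tmpl);
}

/* Reference one rule twice; report whether the second reference resolved. */
static int second_reference_resolves(int shared) {
  static const Config cfg = { { "echo", "grep", "if", NULL } }; /* constructed */
  const char *src = "$(echo $PROGRAM)";
  Rewrite *first = rewrite_new(src, template_compile(&cfg, src));
  Rewrite *second = shared ? rewrite_clone_shared(first) : rewrite_clone_recompile(first);
  int ok = second->tmpl->ok && second->tmpl->cfg == &cfg;
  rewrite_free(second);
  rewrite_free(first);
  return ok;
}

int main(void) {
  printf("recompiling clone resolves: %d\n", second_reference_resolves(0));
  printf("sharing clone resolves:     %d\n", second_reference_resolves(1));
  return 0;
}
```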
participants (3)
- Balazs Scheidler
- Gergely Nagy
- Johnson, Chris (HP TippingPoint Roseville)