syslog-ng 1.4.9a mixing up log sources?
Today, I upgraded to 1.4.9a on our Solaris log server. Some hours later, my "logcheck clone" reported strange things; our webserver's logs contained lines for netsrvm (part of the Mimer database). However, we do not run Mimer on that machine, but on some others.

Sample log line (host names/IPs changed):

Nov 24 13:29:08 web.example/web.example netsrvm[15501]: connect from mimerclient.example<30>sshd[9892]: log: Connection from 192.168.1.1 port 57733

The second part could be a correct entry for the web machine.

Please contact me personally if unmodified log lines are needed for some debugging.

-- 
Kent Engström, Linköping University Incident Response Team
kent@unit.liu.se abuse@liu.se +46 13 28 1744
UNIT, Linköping University; SE-581 83 LINKÖPING; SWEDEN
Strange similar things happened here on our Linux machine when using 1.4.9a. All Solaris logs seem to have gone into /dev/null and logs from Cisco equipment appeared randomly in other logs. This does not happen with 1.4.8.

/Andreas Östling

On Friday 24 November 2000 16:24, Kent Engström wrote:
> Today, I upgraded to 1.4.9a on our Solaris log server. Some hours later, my "logcheck clone" reported strange things; our webserver's logs contained lines for netsrvm (part of the Mimer database). However, we do not run Mimer on that machine, but on some others.
> Strange similar things happened here on our Linux machine when using 1.4.9a. All Solaris logs seem to have gone into /dev/null and logs from Cisco equipment appeared randomly in other logs. This does not happen with 1.4.8.
hmm... strange, the patch to 1.4.9a affects only line parsing. I'll check this out.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
hi,
> Today, I upgraded to 1.4.9a on our Solaris log server. Some hours later, my "logcheck clone" reported strange things; our webserver's logs contained lines for netsrvm (part of the Mimer database). However, we do not run Mimer on that machine, but on some others.
>
> Sample log line (host names/IPs changed):
>
> Nov 24 13:29:08 web.example/web.example netsrvm[15501]: connect from mimerclient.example<30>sshd[9892]: log: Connection from 192.168.1.1 port 57733
>
> The second part could be a correct entry for the web machine.
>
> Please contact me personally if unmodified log lines are needed for some debugging.
can you check if this one fixes your problem:

--- /home/bazsi/z/syslog-ng-1.4.9a/src/sources.c	Thu Nov 23 09:27:15 2000
+++ sources.c	Fri Nov 24 19:08:39 2000
@@ -100,8 +100,8 @@
 	eol = memchr(closure->buffer, '\0', closure->pos);
 	if (eol == NULL)
 		eol = memchr(closure->buffer, '\n', closure->pos);
-	if (!eol && closure->pos == MAX_LINE) {
-		/* our buffer is full, we have to flush it */
+	if (!eol && closure->pos) {
+		/* we don't have a terminating nl nor \0 */
 		do_handle_line(closure, closure->pos, closure->buffer, salen ? (abstract_addr *) &sabuf : NULL, salen);
 		closure->pos = 0;
 		return ST_OK | ST_GOON;

This restores the original behaviour (which I believed to be only used on HP-UXes) (you may have to touch sources.c.x after applying the patch)

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
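Review bot: the relaxed condition `if (!eol && closure->pos)` now flushes any unterminated data on every read, which is what stops a datagram lacking a trailing '\n' or '\0' from sitting in closure->buffer until a later peer's data is appended and the joined text is handed to do_handle_line() with that later peer's &sabuf (the misattributed netsrvm/sshd line in the report). If this code path is also used for stream sources, a message that arrives split across two reads will now be emitted as two records; since the message says this merely restores pre-1.4.9a behaviour, the new comment should say that the flush is intentional for datagram-style reads rather than just "we don't have a terminating nl nor \0". Minor: the `+++ sources.c` header has no src/ path while `---` does, so the patch needs to be applied from inside src/ or with the path stripped.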
> can you check if this one fixes your problem:
The patch seems to work for me.

Regards,
Andreas Östling
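Added example (not code from this thread or from syslog-ng): a small C model of the buffer logic in the hunk above, with a constructed MAX_LINE, constructed peer names and constructed datagrams, that replays the reported symptom. Under the 1.4.9a rule a datagram with no trailing newline stays in the buffer, is glued to the next peer's datagram and comes out attributed to that peer; under the patched rule each datagram is emitted on its own.

```c
#include <stdio.h>
#include <string.h>
#define MAX_LINE 128  /* constructed buffer size for this model, not syslog-ng's */

/* One emitted record: the peer it was attributed to, and the text. */
struct record { char peer[32]; char text[MAX_LINE + 1]; };
/* Reader state modelled on the closure in sources.c; flush rule: 1 = 1.4.9a, 0 = patched */
struct reader { char buffer[MAX_LINE]; size_t pos; int flush_only_when_full; };

static void emit(struct record *rec, const char *peer, const char *s, size_t len)
{
    snprintf(rec->peer, sizeof rec->peer, "%s", peer);
    memcpy(rec->text, s, len);
    rec->text[len] = '\0';
}

/* Append one datagram from `peer`, then run the hunk's splitting logic. As with
   do_handle_line() and sabuf, a flushed record is attributed to the peer of the read that triggered it. */
size_t feed(struct reader *r, const char *peer, const char *data,
            struct record *out, size_t max_out)
{
    size_t n = 0, len = strlen(data);
    if (len > MAX_LINE - r->pos) len = MAX_LINE - r->pos;  /* buffer full: truncate */
    memcpy(r->buffer + r->pos, data, len);
    r->pos += len;
    while (n < max_out) {
        char *eol = memchr(r->buffer, '\0', r->pos);
        if (eol == NULL) eol = memchr(r->buffer, '\n', r->pos);
        if (eol == NULL) {
            int flush = r->flush_only_when_full ? r->pos == MAX_LINE : r->pos != 0;
            if (flush) { emit(&out[n++], peer, r->buffer, r->pos); r->pos = 0; }
            return n;
        }
        size_t linelen = (size_t)(eol - r->buffer);
        emit(&out[n++], peer, r->buffer, linelen);
        memmove(r->buffer, eol + 1, r->pos - linelen - 1);
        r->pos -= linelen + 1;
    }
    return n;
}

/* Replay the reported scenario with constructed peers: the Mimer host sends a line without a newline, then the web server sends a normal one. */
size_t replay(int flush_only_when_full, struct record *out, size_t max_out)
{
    struct reader r = { {0}, 0, flush_only_when_full };
    size_t n = feed(&r, "mimerhost.example", "netsrvm[15501]: connect from mimerclient.example", out, max_out);
    n += feed(&r, "web.example", "<30>sshd[9892]: log: Connection from 192.168.1.1 port 57733\n", out + n, max_out - n);
    return n;
}
```

With replay(1) the single record carries the web server's peer and the glued text from the sample line; with replay(0) two records come out, each under its own peer.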
participants (3)
- Andreas Östling
- Balazs Scheidler
- kent@unit.liu.se