[syslog-ng] syslog-ng mistreating data as part of the hostname ?

Balazs Scheidler bazsi@balabit.hu
Sat, 19 Jan 2002 22:06:27 +0100


On Fri, Jan 18, 2002 at 10:35:28AM -0800, Nate Campi wrote:
> On Thu, Jan 17, 2002 at 08:48:23AM +0100, Hildenbrand, Patrick wrote:
> > On Wed, Jan 16, 2002 at 07:45:26PM +0100, Nate Campi wrote:
> > >On Wed, Jan 16, 2002 at 05:14:11PM +0100, Hildenbrand, Patrick wrote:
> > >
> > ><123>named[123]: another error from BIND, you should use djbdns
> 
> > my debugging showed the prio being only two digits (ex. <23>) but yes and
> > the difference is, 
> 
> The PRI is between 0 (one digit) and 192 (3 digits), no leading 0's
> unless it is the number zero. This variance is normal.
> 
> > there is even no timestamp, why this case is explicitly covered in the RFC,
> > while the case of the Cabletron SSR is not. This is probably also why
> > syslog-ng does not have a problem with this case, it gets logged as:
> > 	Jan 17 08:11:21 hwdf0006/hwdf0006 PAM_pwdb[22525]: (sshd) session
> > close
> > so syslog-ng correctly adds time and hostname to the log entry.
> > The format of linux (and others) is:
> > <Prio>message
> > The format of the SSR is:
> > <Prio>datetime<space>message
> 
> Solaris does it the same way. No hostname is ever sent, but the rest
> of the HEADER is sent.
> 
> > The format the RFC suggests is:
> > <Prio>datetime{space}hostname{space}message
> > 
> > >It is up to the relay/collector to input the complete header.
> 
> > this is my understanding from the rfc too, but how do I get this using
> > syslog-ng ?
> 
> You cannot. I had to write a proxy that inserts the hostname before the
> message. syslog-ng is following the RFC (before it was even written ;),
> it cannot know whether a string is a hostname or the beginning of the
> message. It has to assume that if the rest of the HEADER is there, the
> hostname must be correct.
> 
> > 
> > >I missed the beginning of this thread, is "%ACL_LOG-I-DENY" getting set
> > >as your hostname? I had the same problem with solaris logs when the
> > >"TAG" field had a space in it, so syslog-ng (correctly) thinks the first
> > >part of the process name (in the "TAG") was the hostname. I wrote a
> > >syslog proxy to overcome this, since I can't ask syslog-ng to stop
> > >following standards.
> 
> > as said above, there is one space between date and message but according to
> > the standard, 
> > there is no standard on how devices do send their messages
> > >Perhaps syslog-ng can have a configuration setting where if it receives
> > >a certain string in the hostname field, you can set keep-hostname to no
> > >for just that message. That would save the day for me, but I don't know
> > >how hard it would be to implement that.
> 
> > Well I would vote for getting a setting just the other way around, so for
> > being able to configure something like
> > options( addhostname(<pattern>) 
> > which would lead to the hostname being added if the pattern is matched and
> > the pattern then being treated as part of the message.
> > For me this just would be a '^%' as every message of the ssr is prepended
> > with the percent sign ;-)
> 
> D'oh! That's actually what I meant, I sent off the message too fast and
> didn't feel like replying to my own message with a correction.
> 
> > BTW: I do not know how the linux syslog does it, but it does not have this
> > problem. Maybe because '%' is not a valid char for hostnames. linux syslog
> > is a pretty standard syslog I'd guess, though you could argue, whether this
> > is correct according to the standard. Linux syslog displays the message
> > above as:
> > Jan 13 04:02:12 1.2.3.4 %ACL_LOG-I-DENY, ACL [280] on "rtfa" UDP
> > 192.168.1.2:4721 -> 14.9.1.3:53
> > so it automagically adds the ip address to the message. Again maybe because
> > of the '%' and ',' signs inside the string at the <hostname> position.
> 
> Balazs, could syslog-ng do the same here please? You haven't responded to
> any of my message lately asking for input on feature requests. Maybe I'm
> so out of line you just don't want to respond :(

It's nothing personal. I'm more or less following the discussion, but I
simply have no time. I'm loaded with Zorp related tasks, and syslog-ng is
currently at a low priority. The few minutes I spend on syslog-ng is
absolutely in my free time.

I have a bug report about leaking file descriptors in file sources, and that's
the first thing I want to fix.

Message parsing is as follows: (it's in the file log.c, function
parse_log_msg)

* parse priority if present (decided based on the first character)
* skip white space if present
* check if we have something that looks like date
  * if we have date:
    * skip white space after date
    * check if we have an AIX "forwarded for" or a "last message repeated" message
    * if nothing is special, we look for the first word up to  ' ' or ':' or '['
    * if the first word is ended by a space, it is taken as hostname, otherwise as programname
  * if we don't have date:
    * the first word up to ' ' or '[' or ':' or '/' or ',' or '<' is taken as programname

So the message above is parsed as follows:
date=Jan 13 04:02:12
hostname=%ACL_LOG-I-DENY,
msg=ACL [280] on "rtfa" UDP 192.168.1.2:4721 -> 14.9.1.3:53

if keep-hostname is on, syslog-ng will not add a hostname, but will keep %ACL_LOG-I-DENY.

if keep-hostname is off, syslog-ng will substitute the hostname (or IP
address) of the host it received the message from instead of %ACL_LOG-I-DENY,.

chain-hostnames may vary this behaviour a bit. I think an option
"missing-hostname" on a per source basis might be useful. Or some new
filters which would modify message parts.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
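The parsing steps Bazsi lists above, written out as an added example in Python (this is not syslog-ng's own log.c, which is C, and it is not the project's code): a parser that follows those rules, applies keep-hostname, and also implements the per-source "missing-hostname(<pattern>)" option suggested in the thread, which does not exist in syslog-ng and is assumed here. It is run over constructed copies of the lines quoted in the thread (the SSR ACL line, the BIND line without a date, the Solaris PAM line) so you can see which word lands in the hostname slot in each case. The AIX "forwarded for" and "last message repeated" special cases are not modelled.

```python
import re
from dataclasses import dataclass
from typing import Optional

# BSD syslog timestamp "Mmm dd hh:mm:ss"; the day may be space padded.
DATE_RE = re.compile(
    r"(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d \d\d:\d\d:\d\d"
)

# Constructed samples, modelled on the lines quoted in the thread.
ACL_LINE = ('<23>Jan 13 04:02:12 %ACL_LOG-I-DENY, ACL [280] on "rtfa" UDP '
            '192.168.1.2:4721 -> 14.9.1.3:53')
BIND_LINE = '<123>named[123]: another error from BIND, you should use djbdns'
PAM_LINE = '<38>Jan 17 08:11:21 PAM_pwdb[22525]: (sshd) session close'
GOOD_LINE = '<34>Jan 13 04:02:12 hwdf0006 sshd[22525]: session opened'


@dataclass
class LogMsg:
    pri: Optional[int]
    date: Optional[str]
    host: str
    program: Optional[str]
    msg: str


def _first_word(text: str, stop: str):
    """Return (word, index of the terminator or len(text))."""
    for i, ch in enumerate(text):
        if ch in stop:
            return text[:i], i
    return text, len(text)


def parse_log_msg(line: str, peer: str, keep_hostname: bool = True,
                  missing_hostname: Optional[str] = None) -> LogMsg:
    """Parse one datagram following the steps described in the thread.

    peer: address the datagram arrived from; used as hostname whenever the
          header carries none, or keep-hostname is off.
    missing_hostname: hypothetical per-source option (assumed, not in
          syslog-ng): a regex that, when it matches the word that landed in
          the hostname slot, pushes that word back into the message.
    """
    rest, pri, date, host, program = line, None, None, None, None
    # 1. priority, decided on the first character
    if rest.startswith("<"):
        close = rest.find(">")
        if close > 1 and rest[1:close].isdigit():
            pri = int(rest[1:close])
            rest = rest[close + 1:]
    # 2. skip white space
    rest = rest.lstrip(" ")
    m = DATE_RE.match(rest)
    if m:
        # 3a. date present: skip white space, take first word up to ' ', ':' or '['
        date = m.group(0)
        rest = rest[m.end():].lstrip(" ")
        word, end = _first_word(rest, " :[")
        if end < len(rest) and rest[end] == " ":
            host = word                 # ended by a space: hostname
            rest = rest[end + 1:]
        else:
            program = word              # otherwise: program name, msg untouched
    else:
        # 3b. no date: first word up to ' ', '[', ':', '/', ',' or '<'
        program, _ = _first_word(rest, " [:/,<")

    # keep-hostname: keep the sender's word, or substitute the peer address
    final_host = host if (host is not None and keep_hostname) else peer
    # hypothetical missing-hostname(<pattern>): a matching "hostname" is
    # really the start of the message, so re-attach it and add the peer
    if host is not None and missing_hostname and re.match(missing_hostname, host):
        rest = host + " " + rest
        final_host = peer
    return LogMsg(pri, date, final_host, program, rest)


def render(m: LogMsg, received_at: str = "Jan 17 08:11:21") -> str:
    """Lay the message out the way the thread shows syslog-ng output."""
    return f"{m.date or received_at} {m.host} {m.msg}"


if __name__ == "__main__":
    print(render(parse_log_msg(ACL_LINE, "1.2.3.4")))
    print(render(parse_log_msg(ACL_LINE, "1.2.3.4", keep_hostname=False)))
    print(render(parse_log_msg(ACL_LINE, "1.2.3.4", missing_hostname=r"^%")))
    print(render(parse_log_msg(BIND_LINE, "10.0.0.5")))
    print(render(parse_log_msg(PAM_LINE, "hwdf0006")))
    print(render(parse_log_msg(GOOD_LINE, "10.0.0.5")))
```

With keep-hostname on, the SSR line comes out with "%ACL_LOG-I-DENY," in the hostname slot, exactly as described above; with keep-hostname off the peer address replaces it but the ACL keyword is lost from the message. The "^%" pattern is the only variant that reproduces what the Linux syslogd output in the thread shows, which is why the option only works if the pattern is chosen per source: a pattern like "^%" is safe for a box that never sends a hostname, and wrong for a relay whose upstream hosts do.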