[syslog-ng] Malformed Messages From syslogd

Keith Resar syslog-ng@lists.balabit.hu
Wed, 2 Apr 2003 15:45:39 -0500


I'm running a syslog-ng process which is receiving messages from
Solaris 6, 7, and 8 machines generated by the native Solaris syslogd,
some of which originate from routers and other networking
infrastructure.

Occasionally I get radically malformed messages, which syslog-ng
places in the wrong locations.  The file destination writes these
messages to $HOST/$PRIORITY, etc., but these variables consist of
this munged data.

Unfortunately, this forces me to manually clean out and remove the
directory structure the messages created.  Any ideas on how to
prevent this from happening in the first place?

I'm also concerned that a maliciously formed syslog packet could
cause syslog-ng to inadvertently overwrite system files.  For
example, if the file destination was:

	/var/log/$HOST/$PROCESS

And the expansion was:

	$HOST = "../../etc"
	$PROCESS = "passwd";

This system file could be overwritten.

Any comments or information on internal syslog-ng checks to reassure
me from worrying about this?

Thanks,
Keith Resar.

--
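As an added illustration of the check the post asks about (this is example code, not syslog-ng's own implementation): a Python model of the `/var/log/$HOST/$PROCESS` expansion that shows the unchecked path the post describes beside a hardened version which allow-lists each macro value and then confines the final path to the log directory. The template, the allow-list pattern and the `_malformed_` fallback directory are assumptions.

```python
import os
import re

# Constructed values mirroring the file destination from the post.
BASE_DIR = "/var/log"
TEMPLATE = "/var/log/$HOST/$PROCESS"

# Assumed allow-list: one path component made of the characters a legitimate
# hostname or program name contains. It cannot match "", ".", "..", anything
# with a slash, whitespace or control characters.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def expand(template, macros):
    """Expand $NAME macros verbatim; missing macros expand to an empty string."""
    return re.sub(r"\$([A-Z]+)", lambda m: macros.get(m.group(1), ""), template)


def naive_destination(template, macros):
    """The risky behaviour from the post: macro values go straight into the path,
    so a HOST of '../../etc' climbs out of the log tree."""
    return os.path.normpath(expand(template, macros))


def sanitize_component(value, fallback="_malformed_"):
    """Keep value only if it is a single safe path component; otherwise divert it
    to a fixed fallback directory so munged data stays inside the log tree."""
    return value if SAFE_COMPONENT.match(value) else fallback


def resolve_destination(template, macros, base_dir=BASE_DIR):
    """Hardened expansion: sanitise every macro, then verify the canonical path is
    still under base_dir. Returns (path, inside_base); the second value is a
    defence-in-depth check that should never be False after sanitising."""
    safe = {name: sanitize_component(val) for name, val in macros.items()}
    path = os.path.normpath(expand(template, safe))
    base = os.path.normpath(base_dir)
    inside = path == base or path.startswith(base + os.sep)
    return path, inside


if __name__ == "__main__":
    hostile = {"HOST": "../../etc", "PROCESS": "passwd"}
    print(naive_destination(TEMPLATE, hostile))      # /etc/passwd
    print(resolve_destination(TEMPLATE, hostile))    # ('/var/log/_malformed_/passwd', True)
```

The same confinement check applies to any other macro used in a path ($PRIORITY, $FACILITY and so on): sanitise each component, then compare the canonical result against the base directory before opening the file.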