[syslog-ng]syslog-ng misinterpreting messages from Enterasys
Routers.
Rule, Ted
syslog-ng@lists.balabit.hu
Wed, 30 Jul 2003 11:47:01 +0100
Dunno if you wanted to know, but I'll answer it anyway.
My simple fix was to change this:
options {
  chain_hostnames(no);
  keep_hostname (yes);
to this:
options {
  chain_hostnames(no);
  check_hostname(yes); # Added to fix SSR decode bug
  keep_hostname (yes); # Changed from yes to try and fix SSR decode bug
                       # now changed back following use of check_hostname...
in the Global Options settings... the default check_hostname code
hard-wired in the source was sufficient to avoid the problem of misinterpretation, even
on my old v1.5.24 code at the time.
i.e. this bit of code was effectively enabled, causing it to skip over the %CONS-W-BADPASSWD
string by dint of it not being deemed a valid hostname character:
while (left && *src != ' ' && *src != ':' && *src != '[') {
        if (lm->flags & LF_CHECK_HOSTNAME &&
            !((*src >= 'A' && *src <= 'Z') ||
              (*src >= 'a' && *src <= 'z') ||
              (*src >= '0' && *src <= '9') ||
              *src == '-' || *src == '_' ||
              *src == '.' || *src == ':' ||
              *src == '@' || *src == '/')) {
                break;
        }
        src++;
        left--;
}
Ted
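To make the effect of that loop concrete, here is an added stand-alone C example (not syslog-ng's own code) that reimplements the hostname heuristic on the text following the timestamp and runs it over three constructed sample bodies: an Enterasys-style line, a Cisco-style line and a plain Unix line. The character class is the one from the quoted loop; the rule that a token only counts as a hostname when the scan stops on a space (and is the program name when it stops on ':' or '[') is an assumption about how the loop's result is used, not something the mail states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The character class the LF_CHECK_HOSTNAME test in the quoted loop accepts. */
static bool is_hostname_char(char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '_' ||
           c == '.' || c == ':' || c == '@' || c == '/';
}

/*
 * Apply the hostname heuristic to the text that follows the
 * "Mmm dd hh:mm:ss " timestamp of a syslog line.  The scanning loop
 * mirrors the one quoted in the mail: advance until a space, ':' or '['
 * and, with check_hostname on, stop at the first character that is not
 * a valid hostname character.
 *
 * Assumption (not stated in the mail): the scanned token counts as a
 * hostname only when the loop stopped on a space; stopping on ':' or '['
 * means the token was the program name, and stopping anywhere else means
 * there was no hostname at all.
 *
 * Returns the number of bytes taken as the hostname (0 = none) and copies
 * it, NUL-terminated and truncated to hostlen, into host.
 */
size_t extract_hostname(const char *body, bool check_hostname,
                        char *host, size_t hostlen)
{
    const char *src = body;
    size_t left = strlen(body);

    while (left && *src != ' ' && *src != ':' && *src != '[') {
        if (check_hostname && !is_hostname_char(*src))
            break;              /* e.g. the '%' of %CONS-W-BADPASSWD */
        src++;
        left--;
    }

    if (left && *src == ' ' && src != body) {
        size_t n = (size_t)(src - body);
        size_t copy = n < hostlen - 1 ? n : hostlen - 1;
        memcpy(host, body, copy);
        host[copy] = '\0';
        return n;
    }
    host[0] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample bodies, timestamp already stripped. */
    const char *samples[] = {
        "%CONS-W-BADPASSWD, incorrect password",                               /* Enterasys SSR style */
        "10677: Jan 23 10:30:43 GMT: %SYS-5-CONFIG_I: Configured from console", /* Cisco style */
        "router1 sshd[123]: Accepted publickey for admin",                     /* plain Unix style */
    };
    char host[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        for (int check = 0; check <= 1; check++) {
            size_t n = extract_hostname(samples[i], check, host, sizeof host);
            printf("check_hostname(%s): %-50.50s -> %s\n",
                   check ? "yes" : "no", samples[i],
                   n ? host : "(no hostname)");
        }
    }
    return 0;
}
```

With check_hostname off, the Enterasys body yields the bogus hostname "%CONS-W-BADPASSWD," and the message text is mangled exactly as in the log line quoted below; with it on, the '%' stops the scan at once and the whole body stays in the message. The Cisco body is rejected either way because "10677" is terminated by ':' and is therefore read as a program name, which is why that host's name has to come from DNS rather than from the packet. Note that the check is purely syntactic: a message whose first word happens to consist only of hostname characters followed by a space would still be taken as a hostname.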
-----Original Message-----
From: "Urmas Jagomann" <urmas@eyp.ee>@FLEXTECH
Sent: Wednesday 30 July 2003 10:06
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]syslog-ng misinterpreting messages from Enterasys Routers.

Regards,
Urmas Jagomann
6655424
----- Original Message -----
From: <Ted_Rule@flextech.co.uk>
To: <syslog-ng@lists.balabit.hu>
Sent: Thursday, January 23, 2003 2:21 PM
Subject: [syslog-ng]syslog-ng misinterpreting messages from Enterasys
Routers.
>
>
> Having finally bitten the bullet and installed syslog-ng ( libol-0.3.6 /
> syslog-ng-1.5.24 ),
> I've only come across one problem... syslog messages from our Enterasys
Routers
> are being
> corrupted. All Unix and Cisco messages appear Ok.
>
> As an example, these raw packets from an SSR and a Cisco:
>
> tcpdump -s 512 -x -e -l -n udp and port 514 and host fttv-gps-core-ssrA |
> tcpdumpascii.pl
> tcpdump: listening on eth0
> 10:29:54.111864 0:e0:63:93:25:bf 0:50:8b:f3:93:46 ip 100:
192.168.32.11.4739 >
> 172.17.12.6.syslog: udp 58
> 4500 0056 73a2 0000 3f11 6f2a c0a8 200b E..Vs...?.o*.. .
> ac11 0c06 1283 0202 0042 b5ba 3c31 3838 .........B..<188
> 3e4a 616e 2032 3320 3130 3a32 393a 3533 >Jan 23 10:29:53
> 2025 434f 4e53 2d57 2d42 4144 5041 5353 %CONS-W-BADPASS
> 5744 2c20 696e 636f 7272 6563 7420 7061 WD, incorrect pa
> 7373 776f 7264 ssword
>
> 1 packets received by filter
> 0 packets dropped by kernel
>
> tcpdump -s 512 -x -e -l -n udp and port 514 and host
gps-enterprise-cisco-e0 |
> tcpdumpascii.pl
> tcpdump: listening on eth0
> 10:30:44.037939 0:10:7b:80:f:fb 0:50:8b:f3:93:46 ip 138: 172.17.8.76.8800
>
> 172.17.12.6.syslog: udp 96
> 4500 007c 29b5 0000 ff11 2547 ac11 084c E..|).....%G...L
> ac11 0c06 2260 0202 0068 187a 3c31 3839 ...."`...h.z<189
> 3e31 3036 3737 3a20 4a61 6e20 3233 2031 >10677: Jan 23 1
> 303a 3330 3a34 3320 474d 543a 2025 5359 0:30:43 GMT: %SY
> 532d 352d 434f 4e46 4947 5f49 3a20 436f S-5-CONFIG_I: Co
> 6e66 6967 7572 6564 2066 726f 6d20 636f nfigured from co
> 6e73 6f6c 6520 6279 2076 7479 3020 2831 nsole by vty0 (1
> 3732 2e31 372e 3132 2e37 3229 72.17.12.72)
>
>
> Resulting in this in the log:
>
> Jan 23 10:29:53 %CONS-W-BADPASSWD, incorrect password
> Jan 23 10:30:44 gps-enterprise-cisco-e0 10677: Jan 23 10:30:43 GMT:
> %SYS-5-CONFIG_I: Configured from console by vty0 (172.17.12.72)
>
>
> It looks as if syslog-ng is assuming %CONS-W-BADPASSWD is a
hostname....and the
> Cisco message picks up a hostname via DNS, which
> is NOT included in the packet.
>
>
> I note the version 1.5.25 has a bad_hostname() option. Is it possible that this
> may be used to alleviate this issue, or is some other workaround
> needed? I'm guessing "keep_hostname(no)" might fix it, but would that
> potentially lead to other problems? Is there a summary of the algorithm
> which syslog-ng uses to determine whether the message contains a hostname?
>
>
>
> Current Options settings laid out below.
>
>
> ...............
>
> # Global Options Settings
> options {
> chain_hostnames(no);
> keep_hostname (yes);
> use_dns (yes);
> use_fqdn (no);
> long_hostnames (off);
> dns_cache(yes);
> dns_cache_size(100);
> dns_cache_expire(600);
> dns_cache_expire_failed(120);
>
> create_dirs (no);
> dir_owner(root);
> dir_group(root);
> dir_perm(0755);
> owner(root);
> group(root);
> perm(0600);
>
> stats(120);
>
> sync(10);
> time_reopen (10);
> time_reap(20);
>
> use_time_recvd(no);
>
> log_fifo_size (1000);
> log_msg_size (1024);
>
> gc_idle_threshold(100); ### default 100
> gc_busy_threshold(3000); ### default 3000
> };
>
> ...............
>
>
> Thanks,
>
>
> Ted
************************************************************************************************
This E-mail message, including any attachments, is intended only for the person
or entity to which it is addressed, and may contain confidential information.
If you are not the intended recipient, any review, retransmission, disclosure,
copying, modification or other use of this E-mail message or attachments is
strictly forbidden.
If you have received this E-mail message in error, please contact the author and
delete the message and any attachments from your computer.
You are also advised that the views and opinions expressed in this E-mail
message and any attachments are the author's own, and may not reflect the views
and opinions of FLEXTECH Television Limited.
************************************************************************************************