[syslog-ng]bug report: unparsable UDP syslog message

Thomas Morin syslog-ng@lists.balabit.hu
Mon, 22 Sep 2003 11:21:35 +0200


Hi,

First of all I'd like to say I'm impressed by syslog-ng. I think this is
a great piece of software: powerful, configurable and elegant. Thanks for
making it free software!

That said, I hope a little bug report can improve the thing.. :)

Context: I'm using a syslog plugin written for the log4j package 
(java logging) to send syslog messages to a central log host 
(syslog-ng 1.6.0rc3).

There is one case where some messages are not properly read by syslog-ng and
trigger "unparsable log message" errors, though they seem to be properly
formed syslog messages.

The precise packets triggering this case [tcpdump and ethereal helped me a lot
here] are UDP syslog packets which are not terminated by a NULL byte, but
which contain one or many NEWLINE bytes inside the message, and after some of
those NEWLINES we find a '<' character (actually because log4j is used to dump
some xml formatted data):

<xx>javaProgram: here is the dump:\n<xml stuff>\n<foo/></xml>

The same UDP datagram with a NULL byte in the end doesn't trigger the
"unparseable log message" error.

The code in src/sources.c (lines 112-120) seems to use the first newline char
as the end of line if it doesn't find a '\0', even if this newline char is not
the end of our packet. This makes the < of '<xml' be seen as the start of a
syslog message, and syslog-ng then tries to interpret '<xml stuff>' as a
syslog standard prefix, which of course fails, so we get this "unparseable log
message" error. At least, that's what I would conclude, but I'm not a C expert,
nor very knowledgeable about syslog-ng.

If I read the RFC correctly, not terminating a syslog message by a NULL byte is
fine, so I would say this is a syslog-ng bug.

I hope the information provided can help you correct this bug.

Cheers,

-Thomas

PS: this report was already sent a few days ago, but I wasn't subscribed at
the time, and the mail was moderated/filtered, and hasn't reached the list yet...

-- 
== Thomas Morin
== PGP Id:8CEA233D   Key FP:503BF6CFD3AE8719377B832A02FB94E08CEA233D
--
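
The framing difference described in this report, as an added example (not syslog-ng's source and not part of the original message): stream-style splitting at the first newline turns one UDP datagram into several records, while datagram framing keeps it as one. All function names are hypothetical, and the sample payload is constructed from the shape shown in the report with an assumed `<14>` priority.

```c
#include <string.h>

/* Constructed sample; sizeof(SAMPLE) includes the NUL, sizeof - 1 omits it. */
const char SAMPLE[] =
    "<14>javaProgram: here is the dump:\n<xml stuff>\n<foo/></xml>";

/* Stream-style framing as the report describes it: cut at the first NUL,
 * or failing that at the first newline. Returns the record length. */
size_t frame_stream_style(const char *buf, size_t len)
{
    const char *end = memchr(buf, '\0', len);
    if (!end)
        end = memchr(buf, '\n', len);
    return end ? (size_t)(end - buf) : len;
}

/* Datagram framing: one UDP packet is one message; trim only trailing
 * NUL/newline bytes and keep embedded newlines as message content. */
size_t frame_datagram_style(const char *buf, size_t len)
{
    while (len > 0 && (buf[len - 1] == '\0' || buf[len - 1] == '\n'))
        len--;
    return len;
}

/* 1 if the record starts with a syslog priority: '<', 1-3 digits, '>'. */
int has_pri(const char *buf, size_t len)
{
    size_t i = 1;
    if (len < 3 || buf[0] != '<')
        return 0;
    while (i < len && i <= 3 && buf[i] >= '0' && buf[i] <= '9')
        i++;
    return i > 1 && i < len && buf[i] == '>';
}

/* Split one datagram stream-style and count records without a valid PRI. */
int unparsable_records(const char *buf, size_t len)
{
    int bad = 0;
    while (len > 0) {
        size_t n = frame_stream_style(buf, len);
        bad += (n > 0 && !has_pri(buf, n));   /* e.g. "<xml stuff>" */
        if (n == len)
            break;
        buf += n + 1;                         /* skip the delimiter byte */
        len -= n + 1;
    }
    return bad;
}
```

Without the trailing NUL the stream-style splitter yields two records that fail the priority check; with it, or with datagram framing, the packet stays one well-formed message.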