[syslog-ng] Escaping problem using pipe to send to databases

strerror strerror at disciplina.net
Sun Jan 22 18:21:01 CET 2006


heya,

I've currently got a problem that I'd have thought other people have run into,
but all my googling / searching hasn't come up with anything. I'm currently
sending my logs to a mysql database (but I believe the problem is generic to
any db) with what seems to be the normal configuration, e.g.:

destination db {
        pipe("/var/log/mysql.pipe"
                template("INSERT INTO logs
                (host, facility, priority, level, tag, datetime, program, msg)
                VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG',
                '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC',
                '$PROGRAM', '$MSG' );\n") template-escape(yes));
};

The logging all works fine in normal situations. The problem I have is that I
have some unusual applications, like OpenCA (www.openca.org), that do weird
logging; in the case of OpenCA, dumping XML-type logs into syslog. The result
of this is that it seems to completely break the pipe, as mysql immediately
complains that the syntax is not valid SQL and the pipe effectively dies.
What's particularly frustrating is that the pipe-invoking script is still up
and running, so it's not like I can easily write a quick script to check for
the condition and restart it. I've noticed that this problem can also occur
with the odd hostname for my DNS server as well. In short, as far as I can
see, anyone who is dumping syslogs into a db using pipe would be vulnerable
to someone using "logger" to dump a nastily formatted message and then having
their pipe collapse. I realise that you can send the syslog to an external
program (I rewrote parts of sqlsyslogd.c before using the above
syslog-ng.conf) and have it sanitise the input before injecting it into the
db, but as documented, there are reasons, mainly performance, why you'd
want to avoid that mechanism. So my question to the list is: is there a nice,
elegant way of avoiding badly written applications / malicious users
injecting broken-looking entries and causing the pipe to die?

ttia,

-- 
strerror
http://www.disciplina.net
Fingerprint: B6A5 CD59 E6E7 5E71 D387 937A A4EF 4495 5865 0E8F
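As an added illustration (not part of the post or of syslog-ng), the script below emulates what the template above writes to the pipe under the documented template-escape(yes) behaviour (a backslash before ', " and \), and then applies the check a pipe consumer can run before handing a line to mysql: accept only lines that have exactly the shape the template produces, and quarantine everything else so a single malformed line cannot abort the reader. The field values, the XML-style message and the "message carrying a literal newline" case are constructed, and the check assumes one statement per line, which is what the template's trailing \n gives.

```python
import re

# The poster's template, one statement per line (the template ends in \n).
TEMPLATE = ("INSERT INTO logs "
            "(host, facility, priority, level, tag, datetime, program, msg) "
            "VALUES ( '{host}', '{facility}', '{priority}', '{level}', '{tag}', "
            "'{datetime}', '{program}', '{msg}' );")

def template_escape(value):
    """Emulate template-escape(yes): prefix ', " and \\ with a backslash."""
    return re.sub(r"(['\"\\])", r"\\\1", value)

def render_insert(fields):
    """Render the statement syslog-ng would write to the pipe (emulation, assumption)."""
    return TEMPLATE.format(**{k: template_escape(v) for k, v in fields.items()})

# One MySQL single-quoted literal: no bare quote, backslash or newline inside.
QUOTED = r"'(?:[^'\\\n]|\\.)*'"
STATEMENT = re.compile(
    r"^INSERT INTO logs \(host, facility, priority, level, tag, datetime, "
    r"program, msg\) VALUES \( " + ", ".join([QUOTED] * 8) + r" \);$")

def is_well_formed(stmt):
    """True only if the line has exactly the shape the template produces."""
    return STATEMENT.match(stmt) is not None

def guard(lines):
    """Split pipe lines into (forward, quarantine); a bad line never reaches mysql."""
    forward, quarantine = [], []
    for line in lines:
        (forward if is_well_formed(line.rstrip("\n")) else quarantine).append(line)
    return forward, quarantine

# Constructed sample fields: an XML-style message with quotes, as OpenCA might log.
SAMPLE_FIELDS = {"host": "ca-01.example", "facility": "local0", "priority": "info",
                 "level": "info", "tag": "8e", "datetime": "2006-01-22 18:21:01",
                 "program": "openca", "msg": '<log level="info">it\'s ok</log>'}

def demo_lines():
    """Constructed pipe traffic: one good statement, then a message that carried
    a literal newline and so arrives as two lines, neither of which is a statement."""
    good = render_insert(SAMPLE_FIELDS)
    split = render_insert({**SAMPLE_FIELDS, "msg": "<openca>\n</openca>"}).split("\n")
    return [good + "\n"] + [part + "\n" for part in split]

if __name__ == "__main__":
    ok, bad = guard(demo_lines())
    print(f"forward {len(ok)}, quarantine {len(bad)}")
```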