[syslog-ng] incorrect firewall logs with syslogng-2.0.0 [security error?]

Jacek Kalinski jacek_kal at o2.pl
Thu Nov 30 00:31:34 CET 2006


Hello,

After upgrading from syslogng-1.6.11 to 2.0.0 I've got strange
messages in the /var/log/messages file:

Nov 29 08:14:05 denise WINDOW=16985 RES=0x00 ACK URGP=0
Nov 29 11:10:19 denise PT=34536 WINDOW=16985 RES=0x00 ACK URGP=0
Nov 29 16:42:16 denise W=0 RES=0x00 RST URGP=0
Nov 29 21:37:15 denise 116 ID=34901 DF PROTO=TCP SPT=3584 DPT=80
WINDOW=65535 RES=0x00 ACK FIN URGP=0

These are truncated iptables logs.
Because the firewall.log file contains entries similar to the truncated ones, I
think the full line should be:
Nov 29 11:10:19 denise firewallp=INVALID:1 a=DROP IN=eth1 OUT=
MAC=00:30:4f:36:2b:dc:00:04:9a:2c:7f:20:08:00 SRC=193.41.230.81
DST=xxx.xxx.xxx.x LEN=576 TOS=0x00 PREC=0x00 TTL=117 ID=3495 PROTO=TCP
SPT=443 DPT=34536 WINDOW=16985 RES=0x00 ACK URGP=0
(xxx.xxx.xxx.x is a real server IP address - one 'x' is one digit)

Config file with interesting lines:
options { dir_perm(0700); perm(0600); chain_hostnames(no); stats(1200);
          keep_hostname(yes); dir_owner(root); dir_group(root);
owner(root); group(root); };

source local {
        unix-stream("/dev/log" max_connections(300)); file("/proc/kmsg");
#        udp(ip(0.0.0.0) port(514));
        internal();
};
# .....
#       authpriv.none;cron.none;mail.none;news.none -/var/log/messages

filter f_2 {
        not facility(news);
};

filter f_3 {
        not facility(local5);
};

filter f_4 {
        not facility(local6);
};

filter f_5 {
        not facility(authpriv);
};

filter f_6 {
        not facility(cron);
};

filter f_7 {
        not facility(mail);
};

filter f_notlocal7 {
        not facility(local7);
};

filter f_notfirewall {
        not match("firewallp=");
};

destination d_2 {
        file("/var/log/messages" create_dirs(yes));
};

log { source(local); filter(f_2); filter(f_4); filter(f_5); filter(f_6);
filter(f_7); filter(f_notimapd); filter(f_notpopa3d);
filter(f_notnamed); filter(f_notfirewall); destination(d_2); };

#.....
# firewallp.*                                             -/var/log/firewall.log

filter f_16 {
        level(warning) and match("firewallp=");
};

destination d_12 {
        file("/var/log/firewall.log" create_dirs(yes));
};

log { source(local); filter(f_16); destination(d_12); };

#.....

Do you know where the error could be? It is a production server so I
can't debug syslog-ng on this machine (sorry).
NOTE: the only truncated lines I can find are iptables (AFAIR they are
logged via /proc/kmsg) entries. All other lines are complete. And it is
probably a critical security error.

PS: simple statistics line from syslog-ng:
Nov 30 00:00:06 denise syslog-ng[32682]: Log statistics;
dropped='pipe(/dev/tty12)=0', processed='center(queued)=758289',
processed='center(received)=369020',
processed='destination(d_maillogimapd)=4245',
processed='destination(d_5)=1', processed='destination(d_4)=0',
processed='destination(d_3)=14259', processed='destination(d_2)=14259',
processed='destination(d_13)=0', processed='destination(d_1)=6000',
processed='destination(d_12)=6000',
processed='destination(d_11)=369020', processed='destination(d_10)=36',
processed='destination(d_8)=0',
processed='destination(d_maillogpopa3d)=103224',
processed='destination(d_7)=241245', processed='destination(d_6)=0',
processed='source(local)=369020'
I think you see that it could be a little hard to debug (with so many
messages parsed by syslog-ng) ;)

Jacek
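The two filters in the configuration above both key on the message text: f_notfirewall keeps anything without "firewallp=" in /var/log/messages, and f_16 sends anything with it to /var/log/firewall.log. A netfilter record whose beginning has been cut off therefore loses the prefix too, so it escapes f_notfirewall and never reaches firewall.log. The script below is an added example, not code from the post or from syslog-ng: it scans syslog-format lines, flags records that carry the TCP trailer fields (WINDOW=, RES=, URGP=) without the IN=/OUT=/SRC=/DST= head that the kernel LOG target always emits, and reports which of those landed in the wrong file under the post's filters. The sample lines are constructed from the ones quoted in the post (the masked DST is replaced with the documentation address 192.0.2.1), and the level(warning) half of f_16 is assumed true because flat log files carry no priority.

```python
import re
from collections import Counter

# Constructed sample: the four truncated lines quoted in the post, the complete
# firewall line reconstructed there (DST replaced by 192.0.2.1, a documentation
# address), and one ordinary non-firewall message for contrast.
SAMPLE_LINES = [
    "Nov 29 08:14:05 denise WINDOW=16985 RES=0x00 ACK URGP=0",
    "Nov 29 11:10:19 denise PT=34536 WINDOW=16985 RES=0x00 ACK URGP=0",
    "Nov 29 16:42:16 denise W=0 RES=0x00 RST URGP=0",
    "Nov 29 21:37:15 denise 116 ID=34901 DF PROTO=TCP SPT=3584 DPT=80 "
    "WINDOW=65535 RES=0x00 ACK FIN URGP=0",
    "Nov 29 11:10:19 denise firewallp=INVALID:1 a=DROP IN=eth1 OUT= "
    "MAC=00:30:4f:36:2b:dc:00:04:9a:2c:7f:20:08:00 SRC=193.41.230.81 "
    "DST=192.0.2.1 LEN=576 TOS=0x00 PREC=0x00 TTL=117 ID=3495 PROTO=TCP "
    "SPT=443 DPT=34536 WINDOW=16985 RES=0x00 ACK URGP=0",
    "Nov 29 12:00:00 denise sshd[1234]: Accepted publickey for admin from 192.0.2.2",
]

# Classic BSD syslog line: "Mon DD HH:MM:SS host message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
# Fields the netfilter LOG target writes at the start of every record.
HEAD_FIELDS = ("IN=", "OUT=", "SRC=", "DST=")
# TCP trailer fields; seeing these without the head fields means the start was lost.
TAIL_RE = re.compile(r"\b(WINDOW=\d+|RES=0x[0-9a-fA-F]{2}|URGP=\d+)\b")
# The --log-prefix the post's rules use (assumed from the quoted lines).
LOG_PREFIX = "firewallp="


def split_line(line):
    """Return (timestamp, host, message) for one syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    return m.group("ts"), m.group("host"), m.group("msg")


def classify(msg):
    """'complete' if head and tail fields are present, 'truncated' if only
    the trailer survived, 'other' for anything that is not a netfilter record."""
    has_tail = TAIL_RE.search(msg) is not None
    has_head = all(f in msg for f in HEAD_FIELDS)
    if has_tail and has_head:
        return "complete"
    if has_tail:
        return "truncated"
    return "other"


def route(msg):
    """Destination file under the post's filters: f_notfirewall guards
    /var/log/messages and f_16 guards /var/log/firewall.log, both by
    matching on the prefix text (priority is not in the flat file, so the
    level(warning) clause is assumed to hold)."""
    return "/var/log/firewall.log" if LOG_PREFIX in msg else "/var/log/messages"


def audit(lines):
    """Count record kinds and collect truncated firewall records that the
    prefix filter let through into /var/log/messages."""
    counts = Counter()
    misrouted = []
    for line in lines:
        _, _, msg = split_line(line)
        kind = classify(msg)
        counts[kind] += 1
        if kind == "truncated" and route(msg) == "/var/log/messages":
            misrouted.append(line)
    return dict(counts), misrouted


if __name__ == "__main__":
    counts, misrouted = audit(SAMPLE_LINES)
    print("record kinds:", counts)
    for line in misrouted:
        print("truncated firewall record in messages:", line)
```

Run against a real /var/log/messages by replacing SAMPLE_LINES with the file's lines; a non-zero "truncated" count confirms that the firewall prefix is being lost before syslog-ng's filters see it, and the misrouted list is exactly what a search for "firewallp=" would miss.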
