[syslog-ng] problems with Cisco WiFi controller syslog messages
Poley, Jason
jpoley at co.santa-barbara.ca.us
Fri Jul 20 18:32:34 CEST 2007
Well, I seem to be doing something wrong with patch...
I created a patch file from the enclosed update, starting from the 'diff'
line down to the end (not including your sig of course). I then run patch
and see the following output...
-------------<paste>-----------
[jpoley at ITS-syslog src]$ patch -p2 -b -i patchfile
patching file logmsg.c
Hunk #1 succeeded at 229 with fuzz 1.
missing header for unified diff at line 56 of patch
can't find file to patch at input line 56
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
| {
| /* RFC 3164 timestamp, expected format: MMM DD HH:MM:SS ... */
| struct tm tm, *nowtm;
|+ glong usec = 0;
|
| /* Just read the buffer data into a textual
| datestamp. */
|+
|
| g_string_assign_len(&self->date, src, 15);
| src += 15;
| left -= 15;
|
|+ if (left > 0 && src[0] == '.')
|+ {
|+ gulong frac = 0;
|+ gint div = 1;
|+ gint i = 1;
|+
|+ /* gee, funny Cisco extension, BSD timestamp with fraction of
|+ second support */
|+
|+ while (i < left && div < 10e6 && isdigit(src[i]))
|+ {
|+ frac = 10 * frac + (src[i]) - '0';
|+ div = div * 10;
|+ i++;
|+ }
|+ usec = frac * (1000000 / div);
|+ left -= i;
|+ src += i;
|+ }
|+
| /* And also make struct time timestamp for the msg */
|
| nowtm = localtime(&now);
--------------------------
File to patch: logmsg.c
patching file logmsg.c
Hunk #1 succeeded at 313 with fuzz 1 (offset -26 lines).
------------<end paste>------------
I then ran diff to see if it worked correctly and it seems that only one
line changed?
--------<paste>---------
[jpoley at ITS-syslog src]$ diff logmsg.c logmsg.c.orig
295c295
< self->stamp.time.tv_usec = usec;
---
> self->stamp.time.tv_usec = 0;
[jpoley at ITS-syslog src]$
--------<end paste>---------
What am I doing wrong?
JDP
---------------------------------
Jason D Poley
Network Tech
GS ITS Network
County of Santa Barbara
805.568.2680
jpoley at co.santa-barbara.ca.us
-----Original Message-----
From: Balazs Scheidler [mailto:bazsi at balabit.hu]
Sent: Thursday, July 19, 2007 2:25 PM
To: Syslog-ng users' and developers' mailing list
Cc: Poley, Jason
Subject: RE: [syslog-ng] problems with Cisco WiFi controller syslog messages
On Thu, 2007-07-19 at 11:09 -0700, Poley, Jason wrote:
> Bazsi,
>
> So I finally got around to the upgrade this morning (now on 2.0.4), only one
> month later...
>
> Is it possible you can help with these obviously non-standard Cisco syslog
> timestamps?
The attached patch should do it. Please report back if it indeed worked,
I could only test it with a small unit test program. While doing this
I've also found a minor issue with fraction support on ISO timestamps,
an integer overflow could have caused an invalid value, if second
fraction was specified with more than 4 digits, because the formula:
usec = frac * 1000000 / div
could overflow, whenever frac is over 4294 (2^32/10e6). After using
proper parentheses, the issue is gone.
diff --git a/src/logmsg.c b/src/logmsg.c
index 4ea6fb0..2ab8ae1 100644
--- a/src/logmsg.c
+++ b/src/logmsg.c
@@ -229,13 +229,13 @@ log_msg_parse(LogMessage *self, gchar *data, gint
length, guint flags, regex_t *
/* process second fractions */
p++;
- while (isdigit(*p))
+ while (div < 10e6 && isdigit(*p))
{
frac = 10 * frac + (*p) - '0';
div = div * 10;
p++;
}
- self->stamp.time.tv_usec = frac * 1000000 / div;
+ self->stamp.time.tv_usec = frac * (1000000 / div);
}
if (p && (*p == '+' || *p == '-') && strlen(p) == 6 &&
isdigit(*(p+1)) && isdigit(*(p+2)) && *(p+3) == ':' &&
isdigit(*(p+4)) && isdigit(*(p+5)))
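Review bot: The bound `div < 10e6` on the added while line is one digit too loose: `10e6` is 10,000,000, so a seventh fraction digit is accepted and `div` reaches 10000000, at which point an integer `1000000 / div` is 0 and `tv_usec` is set to 0 instead of the truncated fraction. Suggest `div < 1000000`, and keep advancing `p` over any further digits without accumulating them, because the timezone test that follows this block expects `*p` to be `+` or `-` and will not match if `p` is left on a digit. The declaration of `div` is outside this hunk, so this assumes it is an integer type.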
@@ -298,14 +298,35 @@ log_msg_parse(LogMessage *self, gchar *data, gint
length, guint flags, regex_t *
{
/* RFC 3164 timestamp, expected format: MMM DD HH:MM:SS ... */
struct tm tm, *nowtm;
+ glong usec = 0;
/* Just read the buffer data into a textual
datestamp. */
+
g_string_assign_len(&self->date, src, 15);
src += 15;
left -= 15;
+ if (left > 0 && src[0] == '.')
+ {
+ gulong frac = 0;
+ gint div = 1;
+ gint i = 1;
+
+ /* gee, funny Cisco extension, BSD timestamp with fraction of
second support */
+
+ while (i < left && div < 10e6 && isdigit(src[i]))
+ {
+ frac = 10 * frac + (src[i]) - '0';
+ div = div * 10;
+ i++;
+ }
+ usec = frac * (1000000 / div);
+ left -= i;
+ src += i;
+ }
+
/* And also make struct time timestamp for the msg */
nowtm = localtime(&now);
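Review bot: When the loop in the new `src[0] == '.'` block stops on the `div < 10e6` bound rather than on a non-digit, the remaining fraction digits are left at `src` and will be parsed as the start of whatever field follows the timestamp; consume every digit of the fraction and accumulate only the first six. With `gint div`, that bound also lets a seventh digit through, so `1000000 / div` is 0 and `usec` ends up 0 for a seven-digit fraction. `isdigit(src[i])` should take `(unsigned char) src[i]`, since `src` carries bytes from the received message and a negative `char` value is undefined behaviour for `isdigit`. The comment `expected format: MMM DD HH:MM:SS` could also mention the optional fraction now that the branch accepts it.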
@@ -318,7 +339,7 @@ log_msg_parse(LogMessage *self, gchar *data, gint
length, guint flags, regex_t *
/* NOTE: no timezone information in the message, assume it is local
time */
self->stamp.time.tv_sec = mktime(&tm);
- self->stamp.time.tv_usec = 0;
+ self->stamp.time.tv_usec = usec;
self->stamp.zone_offset =
get_local_timezone_ofs(self->stamp.time.tv_sec); /* assume local timezone */
}
--
Bazsi
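
The fraction arithmetic discussed in the quoted message, as an added example (not code from the post or from syslog-ng). It assumes a 32-bit accumulator; the function names and sample strings are constructed, and `usec_six_digits` is a hypothetical tightened variant, not part of the patch.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-patch formula, unbounded as in the removed lines: frac * 1000000 wraps. */
uint32_t usec_unpatched(const char *p)
{
    uint32_t frac = 0, div = 1;
    for (; isdigit((unsigned char)*p); p++) {
        frac = 10 * frac + (uint32_t)(*p - '0');
        div *= 10;
    }
    return frac * 1000000u / div;   /* product is reduced modulo 2^32 */
}

/* Loop bound and formula as posted in the patch: 10e6 is 10,000,000. */
uint32_t usec_as_posted(const char *p)
{
    uint32_t frac = 0;
    int div = 1;
    for (; div < 10e6 && isdigit((unsigned char)*p); p++) {
        frac = 10 * frac + (uint32_t)(*p - '0');
        div *= 10;
    }
    return frac * (uint32_t)(1000000 / div);   /* 0 once div reaches 10^7 */
}

/* Hypothetical variant: accumulate six digits, skip (but count) the rest. */
uint32_t usec_six_digits(const char *p, int *consumed)
{
    uint32_t frac = 0, div = 1;
    int i = 0;
    for (; isdigit((unsigned char)p[i]); i++) {
        if (div < 1000000u) {
            frac = 10 * frac + (uint32_t)(p[i] - '0');
            div *= 10;
        }
    }
    *consumed = i;                  /* caller advances past the whole fraction */
    return frac * (1000000u / div);
}

int main(void)
{
    const char *s[] = { "4294", "4295", "12345", "1234567" };  /* constructed */
    for (int k = 0, n; k < 4; k++)
        printf("%s: %u %u %u\n", s[k], (unsigned)usec_unpatched(s[k]),
               (unsigned)usec_as_posted(s[k]), (unsigned)usec_six_digits(s[k], &n));
    return 0;
}
```
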