[syslog-ng] Bug: Numeric digits stripped from source hostname and time mangled.

Christopher Cashell ChristopherCashell at solutionary.com
Wed Apr 9 17:58:56 CEST 2008


[Apologies if this has been reported before, but I couldn't find any
mention of it.  Also, my apologies if this shows up twice.  I sent it 
yesterday, but after 24 hours, it hasn't hit the list yet, so I'm 
resending.]

It appears that Syslog-NG 2.0.x (tested with 2.0.9) will mangle the
originating source hostname when that hostname begins with digits, and
this also causes errors with date/time handling.

Verified with Syslog-NG 2.0.9 on Red Hat Enterprise Linux 3

To duplicate and display the bug (destination(d_log_expanded) and
template added to more easily display what's going on):


[root at logbox syslog-ng]# cat syslog-ng.conf
options {
    sync(0);
    chain_hostnames(yes); };

source s_net      { tcp(); };
destination d_log { file("/tmp/test.log") ; };
destination d_log_expanded { file("/tmp/test-long.log" template("Date:
$DATE, Sender Unixtime: $S_UNIXTIME, Receiver Unixtime: $R_UNIXTIME,
Host: $FULLHOST Message: $MSGONLY\n") template_escape(no)) ; };

log { source(s_net); destination(d_log); };
log { source(s_net); destination(d_log_expanded); };


[root at logbox tmp]# cat /tmp/problem-log
<0d>Mar 31 04:41:57 1234-xxxx/192.168.1.1 TestLog: This is a test log
that includes the relevant bits of the original log, before Syslog-NG
mangles them: "Mar 31 04:41:57 1234-xxxx/192.168.1.1 TestLog: This is a
test log. . ."


[root at logbox tmp]# cat < /tmp/problem-log | nc localhost 514
[root at logbox tmp]# tail -1 *.log
==> test.log <==
Dec 31 17:59:59 -xxxx/192.168.1.1/localhost TestLog: This is a test log
that includes the relevant bits of the original log, before Syslog-NG
mangles them: "Mar 31 04:41:57 1234-xxxx/192.168.1.1 TestLog: This is a
test log. . ."

==> test-long.log <==
Date: Dec 31 17:59:59, Sender Unixtime: -1, Receiver Unixtime:
1207676046, Host: -xxxx/192.168.1.1/localhost Message: This is a test
log that includes the relevant bits of the original log, before
Syslog-NG mangles them: "Mar 31 04:41:57 1234-xxxx/192.168.1.1 TestLog:
This is a test log. . ."


You can see from the above that the '1234' is being stripped from the
originating hostname '1234-xxxx', and the sender timestamp is then being
mangled to -1.  It appears to only pull the first 4 numbers from the
source hostname (assuming there are more numbers, such as
'123456-xxxx'), and it only happens when the hostname starts
numerically.  If you add a non-numeric character to the beginning part
of the hostname, it is handled correctly (such as 'z1234-xxxx' or
'12z34-xxxx').


-- 
Christopher Cashell
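As an added example (not part of the report or of syslog-ng itself): a strict RFC 3164 header parser that keeps a digit-leading hostname intact, plus a check over lines written by the d_log_expanded template above that flags the two symptoms shown in the report, a negative $S_UNIXTIME and a $FULLHOST whose leading digits are gone. Function names, the PRI value and the healthy sample line are constructed for the example.

```python
import re
from typing import Optional

# RFC 3164 header: "<PRI>Mmm dd hh:mm:ss HOST MSG". Because the BSD timestamp
# is fixed-width, the hostname is simply the token after the single space that
# follows it, whether or not it starts with digits ("1234-xxxx/192.168.1.1").
BSD_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)

def parse_bsd_syslog(line: str) -> Optional[dict]:
    """Return the header fields of one BSD-syslog line, or None if malformed."""
    m = BSD_HEADER.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "pri": int(m.group("pri")),
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }

# Shape of the d_log_expanded template output quoted in the report:
# "Date: ..., Sender Unixtime: N, Receiver Unixtime: N, Host: H Message: ..."
EXPANDED = re.compile(
    r"^Date: (?P<date>[^,]+), Sender Unixtime: (?P<s_unix>-?\d+), "
    r"Receiver Unixtime: (?P<r_unix>\d+), Host: (?P<host>\S+) Message: ",
    re.DOTALL,
)

def mangled_reasons(expanded_line: str) -> list:
    """List the symptoms of the bug visible in one templated output line."""
    # Collapse mail-client line wrapping before matching.
    m = EXPANDED.match(" ".join(expanded_line.split()))
    if not m:
        return ["template-unparsable"]
    reasons = []
    if int(m.group("s_unix")) < 0:          # -1 means the sender time was lost
        reasons.append("sender-unixtime-negative")
    if m.group("host").startswith(("-", "/")):  # "1234-xxxx" became "-xxxx"
        reasons.append("hostname-leading-digits-stripped")
    return reasons
```

Running mangled_reasons over a destination written with such a template is a cheap way to find records whose origin host and sender time are no longer trustworthy.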