[syslog-ng] Space in tag causes parsing problems - syslog-ng 2.0.8

Balazs Scheidler bazsi at balabit.hu
Thu May 21 08:51:34 CEST 2009


On Mon, 2009-05-18 at 16:13 +0000, Fegan, Joe wrote:
> And btw strace of the syslog-ng process shows that the message it receives is the following:
> 
> read(15, "<13>May 18 16:44:04 hello world: second message\0", 8192) = 48

Since the syslog message format is ambiguous, it is not possible to
differentiate between the format:

$DATE $HOST $MSG

and 

$DATE $MSG

(e.g. the hostname is optional). syslog-ng assumes that the first word
is the hostname, even if the message is received from local transport
(e.g. unix domain socket or pipe).

The solution is to use bad_hostnames() regexp to match against the names
that are sure to be wrong.

>  
> 
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Fegan, Joe
> Sent: 18 May 2009 17:00
> To: syslog-ng at lists.balabit.hu
> Subject: [syslog-ng] Space in tag causes parsing problems - syslog-ng 2.0.8
> 
> Syslog-ng 2.0.8
> 
> I found that logging a message with a space in the tag causes the first word of the tag to be used as the hostname. This does not happen with the standard syslogd.
> 
> Best illustrated by an example:
>  
> [root at kudos8 ~]# logger -t "hello" "here is a message"
> [root at kudos8 ~]# tail -4 /var/log/messages
> May 18 16:43:53 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:41757
> May 18 16:43:53 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:44965
> May 18 16:43:53 kudos8 info snmpd[5296]: Received SNMP packet(s) from UDP: [127.0.0.1]:44965
> May 18 16:43:55 kudos8 notice hello: this is a message
> [root at kudos8 ~]# 
> 
> This is expected behaviour.
> Now see what happens when I put a space in the tag:
> 
> [root at kudos8 ~]# logger -t "hello world" "second message"
> [root at kudos8 ~]# tail -5 /var/log/messages
> May 18 16:43:53 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:41757
> May 18 16:43:53 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:44965
> May 18 16:43:53 kudos8 info snmpd[5296]: Received SNMP packet(s) from UDP: [127.0.0.1]:44965
> May 18 16:43:55 kudos8 notice hello: this is a message
> May 18 16:44:04 hello notice world: second message
> [root at kudos8 ~]# 
> 
> See that "hello" was incorrectly used as the hostname.
> This is 100% reproducible.
> 
> I stopped syslog-ng and started the standard syslogd instead.
> Standard syslogd does not have this problem:
> 
> [root at kudos8 ~]# logger -t "hello" "here is a message"
> [root at kudos8 ~]# logger -t "hello world" "second message"
> [root at kudos8 ~]# service syslog-ng stop
> Stopping syslog-ng:                                        [  OK  ]
> [root at kudos8 ~]# service syslog start
> Starting system logger:                                    [  OK  ]
> Starting kernel logger:                                    [  OK  ]
> [root at kudos8 ~]# logger -t "hello world" "third message"
> [root at kudos8 ~]# tail -10 /var/log/messages
> May 18 16:54:25 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:33587
> May 18 16:54:25 kudos8 info snmpd[5296]: Connection from UDP: [127.0.0.1]:46177
> May 18 16:54:25 kudos8 info snmpd[5296]: Received SNMP packet(s) from UDP: [127.0.0.1]:46177
> May 18 16:54:30 kudos8 notice hello: here is a message
> May 18 16:54:31 hello notice world: second message
> May 18 16:54:34 kudos8 info syslog-ng[8737]: Termination requested via signal, terminating;
> May 18 16:54:34 kudos8 notice syslog-ng[8737]: syslog-ng shutting down; version=\'2.0.8\'
> May 18 16:54:38 kudos8 syslogd 1.4.1: restart.
> May 18 16:54:38 kudos8 kernel: klogd 1.4.1, log source = /proc/kmsg started.
> May 18 16:54:49 kudos8 hello world: third message
> [root at kudos8 ~]# 
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
> 
> 
-- 
Bazsi
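
Added example, not part of the original message and not syslog-ng's own code: a simplified Python model of the "first word is the hostname" heuristic described above, with a reject regex in the spirit of the bad-hostname option. The `parse` function, its `bad_hostname` parameter and the trailing-colon rule (chosen to reproduce the single-word tag output in the report) are assumptions of this sketch; the first sample line is the one from the strace output, the second is constructed.

```python
import re

# Legacy BSD-style header: <PRI>Mmm dd hh:mm:ss followed by the ambiguous rest.
HEADER = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)$", re.S)

# Line seen in the strace output of the report (local logger, tag "hello world").
SAMPLE_SPACE_TAG = "<13>May 18 16:44:04 hello world: second message\0"
# Constructed sample: same sender with a single-word tag.
SAMPLE_SINGLE_TAG = "<13>May 18 16:43:55 hello: here is a message\0"


def parse(raw, local_host, bad_hostname=None):
    """Split a legacy syslog line into fields.

    bad_hostname (hypothetical parameter of this sketch) is a regex naming
    first words that must never be accepted as the hostname.
    """
    m = HEADER.match(raw.rstrip("\0\n"))
    if not m:
        raise ValueError("not a legacy syslog line")
    pri, date, rest = int(m.group(1)), m.group(2), m.group(3)
    first, sep, remainder = rest.partition(" ")
    # The ambiguity: 'first' is either $HOST or the start of $MSG.
    # Assumption: a word ending in ':' is a program tag, not a host.
    host_like = bool(sep) and not first.endswith(":")
    if host_like and bad_hostname and re.search(bad_hostname, first):
        host_like = False  # rejected by the configured regex
    if host_like:
        host, msg = first, remainder
    else:
        host, msg = local_host, rest  # fall back to the receiving host's name
    return {"facility": pri >> 3, "severity": pri & 7,
            "date": date, "host": host, "msg": msg}


if __name__ == "__main__":
    # Without a reject regex, the first word of the tag lands in the host field.
    print(parse(SAMPLE_SPACE_TAG, "kudos8"))
    # With one, the whole tag stays in the message and the local name is used.
    print(parse(SAMPLE_SPACE_TAG, "kudos8", bad_hostname=r"^hello$"))
    print(parse(SAMPLE_SINGLE_TAG, "kudos8"))
```
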