[syslog-ng] Fwd: Re: Question

Balazs Scheidler bazsi at balabit.hu
Sat Jun 4 13:20:52 CEST 2011 

Hi,

Thanks for bringing this up. The description was certainly familiar and
that was the reason. 3.3 OSE is the first affected branch, older code
didn't use the hand-coded number parsing functions.

This is the commit-id of the new patch:

commit 4df06a3c8d7c37b06db41be4695522c73ec925a5
Author: Balazs Scheidler <bazsi at balabit.hu>
Date:   Sun Apr 10 10:28:31 2011 +0200

    Fixed BSD timestamp parsing when the day is padded with spaces in front (fixes: D-03717)
    
    Although the bugreport contained info that it'd be 'no-hostname' related, in
    reality it isn't. The unit tests couldn't cover this case as the
    timestamp that can typically contain such fields do not contain year information.
    
    This patch fills this whole in the unit test and also fixes the
    problem itself. It was caused by one of the performance improvement
    patches, but doesn't affect PE 4.0 or older OSE versions.
    
    Signed-off-by: Balazs Scheidler <bazsi at balabit.hu>


On Thu, 2011-06-02 at 12:41 +0200, Gergely Nagy wrote:
> Copying this to the syslog-ng@ list aswell, as this might be interesting
> to others aswell, and the patch should be picked up for 3.3 too.
> 
> > On 2011-06-01 17:20, Costa Farber wrote:
> >> Hello.
> >>
> >> I use syslog-ng 3.3 beta. It was working up today perfect. Today I
> >> got the following result:
> >> my config
> >> */source s_network {
> >>     udp();
> >>     tcp();
> >> };
> >> destination d_local_prospero {
> >>     file("/var/log/messages_prospero"
> >> template("$ISODATE#$HOST#$MSGONLY\n") );
> >> };
> >> log {
> >>     source(s_network);
> >>     destination(d_local_prospero);
> >> };/*
> >>
> >> source message is
> >> /*Jun  1 17:50:11 ubnct lighttpd-1.5[24730]: DEBUG
> >> wix.c:send_wixfs_file:345 will send file:
> >> /var/www/static.wix.com/media/3d/44/3d4433_34a5623f12940907668b5ee9b72d23a3.jpg_600
> >> <http://static.wix.com/media/3d/44/3d4433_34a5623f12940907668b5ee9b72d23a3.jpg_600>*/
> >>
> >> result is
> >> /*2011-06-01T17:50:03+03:00#ubnct# 1 17:50:11 ubnct
> >> lighttpd-1.5[24730]: DEBUG wix.c:send_wixfs_file:345 will send file:
> >> /var/www/static.wix.com/media/3d/44/3d4433_34a5623f12940907668b5ee9b72d23a3.jpg_600
> >> <http://static.wix.com/media/3d/44/3d4433_34a5623f12940907668b5ee9b72d23a3.jpg_600>*/
> >>
> >> It seems like parser has a bug and can not pars one digit day (it
> >> has 2 spaces between month and day).
> >> I need help to clear is it bug or any ather problem.
> 
> This is a known problem, but for some reason the fix did not make it
> into 3.3 yet.
> 
> Attached is a patch that fixes the problem.
> 
> differences between files attachment
> (0001-Fixed-BSD-timestamp-parsing-when-the-day-is-padded-w.patch)
> From 72733f3b3fd0d29a58dc1f3601e0c2a4b3577747 Mon Sep 17 00:00:00 2001
> From: Balazs Scheidler <bazsi at balabit.hu>
> Date: Sun, 10 Apr 2011 10:28:31 +0200
> Subject: [PATCH] Fixed BSD timestamp parsing when the day is padded with spaces in front (fixes: D-03717)
> 
> Although the bugreport contained info that it'd be 'no-hostname' related, in
> reality it isn't. The unit tests couldn't cover this case as the
> timestamp that can typically contain such fields do not contain year information.
> 
> This patch fills this whole in the unit test and also fixes the
> problem itself. It was caused by one of the performance improvement
> patches, but doesn't affect PE 4.0 or older OSE versions.
> 
> Signed-off-by: Balazs Scheidler <bazsi at balabit.hu>
> ---
>  lib/str-format.c           |    3 +-
>  tests/unit/test_msgparse.c |   54 ++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 56 insertions(+), 1 deletions(-)
> 
> diff --git a/lib/str-format.c b/lib/str-format.c
> index 27a292a..a033b43 100644
> --- a/lib/str-format.c
> +++ b/lib/str-format.c
> @@ -1,6 +1,7 @@
>  #include "str-format.h"
>  
>  #include <string.h>
> +#include <ctype.h>
>  
>  static gchar digits[] = "0123456789abcdef";
>  
> @@ -82,7 +83,7 @@ scan_uint32(const gchar **buf, gint *left, gint field_width, guint32 *num)
>      {
>        if ((**buf) >= '0' && (**buf) <= '9')
>          result = result * 10 + ((**buf) - '0');
> -      else
> +      else if (!isspace(**buf))
>          return FALSE;
>        (*buf)++;
>        (*left)--;
> diff --git a/tests/unit/test_msgparse.c b/tests/unit/test_msgparse.c
> index 3a60175..069cc37 100644
> --- a/tests/unit/test_msgparse.c
> +++ b/tests/unit/test_msgparse.c
> @@ -59,6 +59,33 @@ check_value(gchar *msg, LogMessage *logmsg, NVHandle handle, const gchar *expect
>    TEST_ASSERT(strcmp(p, expected) == 0, "%s", p, expected);
>  }
>  
> +/* This function determines the year that syslog-ng would find out
> + * given the timestamp has no year information. Then returns the UTC
> + * representation of "January 1st 00:00:00" of that year. This is to
> + * be used for testcases that lack year information. ts_month is the 0
> + * based month in the timestamp being parsed.
> + */
> +time_t
> +get_bsd_year_utc(int ts_month)
> +{
> +  struct tm *tm;
> +  time_t t;
> +
> +  time(&t);
> +  tm = localtime(&t);
> +
> +  if (tm->tm_mon > ts_month + 1)
> +    tm->tm_year++;
> +
> +  tm->tm_hour = 0;
> +  tm->tm_min = 0;
> +  tm->tm_sec = 0;
> +  tm->tm_mday = 1;
> +  tm->tm_mon = 0;
> +  tm->tm_isdst = -1;
> +  return mktime(tm);
> +}
> +
>  int
>  testcase(gchar *msg,
>           gint parse_flags,
> @@ -182,6 +209,33 @@ main(int argc G_GNUC_UNUSED, char *argv[] G_GNUC_UNUSED)
>             NULL, "2499", NULL, NULL
>             );
>  
> +  testcase("<15>Jan  1 01:00:00 bzorp openvpn[2499]: PTHREAD support initialized", LP_EXPECT_HOSTNAME, NULL,
> +           15, 			// pri
> +           get_bsd_year_utc(0) + 3600, 0, 3600,		// timestamp (sec/usec/zone)
> +           "bzorp",		// host
> +           "openvpn",		// openvpn
> +           "PTHREAD support initialized", // msg
> +           NULL, "2499", NULL, NULL
> +           );
> +
> +  testcase("<15>Jan 10 01:00:00 bzorp openvpn[2499]: PTHREAD support initialized", LP_EXPECT_HOSTNAME, NULL,
> +           15, 			// pri
> +           get_bsd_year_utc(0) + 3600 + 9 * 24 * 3600, 0, 3600,		// timestamp (sec/usec/zone)
> +           "bzorp",		// host
> +           "openvpn",		// openvpn
> +           "PTHREAD support initialized", // msg
> +           NULL, "2499", NULL, NULL
> +           );
> +
> +  testcase("<13>Jan  1 14:40:51 alma korte: message", 0, NULL,
> +	   13,
> +	   get_bsd_year_utc(0) + 60 * 60 * 14 + 40 * 60 + 51, 0, 3600,
> +	   "",
> +	   "alma",
> +	   "korte: message",
> +	   NULL, NULL, NULL, NULL
> +	   );
> +
>    testcase("<7>2006-11-10T10:43:21.156+02:00 bzorp openvpn[2499]: PTHREAD support initialized", LP_EXPECT_HOSTNAME, NULL,
>             7, 			// pri
>             1163148201, 156000, 7200,	// timestamp (sec/usec/zone)
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> 

-- 
Bazsi

More information about the syslog-ng mailing list