[syslog-ng] Problems with rewrite set and template functions...

Johnson, Chris (HP TippingPoint Roseville) chris.johnson3 at hp.com
Sat Jan 26 00:43:50 CET 2013 

Hi all,
I've come across a problem when using the rewrite set function with a template function.
I've created a custom template function 'audit-TPTI-to-Email' and use it in a rewrite:
rewrite r_audit_EMail {
        set("$(audit-TPTI-to-EMail ${MSG})", value("MSG"));
};

Then call it:
filter f_audit_pgm{program("AUDIT-*" type("glob"));};
log {
        source(s_local);
        filter(f_audit_pgm);
        log {
                destination(d_logID_02);
        };
        log {
                rewrite(r_audit_EMail);
                rewrite(r_quote_newlines);
                destination(d_logID_13);
        };
        flags(final);
};
Everything work fine.
Then if I add another call to rewrite (i.e. add a second email destination):
filter f_audit_pgm{program("AUDIT-*" type("glob"));};
log {
        source(s_local);
        filter(f_audit_pgm);
        log {
                destination(d_logID_02);
        };
        log {
                rewrite(r_audit_EMail);
                rewrite(r_quote_newlines);
                destination(d_logID_13);
        };
        log {
                rewrite(r_audit_EMail);
                rewrite(r_quote_newlines);
                destination(d_logID_14);
        };
        flags(final);
};
Syslog-ng crashes with a segfault.
I've narrowed in down to any template function (just to make sure *I* wasn't screwing something up in my custom function):
rewrite r_echo { set("$(echo $PROGRAM)" value("PROGRAM")); };
destination d_test1{ file("/var/log/test1.log"); };
destination d_test2{ file("/var/log/test2.log"); };

log {
        source(s_local);
        log {
                rewrite(r_echo);
                destination(d_test1);
        };
        log {
                rewrite(r_echo);
                destination(d_test2);
        };
};

The backtrace:
Backtrace:
/usr/local/lib/libsyslog-ng-3.3.3.so(plugin_find+0x39)[0x7f3eb76ff019]
/usr/local/lib/libsyslog-ng-3.3.3.so(log_template_compile+0x84f)[0x7f3eb7703baf]
/usr/local/lib/libsyslog-ng-3.3.3.so(log_rewrite_set_new+0x99)[0x7f3eb76f3349]
/usr/local/lib/libsyslog-ng-3.3.3.so[0x7f3eb76f3371]
/usr/local/lib/libsyslog-ng-3.3.3.so(log_center_init_pipe_line+0x35d)[0x7f3eb76dfecd]
/usr/local/lib/libsyslog-ng-3.3.3.so(log_center_init_pipe_line+0xd2)[0x7f3eb76dfc42]
/usr/local/lib/libsyslog-ng-3.3.3.so(log_center_init+0x56)[0x7f3eb76e0226]
/usr/local/lib/libsyslog-ng-3.3.3.so(cfg_init+0xb0)[0x7f3eb76e1530]
/usr/local/lib/libsyslog-ng-3.3.3.so(main_loop_init+0x11b)[0x7f3eb76f9abb]
/usr/local/sbin/syslog-ng(main+0x11f)[0x40168f]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f3eb6240126]
/usr/local/sbin/syslog-ng[0x401379]

I threw in some debug statements:
LogRewrite *
log_rewrite_set_new(const gchar *new_value)
{
    fprintf(stderr, "%s('%s'):\n", __FUNCTION__, new_value);

Plugin *
plugin_find(GlobalConfig *cfg, gint plugin_type, const gchar *plugin_name)
{
    fprintf(stderr, "%s(%p, %d, '%s'): '\n", __FUNCTION__, cfg, plugin_type, plugin_name);

Which showed that the 'cfg' pointer is null when rewrite is called the second time:
log_rewrite_set_new('$(echo $PROGRAM)'):
plugin_find(0x60e210, 13, 'echo'): '
plugin_find:    plugin->name = 'sys-to-EMail'
plugin_find:    plugin->name = 'audit-TPTI-to-EMail'
plugin_find:    plugin->name = 'quar-TPTI-to-EMail'
plugin_find:    plugin->name = 'quar-TPTI-to-CEF'
plugin_find:    plugin->name = 'tab-to-bar'
plugin_find:    plugin->name = 'tab-to-semicolon'
plugin_find:    plugin->name = 'tab-to-comma'
plugin_find:    plugin->name = 'to-upper-case'
plugin_find:    plugin->name = 'to-lower-case'
plugin_find:    plugin->name = 'ipv4-to-int'
plugin_find:    plugin->name = 'log-session-seqnum'
plugin_find:    plugin->name = 'indent-multi-line'
plugin_find:    plugin->name = 'if'
plugin_find:    plugin->name = 'grep'
plugin_find:    plugin->name = 'echo'
plugin_find(0x60e210, 2, 'file'): '
[...]
log_rewrite_set_new('$(echo $PROGRAM)'):
plugin_find((nil), 13, 'echo'): '
*** Segmentation fault

Sooo, my questions are:
Is this expected behavior?
Has this been patched already?
Is there another way I can call a custom function to reformat the message field on a destination-by-destination basis?

Thanks,
Chris

----------------------------------------
Christopher Johnson
chris.johnson3 at hp.com<mailto:chris.johnson3 at hp.com>
HP Software - Security Product Group
(916) 785-2817
----------------------------------------

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20130125/d5f10fcd/attachment-0001.htm

More information about the syslog-ng mailing list