[syslog-ng] Spurious path, logfile not created; path=

Antal Nemes (anemes) Antal.Nemes at oneidentity.com
Mon Mar 2 13:53:59 UTC 2020


  Hi,

I don't know why this is happening, but a spurious path is the following:

https://github.com/syslog-ng/syslog-ng/blob/52ef5c7072c651807cc2778000b3b8fe2a8cd101/modules/affile/file-opener.c#L74
For each opened file, syslog-ng checks the file name for some malicious patterns for security reasons. If an attacker could inject `../../../`-like macros, that could lead to writing to unwanted system-critical files.

File paths containing `../` or `/..` are called spurious paths in syslog-ng.

Br,
  Antal
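The check Antal describes, as an added stand-alone illustration (this is not the code from syslog-ng's file-opener.c, and the template, HOST and date values below are constructed sample inputs):

```c
/* Added illustration of the spurious-path rule: reject any destination
 * whose expanded name contains "../" or "/..". Not syslog-ng's own code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* "../" catches "../x" and "a/../x"; "/.." catches a trailing "a/..".
 * The match is a plain substring test, so a name such as "/..hidden" is
 * rejected as well; that conservative behaviour is intentional here. */
bool
path_is_spurious(const char *path)
{
  return strstr(path, "../") != NULL || strstr(path, "/..") != NULL;
}

/* Expand a template shaped like file("/var/log/netlog/unix/${HOST}/...")
 * with values taken from the message. The template is a constructed example. */
int
build_log_path(char *out, size_t out_size, const char *host, const char *date)
{
  return snprintf(out, out_size, "/var/log/netlog/unix/%s/%s.log", host, date);
}

/* Returns true when the expanded path may be opened, false when the
 * check would instead log "Spurious path, logfile not created". */
bool
try_open_path(const char *host, const char *date, char *out, size_t out_size)
{
  build_log_path(out, out_size, host, date);
  if (path_is_spurious(out))
    {
      fprintf(stderr, "Spurious path, logfile not created; path='%s'\n", out);
      return false;
    }
  return true;
}

int
main(void)
{
  char path[256];
  /* Constructed sample values: a sane HOST, then a HOST field that
   * carries an upward traversal of the kind the reply warns about. */
  try_open_path("webserver1", "20200210", path, sizeof path);
  try_open_path("../../../etc", "passwd", path, sizeof path);
  return 0;
}
```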
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Pal, Laszlo <vlad at vlad.hu>
Sent: Monday, March 2, 2020 10:42
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] Spurious path, logfile not created; path=


Hi,

For one of my hosts, I can see lots of these messages

Spurious path, logfile not created; path=

What does it mean exactly? I'm creating files with this macro

file("/var/log/netlog/unix/${HOST}/${YEAR}/${MONTH}/${HOST}-${YEAR}${MONTH}${DAY}.log"

and even for this host, I have all the logs regardless of this message

I also have messages for the same host like this
Resource temporarily unavailable (11)

Here are some more details that may help to find out the reasons behind this:
- the issue started 9th February (I have a total of 160K entries like this)
- the filename/path was incorrect during the whole event
2020/02/servername-20200210.log
- on the 29th the server went south by consuming lots of CPU and disappeared from the network; the console was frozen, so we had to reset the VM

The host is running an old syslog-ng PE
(syslog-ng-premium-edition 4 LTS (4.0.5a)
Installer-Version: 4.0.5a
Revision: ssh+git://ganesa@git.balabit//var/scm/git/syslog-ng/syslog-ng-pe--mainline--4.0#master#457ec2f494a46d62ecf8cd938f12f02cd0ae9e63)
on RHEL5

Log sources are simple plain text files containing tomcat and other web server logs

I have a twin host with the exact same config and log sources, but I have never seen messages like this from that one

Do you have any idea? To me it looks very mysterious

Thanks
Laszlo




