[syslog-ng] Spurious path, logfile not created; path=

Matus UHLAR - fantomas uhlar at fantomas.sk
Mon Mar 2 14:39:29 UTC 2020


On 02.03.20 13:53, Antal Nemes (anemes) wrote:
>I don't know why this is happening, but the spurious path check is the following:
>
>https://github.com/syslog-ng/syslog-ng/blob/52ef5c7072c651807cc2778000b3b8fe2a8cd101/modules/affile/file-opener.c#L74
>For each opened file, syslog-ng checks the file name for some malicious patterns for security reasons. If an attacker could inject `../../../` via macros, that could lead to writing to some unwanted system-critical files.
>
>File paths containing `../` or `/..` are called spurious paths in syslog-ng.

That could explain it. The macros in this line:

>file("/var/log/netlog/unix/${HOST}/${YEAR}/${MONTH}/${HOST}-${YEAR}${MONTH}${DAY}.log"

are the dates and times gotten from the message itself, so an attacker can
send a message containing spurious characters instead of a real date.

If you want to use the date/time when the message was received, use R_* macros
(R_YEAR), or if you want to use the date the message was processed/written, use
D_* macros (D_YEAR).

>________________________________
>From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Pal, Laszlo <vlad at vlad.hu>
>Sent: Monday, March 2, 2020 10:42
>To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
>Subject: [syslog-ng] Spurious path, logfile not created; path=
>
>Hi,
>
>For one of my hosts, I can see lots of these messages
>
>Spurious path, logfile not created; path=
>
>What does it mean exactly? I'm creating files with this macro
>
>file("/var/log/netlog/unix/${HOST}/${YEAR}/${MONTH}/${HOST}-${YEAR}${MONTH}${DAY}.log"
>
>and even for this host, I have all the logs regardless of this message
>
>I also have messages for the same host like this
>Resource temporarily unavailable (11)
>
>Here are some more details that may help to find out the reasons behind this
>- issue started 9th February (I have a total of 160K entries like this)
>- the filename/path was incorrect during the whole event
>2020/02/servername-20200210.log
>- on the 29th the server went south by consuming lots of CPU and disappeared from the network, the console was frozen, so we had to reset the VM
>
>The host is running an old syslog-ng PE
>(syslog-ng-premium-edition 4 LTS (4.0.5a)
>Installer-Version: 4.0.5a
>Revision: ssh+git://ganesa@git.balabit//var/scm/git/syslog-ng/syslog-ng-pe--mainline--4.0#master#457ec2f494a46d62ecf8cd938f12f02cd0ae9e63)
>on RHEL5
>
>Log sources are simple plain text files containing tomcat and other web server logs
>
>I have a twin host with the exact same config and log sources, but I have never seen messages like this from that one
>
>Do you have any idea? To me it looks very mysterious

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
M$ Win's are shit, do not use it !
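The spurious-path check and the S_/R_ date-macro distinction discussed in this thread, as an added Python example; this is not syslog-ng's own code, the field values are constructed, and the containment check against the log root is an extra test the thread does not attribute to syslog-ng:

```python
import os
import re

# Template from the thread. Bare ${YEAR}/${MONTH}/${DAY} resolve to the S_ (sender
# timestamp) macros, which is the default behaviour the reply above warns about.
TEMPLATE = ("/var/log/netlog/unix/${HOST}/${YEAR}/${MONTH}/"
            "${HOST}-${YEAR}${MONTH}${DAY}.log")
LOG_ROOT = "/var/log/netlog/unix"

# Constructed sample fields; every value here is made up for this example.
BENIGN = {"HOST": "webserver",
          "S_YEAR": "2020", "S_MONTH": "02", "S_DAY": "10",   # taken from the message
          "R_YEAR": "2020", "R_MONTH": "03", "R_DAY": "02"}   # time of receipt
HOSTILE = dict(BENIGN, HOST="../../etc")   # a message-supplied field carrying '../'

MACRO = re.compile(r"\$\{([A-Za-z0-9_]+)\}")

def expand(template, fields, time_prefix="S_"):
    """Expand ${NAME} macros; time_prefix picks S_/R_/D_ for the bare date macros."""
    def sub(m):
        name = m.group(1)
        if name in ("YEAR", "MONTH", "DAY"):
            name = time_prefix + name
        return fields.get(name, "")
    return MACRO.sub(sub, template)

def is_spurious_path(path):
    """The check described in the thread: any '../' or '/..' makes the path spurious."""
    return "../" in path or "/.." in path

def resolve_log_path(template, fields, time_prefix="S_", root=LOG_ROOT):
    """Return the expanded path, or None when the file should not be created.
    The second test (path must stay under root after normalisation) is an added,
    stricter check, assumed here rather than taken from syslog-ng."""
    path = expand(template, fields, time_prefix)
    if is_spurious_path(path):
        return None
    if os.path.commonpath([root, os.path.normpath(path)]) != root:
        return None
    return path

if __name__ == "__main__":
    for label, fields in (("benign", BENIGN), ("hostile", HOSTILE)):
        for prefix in ("S_", "R_"):
            print(label, prefix, resolve_log_path(TEMPLATE, fields, prefix))
```

Switching to R_ macros changes which timestamp lands in the path, but a hostile ${HOST} value is still rejected by the spurious-path check either way.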