[syslog-ng] Spurious path, logfile not created; path=

Mon Mar 2 15:46:14 UTC 2020

YEAR/MONTH/DAY macros never contain spurious elements, as the timestamp is
parsed by syslog-ng and these macros work from the parsed representation.
They might be invalid (if parsing fails), but are guaranteed to contain
only numbers.

The $HOST portion on the other hand is controlled by the syslog client and
can contain this sequence of characters.

It is strange that "path" in the original log message seems to be empty,
that should contain the filename that was suspicious to syslog-ng.

On Mon, Mar 2, 2020 at 3:39 PM Matus UHLAR - fantomas <uhlar at fantomas.sk>
wrote:

> On 02.03.20 13:53, Antal Nemes (anemes) wrote:
> >I don't know why is this happening, but spurious path is the following:
> >
> >
> https://github.com/syslog-ng/syslog-ng/blob/52ef5c7072c651807cc2778000b3b8fe2a8cd101/modules/affile/file-opener.c#L74
> >For each opened file, syslog-ng checks some malicious patterns in the
> file name for security reason. If an attacker could inject `../../../` like
> macros, that could lead to write some unwanted system critical files.
> >
> >File paths containing `../` or `/..` are called spurious paths in
> syslog-ng.
>
> that could explain is. macros in this line:
>
>
> >file("/var/log/netlog/unix/${HOST}/${YEAR}/${MONTH}/${HOST}-${YEAR}${MONTH}${DAY}.log"
>
> are the dates and times gotten from the message itself, so an attacker can
> send message containing suprious characters instead of real date.
>
> if you want to use date/time wen the message was received, use R_* macros
> (R_YEAR), or if you want to use date the messahe was processed/written, use
> D_* macros (D_YEAR).
>
> >________________________________
> >From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Pal,
> Laszlo <vlad at vlad.hu>
> >Sent: Monday, March 2, 2020 10:42
> >To: Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> >Subject: [syslog-ng] Spurious path, logfile not created; path=
> >
> >CAUTION: This email originated from outside of the organization. Do not
> follow guidance, click links, or open attachments unless you recognize the
> sender and know the content is safe.
> >
> >Hi,
> >
> >For one of my hosts, I can see lots of these messages
> >
> >Spurious path, logfile not created; path=
> >
> >What does it mean exactly? I'm creating files with this macro
> >
>
> >file("/var/log/netlog/unix/${HOST}/${YEAR}/${MONTH}/${HOST}-${YEAR}${MONTH}${DAY}.log"
> >
> >and even for this host, I have all the logs regardless of this message
> >
> >I also have messages for the same host like this
> >Resource temporarily unavailable (11)
> >
> >Here is some more details may help to find out the reasons behind this
> >- issue started 9th February (I have a total of 160K entries like this)
> >- the filename/path was incorrect during the whole event
> >2020/02/servername-20200210.log
> >- on 29th the server gone south by consuming lots of CPU and disappeared
> from the network, console was frozen, so we had to reset the vm
> >
> >The host running an old syslog-ng PE
> >(syslog-ng-premium-edition 4 LTS (4.0.5a)
> >Installer-Version: 4.0.5a
> >Revision: ssh+git://ganesa@git.balabit
> //var/scm/git/syslog-ng/syslog-ng-pe--mainline--4.0#master#457ec2f494a46d62ecf8cd938f12f02cd0ae9e63)
> >on RHEL5
> >
> >Log sources are simple plain text files contains tomcat and other web
> server logs
> >
> >I have a twin-host with the exact same config and log sources, but I
> never seen messages like this from that one
> >
> >Do you have any idea? To me it looks very mysterious
>
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> M$ Win's are shit, do not use it !
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>

-- 
Bazsi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20200302/512b83fb/attachment-0001.html>