From rgerhards at hq.adiscon.com Wed Nov 2 09:19:39 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 2 Nov 2005 09:19:39 +0100
Subject: [rsyslog] 1.12.0 - Seg Faults
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3D29@grfint2.intern.adiscon.com>

Dusty,

sorry for the late reply, I actually overlooked the message :(

I think I need to set up a new lab. Looks like it actually has to do
with the message content. I've no indication from the code review, but
obviously there must be a bug hiding ;)

I am not sure if I can do the lab today as I am working on some really
pressing things...

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Dusty Hall
> Sent: Friday, October 28, 2005 2:54 PM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] 1.12.0 - Seg Faults
>
> Rainer,
>
> First off, I really appreciate your help with this...
>
> I just got through trying both ideas but neither work :(. It seg
> faulted in the same place.
>
> I tried running the daemon a little different here and it actually
> caught the name (bambam=xxx.xxx.xxx.xxx) but didn't write it to the log,
> thoughts?
>
> /usr/sbin/rsyslogd -d -n -r 0 -l xxx.xxx.xxx.xxx (this version has both
> revisions applied)
>
> Calling selet, active file descriptors (max 12): 3 12
>
> Successful select, descriptor count = 1, Activity on: 12
> Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
> Message length: 47, File descriptor: 12.
> logmsg: daemon.notice<29>, flags 2, from bambam, msg Oct 28 07:48:38
> snort: GLOBAL CONFIG
> Segmentation fault
>
>
> server messages file:
> -----
> Oct 28 07:48:38 snort: Writing PID "47582" to file "/var/run//snort_fxp0.pid"
> Oct 28 07:48:38 snort: Parsing Rules file /etc/nsm/snort.conf
> Oct 28 07:48:38 snort: ,-----------[Flow Config]----------------------
> Oct 28 07:48:38 snort: | Stats Interval: 0
> Oct 28 07:48:38 snort: | Hash Method: 2
> Oct 28 07:48:38 snort: | Memcap: 10485760
> Oct 28 07:48:38 snort: | Rows : 4099
> Oct 28 07:48:38 snort: | Overhead Bytes: 16400(%0.16)
> Oct 28 07:48:38 snort: `----------------------------------------------
> Oct 28 07:48:38 snort: HttpInspect Config:
>
>
>
> >>> rgerhards at hq.adiscon.com 10/28/05 2:29 AM >>>
> Dusty,
>
> after some more testing, I am now back to thinking that the printf() is
> just a cosmetic problem. The code I was suspecting to have a bug
> actually is OK.
>
> Anyhow, could you please replace the printf at the start of logmsg().
> The new version is:
>
> dprintf("logmsg: %s, flags %x, from '%s', msg %s\n", textpri(pri), flags, getRcvFrom(pMsg), msg);
>
> This is all on one line. Search for "logmsg:" in the code, that will
> show you only the to-be-replaced line.
>
> I think the problem will persist after applying this patch.
>
> If so, I now suspect there is a problem with multithreading. It is
> experimental, and that everything works well in my lab does not really
> mean it will in practice. So if the bug persists, I would like you to
> disable multitasking. This is easy. Just go to your Makefile and find
> FEATURE_PTHREADS. Switch that from 1 to 0. Then, run
>
> make clean
> make
> make install
>
> After that, rsyslogd will run in single-threading mode. Please let me
> know if the error then persists, too.
>
> Please let me know the outcome.
>
> Rainer
>
> On Fri, 2005-10-28 at 08:46, Rainer Gerhards wrote:
> > Hi Dusty,
> >
> > I first thought this were just a cosmetic problem with the printf. After
> > some review, I think the non-parsable hostname is really causing the
> > segfault. I have to admit I am a bit puzzled this did not show up
> > earlier. Anyhow, I'll see that I can do something against it today.
> >
> > Rainer
> >
> > On Fri, 2005-10-28 at 00:07, Dusty Hall wrote:
> > > I'm having a problem with rsyslogd seg faulting. The daemon (1.12.0) is
> > > running on RHEL 4 and the clients are FreeBSD 4.x & 5.x. It doesn't
> > > seem to catch the name from the clients leading to a seg fault. Ideas,
> > > workarounds? Any help would be greatly appreciated!
> > >
> > >
> > > -Dusty
> > >
> > >
> > > # /usr/sbin/rsyslogd -d -r 0 -n
> > > ......
> > > -1208042912: Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
> > > -1208042912: Message length: 46, File descriptor: 12.
> > > -1208042912: logmsg: daemon.notice<29>, flags 2, from (null), msg Oct 27
> > > 16:15:38 snort: GLOBAL CONFIG
> > > Segmentation fault
> > >
> > >
> > > server messages file contains:
> > > ----------
> > > Oct 27 16:15:39 snort: ,-----------[Flow Config]----------------------
> > > Oct 27 16:15:39 snort: | Stats Interval: 0
> > > Oct 27 16:15:39 snort: | Hash Method: 2
> > > Oct 27 16:15:39 snort: | Memcap: 10485760
> > > Oct 27 16:15:39 snort: | Rows : 4099
> > > Oct 27 16:15:39 snort: | Overhead Bytes: 32800(%0.31)
> > > Oct 27 16:15:39 snort: `----------------------------------------------
> > > Oct 27 16:15:39 snort: HttpInspect Config:
> > >
> > >
> > > client messages file contains:
> > > ---------
> > > Oct 27 10:00:03 fred snort: ,-----------[Flow Config]----------------------
> > > Oct 27 10:00:03 fred snort: | Stats Interval: 0
> > > Oct 27 10:00:03 fred snort: | Hash Method: 2
> > > Oct 27 10:00:03 fred snort: | Memcap: 10485760
> > > Oct 27 10:00:03 fred snort: | Rows : 4099
> > > Oct 27 10:00:03 fred snort: | Overhead Bytes: 32800(%0.31)
> > > Oct 27 10:00:03 fred snort: `----------------------------------------------
> > > Oct 27 10:00:03 fred snort: HttpInspect Config:
> > > Oct 27 10:00:03 fred snort: GLOBAL CONFIG
> > > Oct 27 10:00:03 fred snort: Max Pipeline Requests: 0
> > > Oct 27 10:00:03 fred snort: Inspection Type: STATELESS
> > > Oct 27 10:00:03 fred snort: Detect Proxy Usage: NO
> > > Oct 27 10:00:03 fred snort: IIS Unicode Map Filename: /etc/nsm/unicode.map
> > > Oct 27 10:00:03 fred snort: IIS Unicode Map Codepage: 1252
> > > Oct 27 10:00:03 fred snort: DEFAULT SERVER CONFIG:
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog

From halljer at auburn.edu Wed Nov 2 16:17:30 2005
From: halljer at auburn.edu (Dusty Hall)
Date: Wed, 02 Nov 2005 09:17:30 -0600
Subject: [rsyslog] 1.12.0 - Seg Faults
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA0E3D29@grfint2.intern.adiscon.com>
References: <577465F99B41C842AAFBE9ED71E70ABA0E3D29@grfint2.intern.adiscon.com>
Message-ID: <4368842E.8529.003A.0@auburn.edu>

Rainer,

No problem. FYI, this is also happening with OpenBSD :(.

Nov 1 13:35:05 syslogd: restart
Nov 1 13:35:05 /bsd: OpenBSD 3.7 (GENERIC) #312: Mon Mar 21 00:14:33 MST 2005
--- seg faults here ---

Thanks,

-Dusty
From rgerhards at hq.adiscon.com Fri Nov 4 17:00:56 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 04 Nov 2005 17:00:56 +0100
Subject: [rsyslog] 1.12.0 - Seg Faults
In-Reply-To: <4361D92C0200003A0000098B@groupwise1.duc.auburn.edu>
References: <4361D92C0200003A0000098B@groupwise1.duc.auburn.edu>
Message-ID: <1131120055.2186.66.camel@rh9lt.intern.adiscon.com>

Dusty,

this one via the list, because it is of potential interest for others,
too.

Finally, I found the bug. I have to admit I always thought into the
wrong direction. Now that I got that straight, it was actually easy to
spot.

The actual cause is that there is a bug in the syslog TAG assignment
function. To fix this, search for MsgSetTag in syslogd.c. Replace it
with this code:

static void MsgAssignTAG(struct msg *pMsg, char *pBuf)
{
	assert(pMsg != NULL);
	pMsg->iLenTAG = (pBuf == NULL) ? 0 : strlen(pBuf);
	pMsg->pszTAG = pBuf;
}

That will fix the abort. HOWEVER... the root cause (as you rightly said
;)) is that the BSD messages do not contain a host name. rsyslogd parses
according to RFC 3164, where a hostname is required. That RFC is no
standard, so it is OK to send without hostname. The bad news is that
there is nothing inside the message that you can use to detect if there
is a hostname present or not. The only solution I can think of is to
have the ability to configure custom parsers based on e.g. the message
sender. This is something that rsyslogd currently does not do. So for
the time being, the BSD syslog messages will have the TAG in the
HOSTNAME field. In many cases, you can probably live with that,
especially if you custom-format the templates and apply them on a
per-sender basis. The other alternative is to install rsyslogd on the
senders, too, because that will obviously relieve you of this issue.

So, I have mixed news ;) I hope it is still useful for you.

Rainer
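The parsing situation Rainer describes above (a BSD sender omits HOSTNAME, so the TAG lands in that field, and a message with no TAG hands a NULL pointer to strlen()), as an added C example that is not rsyslog's code: a small RFC 3164 header parser whose TAG assignment has the same NULL-safe shape as the MsgAssignTAG fix, plus the one heuristic that does resolve Dusty's snort lines (a first token ending in ':' cannot be a hostname) while leaving the general case ambiguous, as Rainer says. The function and struct names and the sample lines are my own, not from the rsyslog source.

```c
#include <ctype.h>
#include <string.h>

#define FIELD_MAX 128
#define DIGIT(c) isdigit((unsigned char)(c))

/* One parsed RFC 3164 header; "content" points into the caller's line. */
struct syslog_hdr {
    int         pri;
    char        hostname[FIELD_MAX];
    int         has_hostname;   /* 0 for the BSD form that omits HOSTNAME */
    char        tag[FIELD_MAX];
    int         has_tag;        /* 0 when the message ends after HOSTNAME */
    size_t      tag_len;        /* 0 when has_tag == 0, never strlen(NULL) */
    const char *content;
};

/* Same shape as the MsgAssignTAG fix posted in the thread: a NULL TAG
 * buffer yields length 0 instead of a strlen(NULL) crash. */
static void assign_tag(struct syslog_hdr *h, const char *buf, size_t n)
{
    h->has_tag = (buf != NULL);
    h->tag_len = (buf == NULL) ? 0 : n;
    h->tag[0] = '\0';
    if (buf != NULL) {
        memcpy(h->tag, buf, n);
        h->tag[n] = '\0';
    }
}

/* RFC 3164 TIMESTAMP "Mmm dd hh:mm:ss" (day space-padded) plus one space. */
static int valid_timestamp(const char *p)
{
    static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    const char *m;
    if (strlen(p) < 16 || p[15] != ' ' || p[3] != ' ' || p[6] != ' ')
        return 0;
    for (m = months; *m != '\0' && strncmp(p, m, 3) != 0; m += 3)
        ;
    return *m != '\0' && (p[4] == ' ' || DIGIT(p[4])) && DIGIT(p[5]) &&
           DIGIT(p[7]) && DIGIT(p[8]) && p[9] == ':' && DIGIT(p[10]) &&
           DIGIT(p[11]) && p[12] == ':' && DIGIT(p[13]) && DIGIT(p[14]);
}

/* Heuristic for the root cause in the thread: a token ending in ':' or
 * containing '[' cannot be a HOSTNAME, so the sender skipped that field
 * (BSD syslogd behaviour). A bare word such as "foo" stays ambiguous
 * and is read as HOSTNAME, which is what RFC 3164 prescribes. */
static int looks_like_tag(const char *p, size_t n)
{
    return n > 0 && (p[n - 1] == ':' || memchr(p, '[', n) != NULL);
}

/* Parse "<PRI>TIMESTAMP [HOSTNAME] [TAG] CONTENT"; returns 0 or -1. */
int rfc3164_parse(const char *line, struct syslog_hdr *h)
{
    const char *p = line;
    size_t n;

    memset(h, 0, sizeof *h);
    h->pri = 13;                    /* RFC 3164 default for a missing PRI */
    if (*p == '<') {                /* PRI: one to three digits, at most <191> */
        const char *q = p + 1;
        int v = 0;
        while (DIGIT(*q) && q < p + 4)
            v = v * 10 + (*q++ - '0');
        if (q == p + 1 || *q != '>' || v > 191)
            return -1;
        h->pri = v;
        p = q + 1;
    }
    if (!valid_timestamp(p))
        return -1;
    p += 16;
    n = strcspn(p, " ");            /* first token after TIMESTAMP */
    if (n > 0 && !looks_like_tag(p, n)) {
        if (n >= FIELD_MAX)
            return -1;
        memcpy(h->hostname, p, n);
        h->hostname[n] = '\0';
        h->has_hostname = 1;
        p += n + (p[n] == ' ');
        n = strcspn(p, " ");
    }
    if (n >= FIELD_MAX)
        return -1;
    /* A message that ends right after HOSTNAME has no TAG: pass NULL, not "". */
    assign_tag(h, n > 0 ? p : NULL, n);
    p += n + (p[n] == ' ');
    h->content = p;
    return 0;
}

/* Scratch header for callers that want a one-line check. */
struct syslog_hdr hdr;
```

Feeding the two snort lines from the thread through it, "Oct 27 10:00:03 fred snort: ..." yields HOSTNAME fred and TAG snort:, while "Oct 28 07:48:38 snort: ..." yields no HOSTNAME and TAG snort:; a line ending right after the hostname yields tag_len 0 rather than a crash.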
From halljer at auburn.edu Wed Nov 9 17:53:24 2005
From: halljer at auburn.edu (Dusty Hall)
Date: Wed, 09 Nov 2005 10:53:24 -0600
Subject: [rsyslog] 1.12.0 - Seg Faults
In-Reply-To: <436B8DA5.8529.003A.0@auburn.edu>
References: <4361D92C0200003A0000098B@groupwise1.duc.auburn.edu> <1131120055.2186.66.camel@rh9lt.intern.adiscon.com> <436B8DA5.8529.003A.0@auburn.edu>
Message-ID: <4371D529.8529.003A.0@auburn.edu>

Rainer,

Thanks for the information. Do you know of any syslog daemons that
follow the correct RFC and are in the FreeBSD ports tree? If not, I'm
going the route of installing rsyslogd on the clients :). Thanks again!

-Dusty
This is something that rsyslogd currently does not do. So for the time being, the BSD syslog messages will have the TAG in the HOSTNAME field. In many cases, you can probably live with that, especially if you custom- format the templates and apply them on a per- sender basis. The other alternative is to install rsyslogd on the senders, too, because that will obviously relieve you of this issue. So, I have mixed news ;) I hope it is still useful for you. Rainer On Fri, 2005- 10- 28 at 14:54, Dusty Hall wrote: > Rainer, > > First off, I really appreciate your help with this... > > I just got through trying both ideas but neither work :(. It seg > faulted in the same place. > > I tried running the daemon a little different here and it actually > caught the name (bambam=xxx.xxx.xxx.xxx) but didn't write it to the > log, > thoughts? > > /usr/sbin/rsyslogd - d - n - r 0 - l xxx.xxx.xxx.xxx (this version has > both > revisions applied) > > Calling selet, active file descriptors (max 12): 3 12 > > Successful select, descriptor count = 1, Activity on: 12 > Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx > Message length: 47, File descriptor: 12. 
> logmsg: daemon.notice<29>, flags 2, from bambam, msg Oct 28 07:48:38 > snort: GLOBAL CONFIG > Segmentation fault > > > server messages file: > ----- > Oct 28 07:48:38 snort: Writing PID "47582" to file > "/var/run//snort_fxp0.pid" > Oct 28 07:48:38 snort: Parsing Rules file /etc/nsm/snort.conf > Oct 28 07:48:38 snort: ,----------- [Flow Config]---------------------- > Oct 28 07:48:38 snort: | Stats Interval: 0 > Oct 28 07:48:38 snort: | Hash Method: 2 > Oct 28 07:48:38 snort: | Memcap: 10485760 > Oct 28 07:48:38 snort: | Rows : 4099 > Oct 28 07:48:38 snort: | Overhead Bytes: 16400(%0.16) > Oct 28 07:48:38 snort: `---------------------------------------------- > Oct 28 07:48:38 snort: HttpInspect Config: > > > > >>> rgerhards at hq.adiscon.com 10/28/05 2:29 AM >>> > Dusty, > > after some more testing, I am now back to thinking that the printf() > is > just a cosmetic problem. The code I was suspecting to have a bug > actually is OK. > > Anyhow, could you please replace the printf at the start of logmsg(). > The new version is: > > dprintf("logmsg: %s, flags %x, from '%s', msg %s\n", > textpri(pri), flags, getRcvFrom(pMsg), msg); > > This is all on one line. Search for "logmsg:" in the code, that will > show you only the to- be- replaced line. > > I think the problem will persist after applying this patch. > > If so, I now suspect there is a problem with multithreading. It is > experimental, and that everything works well in my lab does not really > mean it will in practice. So if the bug persists, I would like you to > disable multitasking. This is easy. Just go to your Makefile and find > FEATURE_PTHREADS. Switch that from 1 to 0. Then, run > > make clean > make > make install > > After that, rsyslogd will run in single- threading mode. Please let me > know if the error then persists, too. > > Please let me know the outcome. 
> > Rainer > > On Fri, 2005- 10- 28 at 08:46, Rainer Gerhards wrote: > > Hi Dusty, > > > > I first thought this were just a cosmetic problem with the printf. > After > > some review, I think the non- parsable hostname is really causing the > > segfault. I have to admit I am a bit puzzled this did not show up > > earlier. Anyhow, I'll see that I can do something against it today. > > > > Rainer > > > > On Fri, 2005- 10- 28 at 00:07, Dusty Hall wrote: > > > I'm having a problem with rsyslogd seg faulting. The daemon > (1.12.0) is > > > running on RHEL 4 and the clients are FreeBSD 4.x & 5.x. It > doesn't > > > seem to catch the name from the clients leading to a seg fault. > Ideas, > > > workarounds? Any help would be greatly appreciated! > > > > > > > > > - Dusty > > > > > > > > > # /usr/sbin/rsyslogd - d - r 0 - n > > > ...... > > > - 1208042912: Message from UDP inetd socket: #12, host: > xxx.xxx.xxx.xxx > > > - 1208042912: Message length: 46, File descriptor: 12. > > > - 1208042912: logmsg: daemon.notice<29>, flags 2, from (null), msg > Oct 27 > > > 16:15:38 snort: GLOBAL CONFIG > > > Segmentation fault > > > > > > > > > server messages file contains: > > > ---------- > > > Oct 27 16:15:39 snort: ,----------- [Flow > Config]---------------------- > > > Oct 27 16:15:39 snort: | Stats Interval: 0 > > > Oct 27 16:15:39 snort: | Hash Method: 2 > > > Oct 27 16:15:39 snort: | Memcap: 10485760 > > > Oct 27 16:15:39 snort: | Rows : 4099 > > > Oct 27 16:15:39 snort: | Overhead Bytes: 32800(%0.31) > > > Oct 27 16:15:39 snort: > `---------------------------------------------- > > > Oct 27 16:15:39 snort: HttpInspect Config: > > > > > > > > > client messages file contains: > > > --------- > > > Oct 27 10:00:03 fred snort: ,----------- [Flow > > > Config]---------------------- > > > Oct 27 10:00:03 fred snort: | Stats Interval: 0 > > > Oct 27 10:00:03 fred snort: | Hash Method: 2 > > > Oct 27 10:00:03 fred snort: | Memcap: 10485760 > > > Oct 27 10:00:03 fred snort: | Rows : 
4099 > > > Oct 27 10:00:03 fred snort: | Overhead Bytes: 32800(%0.31) > > > Oct 27 10:00:03 fred snort: > > > `---------------------------------------------- > > > Oct 27 10:00:03 fred snort: HttpInspect Config: > > > Oct 27 10:00:03 fred snort: GLOBAL CONFIG > > > Oct 27 10:00:03 fred snort: Max Pipeline Requests: 0 > > > Oct 27 10:00:03 fred snort: Inspection Type: > STATELESS > > > Oct 27 10:00:03 fred snort: Detect Proxy Usage: NO > > > Oct 27 10:00:03 fred snort: IIS Unicode Map Filename: > > > /etc/nsm/unicode.map > > > Oct 27 10:00:03 fred snort: IIS Unicode Map Codepage: 1252 > > > Oct 27 10:00:03 fred snort: DEFAULT SERVER CONFIG: > > > > > > > > > > > > > > > > > > _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog From rgerhards at hq.adiscon.com Wed Nov 9 21:28:47 2005 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Wed, 9 Nov 2005 21:28:47 +0100 Subject: [rsyslog] 1.12.0 - Seg Faults Message-ID: <577465F99B41C842AAFBE9ED71E70ABAB690@grfint2.intern.adiscon.com> Dusty, Unfortunately, I do not know of any one. And I do not want to create a wrong impression: RFC 3164 is not a standard but rather an informational document. So nothing is haremd by not following it. The issue is "just" that without that header format we can not process it. I am currently involved in work at the IETF that struggles to get a standard RFC together. 
As it looks currently, that RFC will be very close to RFC 3164. So it is not bad to plan somewhat ahead ;) Rainer > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Dusty Hall > Sent: Wednesday, November 09, 2005 5:53 PM > To: rsyslog at lists.adiscon.com > Subject: Re: [rsyslog] 1.12.0 - Seg Faults > > > Rainer, > > Thanks for the information. Do you know of any syslog > daemons that follow the correct RFC and are in the FreeBSD > ports tree? If not, I'm going the route of installing > rsyslogd on the clients :). Thanks again! > > > -Dusty > > > >>> rgerhards at hq.adiscon.com 11/04/05 10:00 am >>> > Dusty, > > this one via the list, because it is of potential interest for others, > too. > > Finally, I found the bug. I have to admit I always thought into the > wrong direction. Now that I got that straight, it was actually easy to > spot. > > The actual cause is that there is a bug in the syslog TAG assignment > function. To fix this, search for MsgSetTag in syslogd.c. Replace it > with this code: > > static void MsgAssignTAG(struct msg *pMsg, char *pBuf) > { > assert(pMsg != NULL); > pMsg- >iLenTAG = (pBuf == NULL) ? 0 : strlen(pBuf); > pMsg- >pszTAG = pBuf; > } > > That will fix the abort. HOWEVER... the root cause (as you rightly > said > ;)) is that the BSD messages do not contain a host name. rsyslogd > parses > according to RFC 3164, where a hostname is required. That RFC is no > standard, so it is OK to send without hostname. The bad news is that > there is nothing inside the message that you can use to detect if > there > is a hostname present or not. The only solution I can think of is to > have the ability to configure custom parsers based on e.g. the message > sender. This is something that rsyslogd currently does not do. So for > the time being, the BSD syslog messages will have the TAG in the > HOSTNAME field. 
In many cases, you can probably live with that, > especially if you custom- format the templates and apply them on a > per- sender basis. The other alternative is to install rsyslogd on > the > senders, too, because that will obviously relieve you of this issue. > > So, I have mixed news ;) I hope it is still useful for you. > > Rainer > > On Fri, 2005- 10- 28 at 14:54, Dusty Hall wrote: > > Rainer, > > > > First off, I really appreciate your help with this... > > > > I just got through trying both ideas but neither work :(. It seg > > faulted in the same place. > > > > I tried running the daemon a little different here and it actually > > caught the name (bambam=xxx.xxx.xxx.xxx) but didn't write it to the > > log, > > thoughts? > > > > /usr/sbin/rsyslogd - d - n - r 0 - l xxx.xxx.xxx.xxx (this > version has > > both > > revisions applied) > > > > Calling selet, active file descriptors (max 12): 3 12 > > > > Successful select, descriptor count = 1, Activity on: 12 > > Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx > > Message length: 47, File descriptor: 12. 
> > logmsg: daemon.notice<29>, flags 2, from bambam, msg Oct 28 07:48:38 snort: GLOBAL CONFIG
> > Segmentation fault
> >
> >
> > server messages file:
> > -----
> > Oct 28 07:48:38 snort: Writing PID "47582" to file "/var/run//snort_fxp0.pid"
> > Oct 28 07:48:38 snort: Parsing Rules file /etc/nsm/snort.conf
> > Oct 28 07:48:38 snort: ,-----------[Flow Config]----------------------
> > Oct 28 07:48:38 snort: | Stats Interval: 0
> > Oct 28 07:48:38 snort: | Hash Method: 2
> > Oct 28 07:48:38 snort: | Memcap: 10485760
> > Oct 28 07:48:38 snort: | Rows : 4099
> > Oct 28 07:48:38 snort: | Overhead Bytes: 16400(%0.16)
> > Oct 28 07:48:38 snort: `----------------------------------------------
> > Oct 28 07:48:38 snort: HttpInspect Config:
> >
> >
> > >>> rgerhards at hq.adiscon.com 10/28/05 2:29 AM >>>
> > Dusty,
> >
> > after some more testing, I am now back to thinking that the printf() is just a cosmetic problem. The code I was suspecting to have a bug actually is OK.
> >
> > Anyhow, could you please replace the printf at the start of logmsg(). The new version is:
> >
> > dprintf("logmsg: %s, flags %x, from '%s', msg %s\n", textpri(pri), flags, getRcvFrom(pMsg), msg);
> >
> > This is all on one line. Search for "logmsg:" in the code, that will show you only the to-be-replaced line.
> >
> > I think the problem will persist after applying this patch.
> >
> > If so, I now suspect there is a problem with multithreading. It is experimental, and that everything works well in my lab does not really mean it will in practice. So if the bug persists, I would like you to disable multitasking. This is easy. Just go to your Makefile and find FEATURE_PTHREADS. Switch that from 1 to 0. Then, run
> >
> > make clean
> > make
> > make install
> >
> > After that, rsyslogd will run in single-threading mode. Please let me know if the error then persists, too.
> >
> > Please let me know the outcome.
> >
> > Rainer
> >
> > On Fri, 2005-10-28 at 08:46, Rainer Gerhards wrote:
> > > Hi Dusty,
> > >
> > > I first thought this were just a cosmetic problem with the printf. After some review, I think the non-parsable hostname is really causing the segfault. I have to admit I am a bit puzzled this did not show up earlier. Anyhow, I'll see that I can do something against it today.
> > >
> > > Rainer
> > >
> > > On Fri, 2005-10-28 at 00:07, Dusty Hall wrote:
> > > > I'm having a problem with rsyslogd seg faulting. The daemon (1.12.0) is running on RHEL 4 and the clients are FreeBSD 4.x & 5.x. It doesn't seem to catch the name from the clients leading to a seg fault. Ideas, workarounds? Any help would be greatly appreciated!
> > > >
> > > > -Dusty
> > > >
> > > > # /usr/sbin/rsyslogd -d -r 0 -n
> > > > ......
> > > > -1208042912: Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
> > > > -1208042912: Message length: 46, File descriptor: 12.
> > > > -1208042912: logmsg: daemon.notice<29>, flags 2, from (null), msg Oct 27 16:15:38 snort: GLOBAL CONFIG
> > > > Segmentation fault
> > > >
> > > >
> > > > server messages file contains:
> > > > ----------
> > > > Oct 27 16:15:39 snort: ,-----------[Flow Config]----------------------
> > > > Oct 27 16:15:39 snort: | Stats Interval: 0
> > > > Oct 27 16:15:39 snort: | Hash Method: 2
> > > > Oct 27 16:15:39 snort: | Memcap: 10485760
> > > > Oct 27 16:15:39 snort: | Rows : 4099
> > > > Oct 27 16:15:39 snort: | Overhead Bytes: 32800(%0.31)
> > > > Oct 27 16:15:39 snort: `----------------------------------------------
> > > > Oct 27 16:15:39 snort: HttpInspect Config:
> > > >
> > > >
> > > > client messages file contains:
> > > > ---------
> > > > Oct 27 10:00:03 fred snort: ,-----------[Flow Config]----------------------
> > > > Oct 27 10:00:03 fred snort: | Stats Interval: 0
> > > > Oct 27 10:00:03 fred snort: | Hash Method: 2
> > > > Oct 27 10:00:03 fred snort: | Memcap: 10485760
> > > > Oct 27 10:00:03 fred snort: | Rows : 4099
> > > > Oct 27 10:00:03 fred snort: | Overhead Bytes: 32800(%0.31)
> > > > Oct 27 10:00:03 fred snort: `----------------------------------------------
> > > > Oct 27 10:00:03 fred snort: HttpInspect Config:
> > > > Oct 27 10:00:03 fred snort: GLOBAL CONFIG
> > > > Oct 27 10:00:03 fred snort: Max Pipeline Requests: 0
> > > > Oct 27 10:00:03 fred snort: Inspection Type: STATELESS
> > > > Oct 27 10:00:03 fred snort: Detect Proxy Usage: NO
> > > > Oct 27 10:00:03 fred snort: IIS Unicode Map Filename: /etc/nsm/unicode.map
> > > > Oct 27 10:00:03 fred snort: IIS Unicode Map Codepage: 1252
> > > > Oct 27 10:00:03 fred snort: DEFAULT SERVER CONFIG:
> > > >
> > > > _______________________________________________
> > > > rsyslog mailing list
> > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > >
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog

From rgerhards at hq.adiscon.com Thu Nov 10 09:05:28 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 10 Nov 2005 09:05:28 +0100
Subject: [rsyslog] 1.12.0 - Seg Faults
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3DD4@grfint2.intern.adiscon.com>

Dusty,

I think I replied too soon ;) I've had another round of hard thinking on the parsing issue. Though I do not yet have anything definite, I have the impression that there is a way to make the parser smart enough to handle BSD messages. So if you can wait a little longer, it might be wise to do so...

On the route to the solution a question: The non-BSD systems you have: are they using rsyslogd or any other syslogd? Basically, I am interested to know if their messages contain the hostname and, if so, if the message was generated by rsyslog (one of the solutions I have in mind is an extension that would only work if the hostnames are only present in messages sent from rsyslog).

Feedback appreciated.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Wednesday, November 09, 2005 9:29 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] 1.12.0 - Seg Faults
>
> Dusty,
>
> Unfortunately, I do not know of any one.
> And I do not want to create a wrong impression: RFC 3164 is not a standard but rather an informational document. So nothing is harmed by not following it. The issue is "just" that without that header format we can not process it. I am currently involved in work at the IETF that struggles to get a standard RFC together. As it looks currently, that RFC will be very close to RFC 3164. So it is not bad to plan somewhat ahead ;)
>
> Rainer
> > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> >
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog

From rgerhards at hq.adiscon.com Thu Nov 10 09:38:07 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 10 Nov 2005 09:38:07 +0100
Subject: [rsyslog] 1.12.0 - Seg Faults
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA0E3DD4@grfint2.intern.adiscon.com>
References: <577465F99B41C842AAFBE9ED71E70ABA0E3DD4@grfint2.intern.adiscon.com>
Message-ID: <1131611887.2188.4.camel@rh9lt.intern.adiscon.com>

Dusty,

actually, now that I had thought about what can be done, implementing it was straightforward (surprisingly easy actually). Sometimes it pays to think a little bit harder ;)

Anyhow... While it works in my lab, there is a certain part of guesswork involved. I am not sure if it will work in your environment. I will send you an updated syslogd.c via private mail, I'd appreciate if you could give it a try.

Rainer

On Thu, 2005-11-10 at 09:05, Rainer Gerhards wrote:
> Dusty,
>
> I think I replied too soon ;) I've had another round of hard thinking on the parsing issue.
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog

From rgerhards at hq.adiscon.com Mon Nov 14 14:56:24 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 14 Nov 2005 14:56:24 +0100
Subject: [rsyslog] rsyslog 1.0.3 released (stable branch)
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3E24@grfint2.intern.adiscon.com>

Dear all,

I have just released rsyslog 1.0.3, a maintenance release for the stable branch.
It contains a number of important fixes which have been trialed in the development branch first. There are no new features. This release is meant for all those interested in keeping their stable branch rsyslogd up to date. Please note that it offers considerably fewer features than the current development branch. So this is not an update for users of the development branch.

The change log can be found at http://www.rsyslog.com/Article49.phtml

I hope this work is useful.

Rainer Gerhards

From viktorija at oic.lv Tue Nov 15 10:59:51 2005
From: viktorija at oic.lv (Viktorija)
Date: Tue, 15 Nov 2005 11:59:51 +0200
Subject: [rsyslog] logs to mysql database
Message-ID: <20051115115951.40526edc.viktorija@oic.lv>

Hello,

I am a newbie in rsyslog, so please try to understand me :)
I have the following problem/task/wish.
I want all incoming logs from servers inserted into mysql. Ok, that's not a problem, but I want to merge logs by hostname and insert each log from one hostname into a $hostname table. It is something like log sorting by hostname, only into sql tables.
I think it is possible with templates, but I am not sure.
Maybe somebody could show me the right way to do it. If it's possible, of course :)

Thanks,
Viktorija

From rgerhards at hq.adiscon.com Tue Nov 15 11:21:49 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 15 Nov 2005 11:21:49 +0100
Subject: [rsyslog] logs to mysql database
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3E31@grfint2.intern.adiscon.com>

I think it is doable, but it probably is a bit dangerous. I am also not sure if MySQL allows you to define tables named like hostnames. Could you please let me know some hostnames of yours (maybe samples, I am just interested in the actual structure) as well as some matching IP addresses. I'll then see what I can do...
Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Viktorija
> Sent: Tuesday, November 15, 2005 11:00 AM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] logs to mysql database
>
> Hello,
>
> I am a newbie in rsyslog, so please try to understand me :)
> I have the following problem/task/wish.
> I want all incoming logs from servers inserted into mysql. Ok, that's not a problem, but I want to merge logs by hostname and insert each log from one hostname into a $hostname table. It is something like log sorting by hostname, only into sql tables.
> I think it is possible with templates, but I am not sure.
> Maybe somebody could show me the right way to do it. If it's possible, of course :)
>
> Thanks,
> Viktorija
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog

From viktorija at oic.lv Tue Nov 15 11:36:40 2005
From: viktorija at oic.lv (Viktorija)
Date: Tue, 15 Nov 2005 12:36:40 +0200
Subject: [rsyslog] logs to mysql database
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA0E3E31@grfint2.intern.adiscon.com>
References: <577465F99B41C842AAFBE9ED71E70ABA0E3E31@grfint2.intern.adiscon.com>
Message-ID: <20051115123640.02ff1347.viktorija@oic.lv>

I have standard names, not something special :)
I have hostnames like: sun, liberatio, nafig, pofig, nefig and so on :)
Oh, the IP addresses are virtual, so they will not give you any additional information.
Do you think it is possible to do with templates? Or another way?

Viktorija

On Tue, 15 Nov 2005 11:21:49 +0100
"Rainer Gerhards" wrote:

> I think it is doable, but it probably is a bit dangerous. I am also not sure if MySQL allows you to define tables named like hostnames. Could you please let me know some hostnames of yours (maybe samples, I am just interested in the actual structure) as well as some matching IP addresses. I'll then see what I can do...
> 
> Rainer
> 
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com
> > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Viktorija
> > Sent: Tuesday, November 15, 2005 11:00 AM
> > To: rsyslog at lists.adiscon.com
> > Subject: [rsyslog] logs to mysql database
> > 
> > Hello,
> > 
> > am newbie in rsyslog. So please try understand me :)
> > I have following problem/task/wish.
> > I want all incoming logs from servers insert to mysql. Ok
> > that's not a problem, but i want merge logs by hostnames and
> > insert each log from one hostname to $hostname table. It is
> > something like log sorting by hostname only to sql tables.
> > I think it is possible with templates, but not sure.
> > Maybe somebody could give me a right way how to do it. If
> > it's possible of course :)
> > 
> > Thanks,
> > Viktorija

From rgerhards at hq.adiscon.com Tue Nov 15 17:32:14 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 15 Nov 2005 17:32:14 +0100
Subject: [rsyslog] 1.12.0 - Seg Faults
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3E44@grfint2.intern.adiscon.com>

An update to the mailing list: I have worked with Dusty on further improvements of the algorithm. As it looks currently, the new algo properly detects messages without hostnames in them and processes them accordingly. Currently, this functionality is only available via the CVS server. I plan to release an official package some time next week, which will then include that functionality. In the mean time, use anonymous CVS.
Rainer > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of > Rainer Gerhards > Sent: Thursday, November 10, 2005 9:38 AM > To: rsyslog-users > Subject: Re: [rsyslog] 1.12.0 - Seg Faults > > Dusty, > > actually, now that I had thought about what can be done, > implementing it > was straightforward (surprisingly easy actually). Sometimes it pays to > think a little bit harder ;) > > Anyhow... While it works in my lab, there is a certain part > of guesswork > involved. I am not sure if it will work in your environment. > I will send > you an updated syslogd.c via private mail, I'd appreciate if you could > give it a try. > > Rainer > On Thu, 2005-11-10 at 09:05, Rainer Gerhards wrote: > > Dusty, > > > > I think I replied too soon ;) I've had another round of > hard thinking on > > the parsing issue. Though I do not yet have anything > definite, I have > > the impression that there is a way to make the parser smart > enough to > > handle BSD messages. So if you can wait a little longer, it might be > > wise to do so... > > > > On the route to the solution a question: The non-BSD > systems you have: > > are they using rsyslogd or any other syslogd? Basically, I > am interested > > to know if their messages contain the hostname and, if so, if the > > message was generated by rsyslog (one of the solution I > have in mind is > > an extension that would only work if the hostnames are only > present in > > messages sent from rsyslog). > > > > Feedback appreciated. > > > > Rainer > > > > > -----Original Message----- > > > From: rsyslog-bounces at lists.adiscon.com > > > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of > > > Rainer Gerhards > > > Sent: Wednesday, November 09, 2005 9:29 PM > > > To: rsyslog-users > > > Subject: Re: [rsyslog] 1.12.0 - Seg Faults > > > > > > Dusty, > > > > > > Unfortunately, I do not know of any one. 
> > > And I do not want to create a wrong impression: RFC 3164 is not a
> > > standard but rather an informational document. So nothing is harmed
> > > by not following it. The issue is "just" that without that header
> > > format we can not process it. I am currently involved in work at the
> > > IETF that struggles to get a standard RFC together. As it looks
> > > currently, that RFC will be very close to RFC 3164. So it is not bad
> > > to plan somewhat ahead ;)
> > > 
> > > Rainer
> > > 
> > > > -----Original Message-----
> > > > From: rsyslog-bounces at lists.adiscon.com
> > > > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Dusty Hall
> > > > Sent: Wednesday, November 09, 2005 5:53 PM
> > > > To: rsyslog at lists.adiscon.com
> > > > Subject: Re: [rsyslog] 1.12.0 - Seg Faults
> > > > 
> > > > Rainer,
> > > > 
> > > > Thanks for the information. Do you know of any syslog
> > > > daemons that follow the correct RFC and are in the FreeBSD
> > > > ports tree? If not, I'm going the route of installing
> > > > rsyslogd on the clients :). Thanks again!
> > > > 
> > > > -Dusty
> > > > 
> > > > >>> rgerhards at hq.adiscon.com 11/04/05 10:00 am >>>
> > > > Dusty,
> > > > 
> > > > this one via the list, because it is of potential interest for
> > > > others, too.
> > > > 
> > > > Finally, I found the bug. I have to admit I always thought into
> > > > the wrong direction. Now that I got that straight, it was actually
> > > > easy to spot.
> > > > 
> > > > The actual cause is that there is a bug in the syslog TAG
> > > > assignment function. To fix this, search for MsgSetTag in
> > > > syslogd.c. Replace it with this code:
> > > > 
> > > > static void MsgAssignTAG(struct msg *pMsg, char *pBuf)
> > > > {
> > > >     assert(pMsg != NULL);
> > > >     pMsg->iLenTAG = (pBuf == NULL) ? 0 : strlen(pBuf);
> > > >     pMsg->pszTAG = pBuf;
> > > > }
> > > > 
> > > > That will fix the abort. HOWEVER...
> > > > the root cause (as you rightly said ;)) is that the BSD messages
> > > > do not contain a host name. rsyslogd parses according to RFC 3164,
> > > > where a hostname is required. That RFC is no standard, so it is OK
> > > > to send without hostname. The bad news is that there is nothing
> > > > inside the message that you can use to detect if there is a
> > > > hostname present or not. The only solution I can think of is to
> > > > have the ability to configure custom parsers based on e.g. the
> > > > message sender. This is something that rsyslogd currently does not
> > > > do. So for the time being, the BSD syslog messages will have the
> > > > TAG in the HOSTNAME field. In many cases, you can probably live
> > > > with that, especially if you custom-format the templates and apply
> > > > them on a per-sender basis. The other alternative is to install
> > > > rsyslogd on the senders, too, because that will obviously relieve
> > > > you of this issue.
> > > > 
> > > > So, I have mixed news ;) I hope it is still useful for you.
> > > > 
> > > > Rainer
> > > > 
> > > > On Fri, 2005-10-28 at 14:54, Dusty Hall wrote:
> > > > > Rainer,
> > > > > 
> > > > > First off, I really appreciate your help with this...
> > > > > 
> > > > > I just got through trying both ideas but neither work :(. It seg
> > > > > faulted in the same place.
> > > > > 
> > > > > I tried running the daemon a little different here and it
> > > > > actually caught the name (bambam=xxx.xxx.xxx.xxx) but didn't
> > > > > write it to the log,
> > > > > thoughts?
> > > > > 
> > > > > /usr/sbin/rsyslogd -d -n -r 0 -l xxx.xxx.xxx.xxx (this version
> > > > > has both revisions applied)
> > > > > 
> > > > > Calling selet, active file descriptors (max 12): 3 12
> > > > > 
> > > > > Successful select, descriptor count = 1, Activity on: 12
> > > > > Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
> > > > > Message length: 47, File descriptor: 12.
> > > > > logmsg: daemon.notice<29>, flags 2, from bambam, msg Oct 28 07:48:38
> > > > > snort: GLOBAL CONFIG
> > > > > Segmentation fault
> > > > > 
> > > > > 
> > > > > server messages file:
> > > > > -----
> > > > > Oct 28 07:48:38 snort: Writing PID "47582" to file
> > > > > "/var/run//snort_fxp0.pid"
> > > > > Oct 28 07:48:38 snort: Parsing Rules file /etc/nsm/snort.conf
> > > > > Oct 28 07:48:38 snort: ,-----------[Flow Config]----------------------
> > > > > Oct 28 07:48:38 snort: | Stats Interval: 0
> > > > > Oct 28 07:48:38 snort: | Hash Method: 2
> > > > > Oct 28 07:48:38 snort: | Memcap: 10485760
> > > > > Oct 28 07:48:38 snort: | Rows : 4099
> > > > > Oct 28 07:48:38 snort: | Overhead Bytes: 16400(%0.16)
> > > > > Oct 28 07:48:38 snort: `----------------------------------------------
> > > > > Oct 28 07:48:38 snort: HttpInspect Config:
> > > > > 
> > > > > 
> > > > > >>> rgerhards at hq.adiscon.com 10/28/05 2:29 AM >>>
> > > > > Dusty,
> > > > > 
> > > > > after some more testing, I am now back to thinking that the
> > > > > printf() is just a cosmetic problem. The code I was suspecting
> > > > > to have a bug actually is OK.
> > > > > 
> > > > > Anyhow, could you please replace the printf at the start of
> > > > > logmsg(). The new version is:
> > > > > 
> > > > > dprintf("logmsg: %s, flags %x, from '%s', msg %s\n",
> > > > >         textpri(pri), flags, getRcvFrom(pMsg), msg);
> > > > > 
> > > > > This is all on one line.
> > > > > Search for "logmsg:" in the code, that will show you only the
> > > > > to-be-replaced line.
> > > > > 
> > > > > I think the problem will persist after applying this patch.
> > > > > 
> > > > > If so, I now suspect there is a problem with multithreading. It is
> > > > > experimental, and that everything works well in my lab does not
> > > > > really mean it will in practice. So if the bug persists, I would
> > > > > like you to disable multitasking. This is easy. Just go to your
> > > > > Makefile and find FEATURE_PTHREADS. Switch that from 1 to 0. Then,
> > > > > run
> > > > > 
> > > > > make clean
> > > > > make
> > > > > make install
> > > > > 
> > > > > After that, rsyslogd will run in single-threading mode. Please let
> > > > > me know if the error then persists, too.
> > > > > 
> > > > > Please let me know the outcome.
> > > > > 
> > > > > Rainer
> > > > > 
> > > > > On Fri, 2005-10-28 at 08:46, Rainer Gerhards wrote:
> > > > > > Hi Dusty,
> > > > > > 
> > > > > > I first thought this were just a cosmetic problem with the
> > > > > > printf. After some review, I think the non-parsable hostname is
> > > > > > really causing the segfault. I have to admit I am a bit puzzled
> > > > > > this did not show up earlier. Anyhow, I'll see that I can do
> > > > > > something against it today.
> > > > > > 
> > > > > > Rainer
> > > > > > 
> > > > > > On Fri, 2005-10-28 at 00:07, Dusty Hall wrote:
> > > > > > > I'm having a problem with rsyslogd seg faulting. The daemon
> > > > > > > (1.12.0) is running on RHEL 4 and the clients are FreeBSD 4.x
> > > > > > > & 5.x. It doesn't seem to catch the name from the clients
> > > > > > > leading to a seg fault. Ideas, workarounds? Any help would be
> > > > > > > greatly appreciated!
> > > > > > > 
> > > > > > > -Dusty
> > > > > > > 
> > > > > > > # /usr/sbin/rsyslogd -d -r 0 -n
> > > > > > > ......
> > > > > > > -1208042912: Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
> > > > > > > -1208042912: Message length: 46, File descriptor: 12.
> > > > > > > -1208042912: logmsg: daemon.notice<29>, flags 2, from (null), msg Oct 27
> > > > > > > 16:15:38 snort: GLOBAL CONFIG
> > > > > > > Segmentation fault
> > > > > > > 
> > > > > > > 
> > > > > > > server messages file contains:
> > > > > > > ----------
> > > > > > > Oct 27 16:15:39 snort: ,-----------[Flow Config]----------------------
> > > > > > > Oct 27 16:15:39 snort: | Stats Interval: 0
> > > > > > > Oct 27 16:15:39 snort: | Hash Method: 2
> > > > > > > Oct 27 16:15:39 snort: | Memcap: 10485760
> > > > > > > Oct 27 16:15:39 snort: | Rows : 4099
> > > > > > > Oct 27 16:15:39 snort: | Overhead Bytes: 32800(%0.31)
> > > > > > > Oct 27 16:15:39 snort: `----------------------------------------------
> > > > > > > Oct 27 16:15:39 snort: HttpInspect Config:
> > > > > > > 
> > > > > > > 
> > > > > > > client messages file contains:
> > > > > > > ---------
> > > > > > > Oct 27 10:00:03 fred snort: ,-----------[Flow Config]----------------------
> > > > > > > Oct 27 10:00:03 fred snort: | Stats Interval: 0
> > > > > > > Oct 27 10:00:03 fred snort: | Hash Method: 2
> > > > > > > Oct 27 10:00:03 fred snort: | Memcap: 10485760
> > > > > > > Oct 27 10:00:03 fred snort: | Rows : 4099
> > > > > > > Oct 27 10:00:03 fred snort: | Overhead Bytes: 32800(%0.31)
> > > > > > > Oct 27 10:00:03 fred snort: `----------------------------------------------
> > > > > > > Oct 27 10:00:03 fred snort: HttpInspect Config:
> > > > > > > Oct 27 10:00:03 fred snort: GLOBAL CONFIG
> > > > > > > Oct 27 10:00:03 fred snort: Max Pipeline Requests: 0
> > > > > > > Oct 27 10:00:03 fred snort: Inspection Type: STATELESS
> > > > > > > Oct 27 10:00:03 fred snort: Detect Proxy Usage: NO
> > > > > > > Oct 27 10:00:03 fred snort: IIS Unicode Map Filename: /etc/nsm/unicode.map
> > > > > > > Oct 27 10:00:03 fred snort: IIS Unicode Map Codepage: 1252
> > > > > > > Oct 27 10:00:03 fred snort: DEFAULT SERVER CONFIG:
> > > > > > > 

From rgerhards at hq.adiscon.com Wed Nov 23 12:47:52 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 23 Nov 2005 12:47:52 +0100
Subject: [rsyslog] rsyslog 1.12.1 released
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3EF2@grfint2.intern.adiscon.com>

Hi all,

I am glad to announce rsyslog 1.12.1.
This release features a much-enhanced message parser which is capable of better understanding different syslog message formats. For example, BSD syslogd (and others) does not include a host name inside the message. With 1.12.1, an algorithm is used to detect whether or not the hostname is present and the parsed fields are adjusted accordingly. This makes it much easier to integrate rsyslogd into an environment with other syslog senders.

Also, threading support for BSD has been completed and a number of bugs have been fixed.

For users of the development branch, I suggest upgrading to this release.

The change log can be found at
http://www.rsyslog.com/Article51.phtml

The download can be found at
http://www.rsyslog.com/Downloads-index-req-getit-lid-25.phtml

I hope this work is useful,
Rainer Gerhards

From halljer at auburn.edu Wed Nov 2 16:17:30 2005
From: halljer at auburn.edu (Dusty Hall)
Date: Wed, 02 Nov 2005 09:17:30 -0600
Subject: [rsyslog] 1.12.0 - Seg Faults
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA0E3D29@grfint2.intern.adiscon.com>
References: <577465F99B41C842AAFBE9ED71E70ABA0E3D29@grfint2.intern.adiscon.com>
Message-ID: <4368842E.8529.003A.0@auburn.edu>

Rainer,

No problem. FYI, this is also happening with OpenBSD :(.

Nov 1 13:35:05 syslogd: restart
Nov 1 13:35:05 /bsd: OpenBSD 3.7 (GENERIC) #312: Mon Mar 21 00:14:33 MST 2005
--- seg faults here ---

Thanks,

-Dusty

>>> rgerhards at hq.adiscon.com 11/02/05 2:19 am >>>
Dusty,

sorry for the late reply, I actually overlooked the message :(

I think I need to set up a new lab. Looks like it actually has to do with the message content. I've no indication from the code review, but obviously there must be a bug hiding ;)

I am not sure if I can do the lab today as I am working on some really pressing things...

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Dusty Hall
> Sent: Friday, October 28, 2005 2:54 PM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] 1.12.0 - Seg Faults
> 
> Rainer,
> 
> First off, I really appreciate your help with this...
> 
> I just got through trying both ideas but neither work :(. It seg
> faulted in the same place.
> 
> I tried running the daemon a little different here and it actually
> caught the name (bambam=xxx.xxx.xxx.xxx) but didn't write it to the log,
> thoughts?
> 
> /usr/sbin/rsyslogd -d -n -r 0 -l xxx.xxx.xxx.xxx (this version has both
> revisions applied)
> 
> Calling selet, active file descriptors (max 12): 3 12
> 
> Successful select, descriptor count = 1, Activity on: 12
> Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
> Message length: 47, File descriptor: 12.
> logmsg: daemon.notice<29>, flags 2, from bambam, msg Oct 28 07:48:38
> snort: GLOBAL CONFIG
> Segmentation fault
> 
> 
> server messages file:
> -----
> Oct 28 07:48:38 snort: Writing PID "47582" to file
> "/var/run//snort_fxp0.pid"
> Oct 28 07:48:38 snort: Parsing Rules file /etc/nsm/snort.conf
> Oct 28 07:48:38 snort: ,-----------[Flow Config]----------------------
> Oct 28 07:48:38 snort: | Stats Interval: 0
> Oct 28 07:48:38 snort: | Hash Method: 2
> Oct 28 07:48:38 snort: | Memcap: 10485760
> Oct 28 07:48:38 snort: | Rows : 4099
> Oct 28 07:48:38 snort: | Overhead Bytes: 16400(%0.16)
> Oct 28 07:48:38 snort: `----------------------------------------------
> Oct 28 07:48:38 snort: HttpInspect Config:
> 
> 
> >>> rgerhards at hq.adiscon.com 10/28/05 2:29 AM >>>
> Dusty,
> 
> after some more testing, I am now back to thinking that the printf() is
> just a cosmetic problem. The code I was suspecting to have a bug
> actually is OK.
> 
> Anyhow, could you please replace the printf at the start of logmsg().
> The new version is:
> 
> dprintf("logmsg: %s, flags %x, from '%s', msg %s\n",
>         textpri(pri), flags, getRcvFrom(pMsg), msg);
> 
> This is all on one line. Search for "logmsg:" in the code, that will
> show you only the to-be-replaced line.
> 
> I think the problem will persist after applying this patch.
> 
> If so, I now suspect there is a problem with multithreading. It is
> experimental, and that everything works well in my lab does not really
> mean it will in practice. So if the bug persists, I would like you to
> disable multitasking. This is easy. Just go to your Makefile and find
> FEATURE_PTHREADS. Switch that from 1 to 0.
> Then, run
> 
> make clean
> make
> make install
> 
> After that, rsyslogd will run in single-threading mode. Please let me
> know if the error then persists, too.
> 
> Please let me know the outcome.
> 
> Rainer
> 
> On Fri, 2005-10-28 at 08:46, Rainer Gerhards wrote:
> > Hi Dusty,
> > 
> > I first thought this were just a cosmetic problem with the printf.
> > After some review, I think the non-parsable hostname is really causing
> > the segfault. I have to admit I am a bit puzzled this did not show up
> > earlier. Anyhow, I'll see that I can do something against it today.
> > 
> > Rainer
> > 
> > On Fri, 2005-10-28 at 00:07, Dusty Hall wrote:
> > > I'm having a problem with rsyslogd seg faulting. The daemon
> > > (1.12.0) is running on RHEL 4 and the clients are FreeBSD 4.x & 5.x.
> > > It doesn't seem to catch the name from the clients leading to a seg
> > > fault. Ideas, workarounds? Any help would be greatly appreciated!
> > > 
> > > -Dusty
> > > 
> > > # /usr/sbin/rsyslogd -d -r 0 -n
> > > ......
> > > -1208042912: Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
> > > -1208042912: Message length: 46, File descriptor: 12.
> > > -1208042912: logmsg: daemon.notice<29>, flags 2, from (null), msg Oct 27
> > > 16:15:38 snort: GLOBAL CONFIG
> > > Segmentation fault
> > > 
> > > 
> > > server messages file contains:
> > > ----------
> > > Oct 27 16:15:39 snort: ,-----------[Flow Config]----------------------
> > > Oct 27 16:15:39 snort: | Stats Interval: 0
> > > Oct 27 16:15:39 snort: | Hash Method: 2
> > > Oct 27 16:15:39 snort: | Memcap: 10485760
> > > Oct 27 16:15:39 snort: | Rows : 4099
> > > Oct 27 16:15:39 snort: | Overhead Bytes: 32800(%0.31)
> > > Oct 27 16:15:39 snort: `----------------------------------------------
> > > Oct 27 16:15:39 snort: HttpInspect Config:
> > > 
> > > 
> > > client messages file contains:
> > > ---------
> > > Oct 27 10:00:03 fred snort: ,-----------[Flow Config]----------------------
> > > Oct 27 10:00:03 fred snort: | Stats Interval: 0
> > > Oct 27 10:00:03 fred snort: | Hash Method: 2
> > > Oct 27 10:00:03 fred snort: | Memcap: 10485760
> > > Oct 27 10:00:03 fred snort: | Rows : 4099
> > > Oct 27 10:00:03 fred snort: | Overhead Bytes: 32800(%0.31)
> > > Oct 27 10:00:03 fred snort: `----------------------------------------------
> > > Oct 27 10:00:03 fred snort: HttpInspect Config:
> > > Oct 27 10:00:03 fred snort: GLOBAL CONFIG
> > > Oct 27 10:00:03 fred snort: Max Pipeline Requests: 0
> > > Oct 27 10:00:03 fred snort: Inspection Type: STATELESS
> > > Oct 27 10:00:03 fred snort: Detect Proxy Usage: NO
> > > Oct 27 10:00:03 fred snort: IIS Unicode Map Filename: /etc/nsm/unicode.map
> > > Oct 27 10:00:03 fred snort: IIS Unicode Map Codepage: 1252
> > > Oct 27 10:00:03 fred snort: DEFAULT SERVER CONFIG:
> > > 
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog

From rgerhards at hq.adiscon.com Fri Nov 4 17:00:56 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 04 Nov 2005 17:00:56 +0100
Subject: [rsyslog] 1.12.0 - Seg Faults
In-Reply-To: <4361D92C0200003A0000098B@groupwise1.duc.auburn.edu>
References: <4361D92C0200003A0000098B@groupwise1.duc.auburn.edu>
Message-ID: <1131120055.2186.66.camel@rh9lt.intern.adiscon.com>

Dusty,

this one via the list, because it is of potential interest for others, too.

Finally, I found the bug. I have to admit I always thought in the wrong direction. Now that I got that straight, it was actually easy to spot.

The actual cause is that there is a bug in the syslog TAG assignment function. To fix this, search for MsgSetTag in syslogd.c. Replace it with this code:

static void MsgAssignTAG(struct msg *pMsg, char *pBuf)
{
    assert(pMsg != NULL);
    /* pBuf may be NULL (no TAG); never call strlen() on a NULL pointer */
    pMsg->iLenTAG = (pBuf == NULL) ? 0 : strlen(pBuf);
    pMsg->pszTAG = pBuf;
}

That will fix the abort. HOWEVER... the root cause (as you rightly said ;)) is that the BSD messages do not contain a host name. rsyslogd parses according to RFC 3164, where a hostname is required. That RFC is no standard, so it is OK to send without hostname. The bad news is that there is nothing inside the message that you can use to detect if there is a hostname present or not. The only solution I can think of is to have the ability to configure custom parsers based on e.g. the message sender. This is something that rsyslogd currently does not do. So for the time being, the BSD syslog messages will have the TAG in the HOSTNAME field.
In many cases, you can probably live with that, especially if you custom-format the templates and apply them on a per-sender basis. The other alternative is to install rsyslogd on the senders, too, because that will obviously relieve you of this issue. So, I have mixed news ;) I hope it is still useful for you. Rainer On Fri, 2005-10-28 at 14:54, Dusty Hall wrote: > Rainer, > > First off, I really appreciate your help with this... > > I just got through trying both ideas but neither work :(. It seg > faulted in the same place. > > I tried running the daemon a little different here and it actually > caught the name (bambam=xxx.xxx.xxx.xxx) but didn't write it to the > log, > thoughts? > > /usr/sbin/rsyslogd -d -n -r 0 -l xxx.xxx.xxx.xxx (this version has > both > revisions applied) > > Calling selet, active file descriptors (max 12): 3 12 > > Successful select, descriptor count = 1, Activity on: 12 > Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx > Message length: 47, File descriptor: 12. > logmsg: daemon.notice<29>, flags 2, from bambam, msg Oct 28 07:48:38 > snort: GLOBAL CONFIG > Segmentation fault > > > server messages file: > ----- > Oct 28 07:48:38 snort: Writing PID "47582" to file > "/var/run//snort_fxp0.pid" > Oct 28 07:48:38 snort: Parsing Rules file /etc/nsm/snort.conf > Oct 28 07:48:38 snort: ,-----------[Flow Config]---------------------- > Oct 28 07:48:38 snort: | Stats Interval: 0 > Oct 28 07:48:38 snort: | Hash Method: 2 > Oct 28 07:48:38 snort: | Memcap: 10485760 > Oct 28 07:48:38 snort: | Rows : 4099 > Oct 28 07:48:38 snort: | Overhead Bytes: 16400(%0.16) > Oct 28 07:48:38 snort: `---------------------------------------------- > Oct 28 07:48:38 snort: HttpInspect Config: > > > > >>> rgerhards at hq.adiscon.com 10/28/05 2:29 AM >>> > Dusty, > > after some more testing, I am now back to thinking that the printf() > is > just a cosmetic problem. The code I was suspecting to have a bug > actually is OK. 
> On Fri, 2005-10-28 at 08:46, Rainer Gerhards wrote:
> > Hi Dusty,
> >
> > I first thought this was just a cosmetic problem with the printf. After
> > some review, I think the non-parsable hostname is really causing the
> > segfault. I have to admit I am a bit puzzled this did not show up
> > earlier. Anyhow, I'll see that I can do something against it today.
> >
> > Rainer
> >
> > On Fri, 2005-10-28 at 00:07, Dusty Hall wrote:
> > > I'm having a problem with rsyslogd seg faulting. The daemon (1.12.0) is
> > > running on RHEL 4 and the clients are FreeBSD 4.x & 5.x. It doesn't
> > > seem to catch the name from the clients leading to a seg fault. Ideas,
> > > workarounds? Any help would be greatly appreciated!
> > >
> > > -Dusty
> > >
> > > # /usr/sbin/rsyslogd -d -r 0 -n
> > > ......
> > > -1208042912: Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
> > > -1208042912: Message length: 46, File descriptor: 12.
> > > -1208042912: logmsg: daemon.notice<29>, flags 2, from (null), msg Oct 27 16:15:38 snort: GLOBAL CONFIG
> > > Segmentation fault
> > >
> > > server messages file contains:
> > > ----------
> > > Oct 27 16:15:39 snort: ,-----------[Flow Config]----------------------
> > > Oct 27 16:15:39 snort: | Stats Interval: 0
> > > Oct 27 16:15:39 snort: | Hash Method: 2
> > > Oct 27 16:15:39 snort: | Memcap: 10485760
> > > Oct 27 16:15:39 snort: | Rows : 4099
> > > Oct 27 16:15:39 snort: | Overhead Bytes: 32800(%0.31)
> > > Oct 27 16:15:39 snort: `----------------------------------------------
> > > Oct 27 16:15:39 snort: HttpInspect Config:
> > >
> > > client messages file contains:
> > > ---------
> > > Oct 27 10:00:03 fred snort: ,-----------[Flow Config]----------------------
> > > Oct 27 10:00:03 fred snort: | Stats Interval: 0
> > > Oct 27 10:00:03 fred snort: | Hash Method: 2
> > > Oct 27 10:00:03 fred snort: | Memcap: 10485760
> > > Oct 27 10:00:03 fred snort: | Rows : 4099
> > > Oct 27 10:00:03 fred snort: | Overhead Bytes: 32800(%0.31)
> > > Oct 27 10:00:03 fred snort: `----------------------------------------------
> > > Oct 27 10:00:03 fred snort: HttpInspect Config:
> > > Oct 27 10:00:03 fred snort: GLOBAL CONFIG
> > > Oct 27 10:00:03 fred snort: Max Pipeline Requests: 0
> > > Oct 27 10:00:03 fred snort: Inspection Type: STATELESS
> > > Oct 27 10:00:03 fred snort: Detect Proxy Usage: NO
> > > Oct 27 10:00:03 fred snort: IIS Unicode Map Filename: /etc/nsm/unicode.map
> > > Oct 27 10:00:03 fred snort: IIS Unicode Map Codepage: 1252
> > > Oct 27 10:00:03 fred snort: DEFAULT SERVER CONFIG:
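The parsing situation Rainer describes in his Nov 4 message above, as an added example that is neither rsyslog's code nor the MsgAssignTAG patch he posted: a minimal RFC 3164 header splitter that shows why a FreeBSD message without a HOSTNAME field gets its TAG parsed as the hostname, together with a NULL-safe tag assignment. The names struct hdr, take_token, parse_rfc3164 and assign_tag are hypothetical, and the sample lines are constructed from the FreeBSD and Linux log lines in the thread.

```c
/* Added example (not rsyslog's code and not the MsgAssignTAG patch above):
 * a minimal RFC 3164 header splitter showing why a BSD message that omits
 * HOSTNAME gets its TAG parsed as the hostname, plus a NULL-safe tag
 * assignment. struct hdr, take_token, parse_rfc3164 and assign_tag are
 * hypothetical names chosen for this example. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct hdr {
    int pri;
    char timestamp[16];     /* "Mmm dd hh:mm:ss" is exactly 15 bytes */
    char hostname[64];
    char tag[64];
    const char *msg;        /* remainder after the TAG, "" if none */
    int tag_len;            /* plays the role of pMsg->iLenTAG */
};

/* NULL-safe tag assignment: a missing tag yields length 0 instead of
 * calling strlen(NULL), which is the abort the 1.12.0 fix addresses. */
static void assign_tag(struct hdr *h, const char *tag)
{
    assert(h != NULL);
    h->tag_len = (tag == NULL) ? 0 : (int)strlen(tag);
    snprintf(h->tag, sizeof h->tag, "%s", tag == NULL ? "" : tag);
}

/* Copy the next space-delimited token from *p into dst and advance *p.
 * Returns 0 (and dst = "") when no token is left. */
static int take_token(const char **p, char *dst, size_t dstsz)
{
    const char *s = *p;
    size_t n = 0;
    while (*s == ' ') s++;
    while (s[n] != '\0' && s[n] != ' ') n++;
    if (n >= dstsz) n = dstsz - 1;
    memcpy(dst, s, n);
    dst[n] = '\0';
    *p = s + n;
    return n > 0;
}

/* Split "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: CONTENT" exactly as RFC 3164
 * lays it out. Returns 0 on a malformed PRI or TIMESTAMP, 1 otherwise. */
static int parse_rfc3164(const char *line, struct hdr *h)
{
    const char *p = line;
    char *end, *colon, tag[64];

    memset(h, 0, sizeof *h);
    if (*p != '<') return 0;
    h->pri = (int)strtol(p + 1, &end, 10);
    if (end == p + 1 || *end != '>') return 0;
    p = end + 1;

    /* TIMESTAMP is fixed width, so it can be checked positionally. */
    if (strlen(p) < 15 || p[3] != ' ' || p[6] != ' ' ||
        (p[15] != ' ' && p[15] != '\0'))
        return 0;
    memcpy(h->timestamp, p, 15);
    h->timestamp[15] = '\0';
    p += 15;

    /* The next token is taken as HOSTNAME unconditionally: nothing in the
     * message tells the parser whether the sender included one, so a
     * FreeBSD "snort:" lands here and "GLOBAL" becomes the TAG. */
    take_token(&p, h->hostname, sizeof h->hostname);

    if (take_token(&p, tag, sizeof tag)) {
        if ((colon = strchr(tag, ':')) != NULL)
            *colon = '\0';          /* keep the process name only */
        assign_tag(h, tag);
    } else {
        assign_tag(h, NULL);        /* header ends after HOSTNAME: no TAG */
    }
    while (*p == ' ') p++;
    h->msg = p;
    return 1;
}

int main(void)
{
    /* Constructed inputs modelled on the FreeBSD and Linux lines in the thread. */
    const char *bsd = "<29>Oct 28 07:48:38 snort: GLOBAL CONFIG";
    const char *lnx = "<29>Oct 27 10:00:03 fred snort: GLOBAL CONFIG";
    struct hdr h;

    if (parse_rfc3164(bsd, &h))
        printf("BSD:   host='%s' tag='%s' msg='%s'\n", h.hostname, h.tag, h.msg);
    if (parse_rfc3164(lnx, &h))
        printf("Linux: host='%s' tag='%s' msg='%s'\n", h.hostname, h.tag, h.msg);
    return 0;
}
```

The BSD line parses without crashing but with "snort:" in the hostname slot and "GLOBAL" as the TAG, which is exactly the field shift Rainer describes; only a per-sender parser choice could tell the two layouts apart.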
From halljer at auburn.edu Wed Nov 9 17:53:24 2005
From: halljer at auburn.edu (Dusty Hall)
Date: Wed, 09 Nov 2005 10:53:24 -0600
Subject: [rsyslog] 1.12.0 - Seg Faults
In-Reply-To: <436B8DA5.8529.003A.0@auburn.edu>
References: <4361D92C0200003A0000098B@groupwise1.duc.auburn.edu> <1131120055.2186.66.camel@rh9lt.intern.adiscon.com> <436B8DA5.8529.003A.0@auburn.edu>
Message-ID: <4371D529.8529.003A.0@auburn.edu>

Rainer,

Thanks for the information. Do you know of any syslog daemons that follow the correct RFC and are in the FreeBSD ports tree? If not, I'm going the route of installing rsyslogd on the clients :). Thanks again!

-Dusty

>>> rgerhards at hq.adiscon.com 11/04/05 10:00 am >>>
From rgerhards at hq.adiscon.com Wed Nov 9 21:28:47 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 9 Nov 2005 21:28:47 +0100
Subject: [rsyslog] 1.12.0 - Seg Faults
Message-ID: <577465F99B41C842AAFBE9ED71E70ABAB690@grfint2.intern.adiscon.com>

Dusty,

Unfortunately, I do not know of any. And I do not want to create a wrong impression: RFC 3164 is not a standard but rather an informational document. So nothing is harmed by not following it. The issue is "just" that without that header format we can not process it. I am currently involved in work at the IETF that struggles to get a standard RFC together.
As it looks currently, that RFC will be very close to RFC 3164. So it is not bad to plan somewhat ahead ;)

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Dusty Hall
> Sent: Wednesday, November 09, 2005 5:53 PM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] 1.12.0 - Seg Faults
From rgerhards at hq.adiscon.com Thu Nov 10 09:05:28 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 10 Nov 2005 09:05:28 +0100
Subject: [rsyslog] 1.12.0 - Seg Faults
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3DD4@grfint2.intern.adiscon.com>

Dusty,

I think I replied too soon ;) I've had another round of hard thinking on the parsing issue. Though I do not yet have anything definite, I have the impression that there is a way to make the parser smart enough to handle BSD messages. So if you can wait a little longer, it might be wise to do so...

On the route to the solution a question: The non-BSD systems you have: are they using rsyslogd or any other syslogd? Basically, I am interested to know if their messages contain the hostname and, if so, if the message was generated by rsyslog (one of the solutions I have in mind is an extension that would only work if the hostnames are only present in messages sent from rsyslog).

Feedback appreciated.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Wednesday, November 09, 2005 9:29 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] 1.12.0 - Seg Faults
From rgerhards at hq.adiscon.com Thu Nov 10 09:38:07 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 10 Nov 2005 09:38:07 +0100
Subject: [rsyslog] 1.12.0 - Seg Faults
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA0E3DD4@grfint2.intern.adiscon.com>
References: <577465F99B41C842AAFBE9ED71E70ABA0E3DD4@grfint2.intern.adiscon.com>
Message-ID: <1131611887.2188.4.camel@rh9lt.intern.adiscon.com>

Dusty,

actually, now that I had thought about what can be done, implementing it was straightforward (surprisingly easy actually). Sometimes it pays to think a little bit harder ;) Anyhow...

While it works in my lab, there is a certain part of guesswork involved. I am not sure if it will work in your environment. I will send you an updated syslogd.c via private mail, I'd appreciate if you could give it a try.

Rainer

On Thu, 2005-11-10 at 09:05, Rainer Gerhards wrote:
> Though I do not yet have anything definite, I have
> the impression that there is a way to make the parser smart enough to
> handle BSD messages. So if you can wait a little longer, it might be
> wise to do so...
>
> On the route to the solution a question: The non-BSD systems you have:
> are they using rsyslogd or any other syslogd? Basically, I am interested
> to know if their messages contain the hostname and, if so, if the
> message was generated by rsyslog (one of the solutions I have in mind is
> an extension that would only work if the hostnames are only present in
> messages sent from rsyslog).
>
> Feedback appreciated.
>
> Rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com
> > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> > Sent: Wednesday, November 09, 2005 9:29 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] 1.12.0 - Seg Faults
> >
> > Dusty,
> >
> > Unfortunately, I do not know of anyone. And I do not want to create a
> > wrong impression: RFC 3164 is not a standard but rather an informational
> > document. So nothing is harmed by not following it. The issue is "just"
> > that without that header format we can not process it. I am currently
> > involved in work at the IETF that struggles to get a standard RFC
> > together. As it looks currently, that RFC will be very close to RFC
> > 3164. So it is not bad to plan somewhat ahead ;)
> >
> > Rainer
> >
> > > -----Original Message-----
> > > From: rsyslog-bounces at lists.adiscon.com
> > > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Dusty Hall
> > > Sent: Wednesday, November 09, 2005 5:53 PM
> > > To: rsyslog at lists.adiscon.com
> > > Subject: Re: [rsyslog] 1.12.0 - Seg Faults
> > >
> > > Rainer,
> > >
> > > Thanks for the information. Do you know of any syslog
> > > daemons that follow the correct RFC and are in the FreeBSD
> > > ports tree?
> > > If not, I'm going the route of installing
> > > rsyslogd on the clients :). Thanks again!
> > >
> > > -Dusty
> > >
> > > >>> rgerhards at hq.adiscon.com 11/04/05 10:00 am >>>
> > > Dusty,
> > >
> > > this one via the list, because it is of potential interest for others,
> > > too.
> > >
> > > Finally, I found the bug. I have to admit I always thought into the
> > > wrong direction. Now that I got that straight, it was actually easy to
> > > spot.
> > >
> > > The actual cause is that there is a bug in the syslog TAG assignment
> > > function. To fix this, search for MsgSetTag in syslogd.c. Replace it
> > > with this code:
> > >
> > > static void MsgAssignTAG(struct msg *pMsg, char *pBuf)
> > > {
> > >     assert(pMsg != NULL);
> > >     pMsg->iLenTAG = (pBuf == NULL) ? 0 : strlen(pBuf);
> > >     pMsg->pszTAG = pBuf;
> > > }
> > >
> > > That will fix the abort. HOWEVER... the root cause (as you rightly said
> > > ;)) is that the BSD messages do not contain a host name. rsyslogd parses
> > > according to RFC 3164, where a hostname is required. That RFC is no
> > > standard, so it is OK to send without hostname. The bad news is that
> > > there is nothing inside the message that you can use to detect if there
> > > is a hostname present or not. The only solution I can think of is to
> > > have the ability to configure custom parsers based on e.g. the message
> > > sender. This is something that rsyslogd currently does not do. So for
> > > the time being, the BSD syslog messages will have the TAG in the
> > > HOSTNAME field. In many cases, you can probably live with that,
> > > especially if you custom-format the templates and apply them on a
> > > per-sender basis. The other alternative is to install rsyslogd on the
> > > senders, too, because that will obviously relieve you of this issue.
> > >
> > > So, I have mixed news ;) I hope it is still useful for you.
> > >
> > > Rainer
> > >
> > > [...]

From rgerhards at hq.adiscon.com Mon Nov 14 14:56:24 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 14 Nov 2005 14:56:24 +0100
Subject: [rsyslog] rsyslog 1.0.3 released (stable branch)
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3E24@grfint2.intern.adiscon.com>

Dear all,

I have just released rsyslog 1.0.3, a maintenance release for the stable branch.
It contains a number of important fixes which have been trialed in the
development branch first. There are no new features. This release is
meant for all those interested in keeping their stable branch rsyslogd
up to date. Please note that it does offer considerably fewer features
than the current development branch. So this is not an update for users
of the development branch.

The change log can be found at

http://www.rsyslog.com/Article49.phtml

I hope this work is useful.

Rainer Gerhards

From viktorija at oic.lv Tue Nov 15 10:59:51 2005
From: viktorija at oic.lv (Viktorija)
Date: Tue, 15 Nov 2005 11:59:51 +0200
Subject: [rsyslog] logs to mysql database
Message-ID: <20051115115951.40526edc.viktorija@oic.lv>

Hello,

I am a newbie in rsyslog. So please try to understand me :)
I have the following problem/task/wish.
I want all incoming logs from servers inserted into mysql. OK, that's
not a problem, but I want to merge logs by hostname and insert each log
from one hostname into a $hostname table. It is something like log
sorting by hostname, only to sql tables.
I think it is possible with templates, but I'm not sure.
Maybe somebody could give me the right way how to do it. If it's
possible of course :)

Thanks,
Viktorija

From rgerhards at hq.adiscon.com Tue Nov 15 11:21:49 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 15 Nov 2005 11:21:49 +0100
Subject: [rsyslog] logs to mysql database
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3E31@grfint2.intern.adiscon.com>

I think it is doable, but it probably is a bit dangerous. I am also not
sure if MySQL allows you to define tables named like hostnames. Could
you please let me know some hostnames of yours (maybe samples, I am just
interested in the actual structure) as well as some matching IP
addresses. I'll then see what I can do...
Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Viktorija
> Sent: Tuesday, November 15, 2005 11:00 AM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] logs to mysql database
>
> Hello,
>
> I am a newbie in rsyslog. So please try to understand me :)
> I have the following problem/task/wish.
> I want all incoming logs from servers inserted into mysql. OK, that's
> not a problem, but I want to merge logs by hostname and insert each log
> from one hostname into a $hostname table. It is something like log
> sorting by hostname, only to sql tables.
> I think it is possible with templates, but I'm not sure.
> Maybe somebody could give me the right way how to do it. If it's
> possible of course :)
>
> Thanks,
> Viktorija

From viktorija at oic.lv Tue Nov 15 11:36:40 2005
From: viktorija at oic.lv (Viktorija)
Date: Tue, 15 Nov 2005 12:36:40 +0200
Subject: [rsyslog] logs to mysql database
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA0E3E31@grfint2.intern.adiscon.com>
References: <577465F99B41C842AAFBE9ED71E70ABA0E3E31@grfint2.intern.adiscon.com>
Message-ID: <20051115123640.02ff1347.viktorija@oic.lv>

I have standard names, not something special :)
I have hostnames like: sun, liberatio, nafig, pofig, nefig and so on :)
Oh, the IP addresses are virtual, so they will not give you any
additional information.
Do you think it is possible to do with templates? Or another way?

Viktorija

On Tue, 15 Nov 2005 11:21:49 +0100
"Rainer Gerhards" wrote:

> I think it is doable, but it probably is a bit dangerous. I am also not
> sure if MySQL allows you to define tables named like hostnames. Could
> you please let me know some hostnames of yours (maybe samples, I am just
> interested in the actual structure) as well as some matching IP
> addresses. I'll then see what I can do...
>
> Rainer
>
> > [...]

From rgerhards at hq.adiscon.com Tue Nov 15 17:32:14 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 15 Nov 2005 17:32:14 +0100
Subject: [rsyslog] 1.12.0 - Seg Faults
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3E44@grfint2.intern.adiscon.com>

An update to the mailing list:

I have worked with Dusty on further improvements of the algorithm. As it
looks currently, the new algo properly detects messages without
hostnames in them and processes them accordingly. Currently, this
functionality is only available via the CVS server. I plan to release an
official package some time next week, which will then include that
functionality. In the meantime, use anonymous CVS.
Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Thursday, November 10, 2005 9:38 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] 1.12.0 - Seg Faults
>
> Dusty,
>
> actually, now that I had thought about what can be done, implementing it
> was straightforward (surprisingly easy actually). Sometimes it pays to
> think a little bit harder ;)
>
> Anyhow... While it works in my lab, there is a certain part of guesswork
> involved. I am not sure if it will work in your environment. I will send
> you an updated syslogd.c via private mail, I'd appreciate if you could
> give it a try.
>
> Rainer
>
> On Thu, 2005-11-10 at 09:05, Rainer Gerhards wrote:
> > [...]

From rgerhards at hq.adiscon.com Wed Nov 23 12:47:52 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 23 Nov 2005 12:47:52 +0100
Subject: [rsyslog] rsyslog 1.12.1 released
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3EF2@grfint2.intern.adiscon.com>

Hi all,

I am glad to announce rsyslog 1.12.1.
This release features a much-enhanced message parser which is capable of
better understanding different syslog message formats. For example, BSD
syslogd (and others) does not include a host name inside the message. With
1.12.1, an algorithm is used to detect whether or not the hostname is
present and the parsed fields are adjusted accordingly. This makes it much
easier to integrate rsyslogd into an environment with other syslog senders.

Also, threading support for BSD has been completed and a number of bugs
have been fixed. For users of the development branch, I suggest upgrading
to this release.

The change log can be found at
http://www.rsyslog.com/Article51.phtml

The download can be found at
http://www.rsyslog.com/Downloads-index-req-getit-lid-25.phtml

I hope this work is useful,
Rainer Gerhards

From rgerhards at hq.adiscon.com Wed Nov 2 09:19:39 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 2 Nov 2005 09:19:39 +0100
Subject: [rsyslog] 1.12.0 - Seg Faults
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3D29@grfint2.intern.adiscon.com>

Dusty,

sorry for the late reply, I actually overlooked the message :(

I think I need to set up a new lab. Looks like it actually has to do with
the message content. I've no indication from the code review, but
obviously there must be a bug hiding ;)

I am not sure if I can do the lab today as I am working on some really
pressing things...

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Dusty Hall
> Sent: Friday, October 28, 2005 2:54 PM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] 1.12.0 - Seg Faults
>
> Rainer,
>
> First off, I really appreciate your help with this...
>
> I just got through trying both ideas but neither work :(. It seg
> faulted in the same place.
>
> I tried running the daemon a little different here and it actually
> caught the name (bambam=xxx.xxx.xxx.xxx) but didn't write it to the log,
> thoughts?
>
> /usr/sbin/rsyslogd -d -n -r 0 -l xxx.xxx.xxx.xxx (this version has both
> revisions applied)
>
> Calling selet, active file descriptors (max 12): 3 12
>
> Successful select, descriptor count = 1, Activity on: 12
> Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
> Message length: 47, File descriptor: 12.
> logmsg: daemon.notice<29>, flags 2, from bambam, msg Oct 28 07:48:38
> snort: GLOBAL CONFIG
> Segmentation fault
>
>
> server messages file:
> -----
> Oct 28 07:48:38 snort: Writing PID "47582" to file "/var/run//snort_fxp0.pid"
> Oct 28 07:48:38 snort: Parsing Rules file /etc/nsm/snort.conf
> Oct 28 07:48:38 snort: ,-----------[Flow Config]----------------------
> Oct 28 07:48:38 snort: | Stats Interval: 0
> Oct 28 07:48:38 snort: | Hash Method: 2
> Oct 28 07:48:38 snort: | Memcap: 10485760
> Oct 28 07:48:38 snort: | Rows : 4099
> Oct 28 07:48:38 snort: | Overhead Bytes: 16400(%0.16)
> Oct 28 07:48:38 snort: `----------------------------------------------
> Oct 28 07:48:38 snort: HttpInspect Config:
>
>
>
> >>> rgerhards at hq.adiscon.com 10/28/05 2:29 AM >>>
> Dusty,
>
> after some more testing, I am now back to thinking that the printf() is
> just a cosmetic problem. The code I was suspecting to have a bug
> actually is OK.
>
> Anyhow, could you please replace the printf at the start of logmsg().
> The new version is:
>
> dprintf("logmsg: %s, flags %x, from '%s', msg %s\n", textpri(pri), flags, getRcvFrom(pMsg), msg);
>
> This is all on one line. Search for "logmsg:" in the code, that will
> show you only the to-be-replaced line.
>
> I think the problem will persist after applying this patch.
>
> If so, I now suspect there is a problem with multithreading. It is
> experimental, and that everything works well in my lab does not really
> mean it will in practice. So if the bug persists, I would like you to
> disable multitasking. This is easy. Just go to your Makefile and find
> FEATURE_PTHREADS. Switch that from 1 to 0. Then, run
>
> make clean
> make
> make install
>
> After that, rsyslogd will run in single-threading mode. Please let me
> know if the error then persists, too.
>
> Please let me know the outcome.
>
> Rainer
>
> On Fri, 2005-10-28 at 08:46, Rainer Gerhards wrote:
> > Hi Dusty,
> >
> > I first thought this was just a cosmetic problem with the printf. After
> > some review, I think the non-parsable hostname is really causing the
> > segfault. I have to admit I am a bit puzzled this did not show up
> > earlier. Anyhow, I'll see that I can do something against it today.
> >
> > Rainer
> >
> > On Fri, 2005-10-28 at 00:07, Dusty Hall wrote:
> > > I'm having a problem with rsyslogd seg faulting. The daemon (1.12.0) is
> > > running on RHEL 4 and the clients are FreeBSD 4.x & 5.x. It doesn't
> > > seem to catch the name from the clients leading to a seg fault. Ideas,
> > > workarounds? Any help would be greatly appreciated!
> > >
> > >
> > > -Dusty
> > >
> > >
> > > # /usr/sbin/rsyslogd -d -r 0 -n
> > > ......
> > > -1208042912: Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
> > > -1208042912: Message length: 46, File descriptor: 12.
> > > -1208042912: logmsg: daemon.notice<29>, flags 2, from (null), msg Oct 27
> > > 16:15:38 snort: GLOBAL CONFIG
> > > Segmentation fault
> > >
> > >
> > > server messages file contains:
> > > ----------
> > > Oct 27 16:15:39 snort: ,-----------[Flow Config]----------------------
> > > Oct 27 16:15:39 snort: | Stats Interval: 0
> > > Oct 27 16:15:39 snort: | Hash Method: 2
> > > Oct 27 16:15:39 snort: | Memcap: 10485760
> > > Oct 27 16:15:39 snort: | Rows : 4099
> > > Oct 27 16:15:39 snort: | Overhead Bytes: 32800(%0.31)
> > > Oct 27 16:15:39 snort: `----------------------------------------------
> > > Oct 27 16:15:39 snort: HttpInspect Config:
> > >
> > >
> > > client messages file contains:
> > > ---------
> > > Oct 27 10:00:03 fred snort: ,-----------[Flow Config]----------------------
> > > Oct 27 10:00:03 fred snort: | Stats Interval: 0
> > > Oct 27 10:00:03 fred snort: | Hash Method: 2
> > > Oct 27 10:00:03 fred snort: | Memcap: 10485760
> > > Oct 27 10:00:03 fred snort: | Rows : 4099
> > > Oct 27 10:00:03 fred snort: | Overhead Bytes: 32800(%0.31)
> > > Oct 27 10:00:03 fred snort: `----------------------------------------------
> > > Oct 27 10:00:03 fred snort: HttpInspect Config:
> > > Oct 27 10:00:03 fred snort: GLOBAL CONFIG
> > > Oct 27 10:00:03 fred snort: Max Pipeline Requests: 0
> > > Oct 27 10:00:03 fred snort: Inspection Type: STATELESS
> > > Oct 27 10:00:03 fred snort: Detect Proxy Usage: NO
> > > Oct 27 10:00:03 fred snort: IIS Unicode Map Filename: /etc/nsm/unicode.map
> > > Oct 27 10:00:03 fred snort: IIS Unicode Map Codepage: 1252
> > > Oct 27 10:00:03 fred snort: DEFAULT SERVER CONFIG:
From halljer at auburn.edu Wed Nov 2 16:17:30 2005
From: halljer at auburn.edu (Dusty Hall)
Date: Wed, 02 Nov 2005 09:17:30 -0600
Subject: [rsyslog] 1.12.0 - Seg Faults
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA0E3D29@grfint2.intern.adiscon.com>
References: <577465F99B41C842AAFBE9ED71E70ABA0E3D29@grfint2.intern.adiscon.com>
Message-ID: <4368842E.8529.003A.0@auburn.edu>

Rainer,

No problem. FYI, this is also happening with OpenBSD :(.

Nov 1 13:35:05 syslogd: restart
Nov 1 13:35:05 /bsd: OpenBSD 3.7 (GENERIC) #312: Mon Mar 21 00:14:33 MST 2005
--- seg faults here ---

Thanks,

-Dusty
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog

From rgerhards at hq.adiscon.com Fri Nov 4 17:00:56 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Fri, 04 Nov 2005 17:00:56 +0100
Subject: [rsyslog] 1.12.0 - Seg Faults
In-Reply-To: <4361D92C0200003A0000098B@groupwise1.duc.auburn.edu>
References: <4361D92C0200003A0000098B@groupwise1.duc.auburn.edu>
Message-ID: <1131120055.2186.66.camel@rh9lt.intern.adiscon.com>

Dusty,

this one via the list, because it is of potential interest for others, too.

Finally, I found the bug. I have to admit I always thought into the wrong
direction. Now that I got that straight, it was actually easy to spot.

The actual cause is that there is a bug in the syslog TAG assignment
function. To fix this, search for MsgSetTag in syslogd.c. Replace it with
this code:

static void MsgAssignTAG(struct msg *pMsg, char *pBuf)
{
    assert(pMsg != NULL);
    pMsg->iLenTAG = (pBuf == NULL) ? 0 : strlen(pBuf);
    pMsg->pszTAG = pBuf;
}

That will fix the abort. HOWEVER... the root cause (as you rightly said ;))
is that the BSD messages do not contain a host name. rsyslogd parses
according to RFC 3164, where a hostname is required. That RFC is no
standard, so it is OK to send without hostname. The bad news is that there
is nothing inside the message that you can use to detect if there is a
hostname present or not. The only solution I can think of is to have the
ability to configure custom parsers based on e.g. the message sender. This
is something that rsyslogd currently does not do. So for the time being,
the BSD syslog messages will have the TAG in the HOSTNAME field. In many
cases, you can probably live with that, especially if you custom-format
the templates and apply them on a per-sender basis. The other alternative
is to install rsyslogd on the senders, too, because that will obviously
relieve you of this issue.

So, I have mixed news ;) I hope it is still useful for you.

Rainer
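Rainer's explanation above (and the hostname detection the 1.12.1 announcement mentions), as an added example that is not rsyslog's code: a small C parser for the RFC 3164 header that shows how a BSD message without a HOSTNAME lands its TAG in the hostname field under a strict reading, carries the NULL-safe TAG assignment from the posted patch, and applies an assumed heuristic (a token ending in ':' or containing '[' is a TAG) that is not rsyslog 1.12.1's actual algorithm.

```c
/* Added example, not rsyslog's code. strict != 0 reads the token after the
 * timestamp as HOSTNAME unconditionally (the 1.12.0 reading the thread
 * describes); strict == 0 applies an ASSUMED heuristic, not 1.12.1's. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct msg {
    int  pri;
    char timestamp[16];   /* "Mmm dd hh:mm:ss" is exactly 15 bytes */
    char hostname[64];    /* stays empty when the sender omitted it */
    char tag[64];         /* program name, e.g. "snort" */
    const char *text;     /* rest of the message, points into input */
    int  iLenTAG;         /* the two fields the posted patch touches */
    const char *pszTAG;
};

/* The fix posted in the thread: a NULL tag yields length 0 instead of
 * the strlen(NULL) that crashed 1.12.0. */
static void MsgAssignTAG(struct msg *pMsg, const char *pBuf)
{
    assert(pMsg != NULL);
    pMsg->iLenTAG = (pBuf == NULL) ? 0 : (int)strlen(pBuf);
    pMsg->pszTAG = pBuf;
}

/* Parse "<PRI>TIMESTAMP [HOSTNAME ]TAG[: ]MSG" into *out.
 * Returns 0 on success, -1 on a malformed header. */
int parse_rfc3164(const char *line, int strict, struct msg *out)
{
    const char *p = line;
    char *end;
    size_t n, t;
    long pri;

    memset(out, 0, sizeof *out);
    if (*p != '<') return -1;
    pri = strtol(p + 1, &end, 10);            /* PRI = facility*8 + severity */
    if (end == p + 1 || *end != '>' || pri < 0 || pri > 191) return -1;
    out->pri = (int)pri;
    p = end + 1;
    if (strlen(p) < 16 || p[15] != ' ') return -1;   /* timestamp + space */
    memcpy(out->timestamp, p, 15);
    p += 16;

    /* Assumption: a hostname never ends in ':' nor carries "[pid]", so
     * such a token is the TAG and the hostname is absent. A BSD sender
     * whose TAG has neither is still misread, as Rainer points out. */
    n = strcspn(p, " ");
    if (n == 0) return -1;
    if (strict || !(p[n - 1] == ':' || memchr(p, '[', n) != NULL)) {
        if (n >= sizeof out->hostname) return -1;
        memcpy(out->hostname, p, n);
        p += n;
        while (*p == ' ') p++;
    }

    /* TAG ends at ':', '[' or a space; an empty TAG reaches the
     * assignment as NULL, which the fixed function tolerates. */
    t = strcspn(p, ":[ ");
    if (t >= sizeof out->tag) return -1;
    memcpy(out->tag, p, t);
    MsgAssignTAG(out, t > 0 ? out->tag : NULL);
    p += t;
    if (*p == ':') p++;
    while (*p == ' ') p++;
    out->text = p;
    return 0;
}

/* 1 when line parses into exactly the expected fields, else 0. */
int check_case(const char *line, int strict, const char *host,
               const char *tag, const char *text)
{
    struct msg m;
    if (parse_rfc3164(line, strict, &m) != 0) return 0;
    return strcmp(m.hostname, host) == 0 && strcmp(m.tag, tag) == 0 &&
           strcmp(m.text, text) == 0 && m.iLenTAG == (int)strlen(tag);
}

int main(void)
{
    /* Constructed inputs modelled on lines quoted in the thread
     * (RFC 3164 pads a one-digit day with a space: "Nov  1"). */
    static const char *lines[] = {
        "<29>Oct 27 10:00:03 fred snort: GLOBAL CONFIG",
        "<29>Oct 28 07:48:38 snort: GLOBAL CONFIG",
        "<13>Nov  1 13:35:05 /bsd: OpenBSD 3.7 (GENERIC) #312",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        for (int strict = 1; strict >= 0; strict--) {
            struct msg m;
            if (parse_rfc3164(lines[i], strict, &m) == 0)
                printf("%-10s host='%s' tag='%s' text='%s'\n",
                       strict ? "strict:" : "heuristic:", m.hostname, m.tag, m.text);
        }
    return 0;
}
```

Under the strict reading the second input yields host='snort:' and tag='GLOBAL', which is the misparse Rainer describes; under the heuristic the hostname stays empty and the tag is 'snort'.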
From halljer at auburn.edu Wed Nov 9 17:53:24 2005
From: halljer at auburn.edu (Dusty Hall)
Date: Wed, 09 Nov 2005 10:53:24 -0600
Subject: [rsyslog] 1.12.0 - Seg Faults
In-Reply-To: <436B8DA5.8529.003A.0@auburn.edu>
References: <4361D92C0200003A0000098B@groupwise1.duc.auburn.edu>
	<1131120055.2186.66.camel@rh9lt.intern.adiscon.com>
	<436B8DA5.8529.003A.0@auburn.edu>
Message-ID: <4371D529.8529.003A.0@auburn.edu>

Rainer,

Thanks for the information. Do you know of any syslog daemons that follow
the correct RFC and are in the FreeBSD ports tree? If not, I'm going the
route of installing rsyslogd on the clients :). Thanks again!

-Dusty

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog

From rgerhards at hq.adiscon.com Wed Nov 9 21:28:47 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Wed, 9 Nov 2005 21:28:47 +0100
Subject: [rsyslog] 1.12.0 - Seg Faults
Message-ID: <577465F99B41C842AAFBE9ED71E70ABAB690@grfint2.intern.adiscon.com>

Dusty,

Unfortunately, I do not know of anyone. And I do not want to create a
wrong impression: RFC 3164 is not a standard but rather an informational
document. So nothing is harmed by not following it. The issue is "just"
that without that header format we can not process it. I am currently
involved in work at the IETF that struggles to get a standard RFC together.
As it looks currently, that RFC will be very close to RFC 3164. So it is not bad to plan somewhat ahead ;) Rainer > -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Dusty Hall > Sent: Wednesday, November 09, 2005 5:53 PM > To: rsyslog at lists.adiscon.com > Subject: Re: [rsyslog] 1.12.0 - Seg Faults > > > Rainer, > > Thanks for the information. Do you know of any syslog > daemons that follow the correct RFC and are in the FreeBSD > ports tree? If not, I'm going the route of installing > rsyslogd on the clients :). Thanks again! > > > -Dusty > > > >>> rgerhards at hq.adiscon.com 11/04/05 10:00 am >>> > Dusty, > > this one via the list, because it is of potential interest for others, > too. > > Finally, I found the bug. I have to admit I always thought into the > wrong direction. Now that I got that straight, it was actually easy to > spot. > > The actual cause is that there is a bug in the syslog TAG assignment > function. To fix this, search for MsgSetTag in syslogd.c. Replace it > with this code: > > static void MsgAssignTAG(struct msg *pMsg, char *pBuf) > { > assert(pMsg != NULL); > pMsg- >iLenTAG = (pBuf == NULL) ? 0 : strlen(pBuf); > pMsg- >pszTAG = pBuf; > } > > That will fix the abort. HOWEVER... the root cause (as you rightly > said > ;)) is that the BSD messages do not contain a host name. rsyslogd > parses > according to RFC 3164, where a hostname is required. That RFC is no > standard, so it is OK to send without hostname. The bad news is that > there is nothing inside the message that you can use to detect if > there > is a hostname present or not. The only solution I can think of is to > have the ability to configure custom parsers based on e.g. the message > sender. This is something that rsyslogd currently does not do. So for > the time being, the BSD syslog messages will have the TAG in the > HOSTNAME field. 
In many cases, you can probably live with that, > especially if you custom- format the templates and apply them on a > per- sender basis. The other alternative is to install rsyslogd on > the > senders, too, because that will obviously relieve you of this issue. > > So, I have mixed news ;) I hope it is still useful for you. > > Rainer > > On Fri, 2005- 10- 28 at 14:54, Dusty Hall wrote: > > Rainer, > > > > First off, I really appreciate your help with this... > > > > I just got through trying both ideas but neither work :(. It seg > > faulted in the same place. > > > > I tried running the daemon a little different here and it actually > > caught the name (bambam=xxx.xxx.xxx.xxx) but didn't write it to the > > log, > > thoughts? > > > > /usr/sbin/rsyslogd - d - n - r 0 - l xxx.xxx.xxx.xxx (this > version has > > both > > revisions applied) > > > > Calling selet, active file descriptors (max 12): 3 12 > > > > Successful select, descriptor count = 1, Activity on: 12 > > Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx > > Message length: 47, File descriptor: 12. 
> > logmsg: daemon.notice<29>, flags 2, from bambam, msg Oct 28 07:48:38 snort: GLOBAL CONFIG
> > Segmentation fault
> >
> >
> > server messages file:
> > -----
> > Oct 28 07:48:38 snort: Writing PID "47582" to file "/var/run//snort_fxp0.pid"
> > Oct 28 07:48:38 snort: Parsing Rules file /etc/nsm/snort.conf
> > Oct 28 07:48:38 snort: ,-----------[Flow Config]----------------------
> > Oct 28 07:48:38 snort: | Stats Interval: 0
> > Oct 28 07:48:38 snort: | Hash Method: 2
> > Oct 28 07:48:38 snort: | Memcap: 10485760
> > Oct 28 07:48:38 snort: | Rows : 4099
> > Oct 28 07:48:38 snort: | Overhead Bytes: 16400(%0.16)
> > Oct 28 07:48:38 snort: `----------------------------------------------
> > Oct 28 07:48:38 snort: HttpInspect Config:
> >
> >
> > >>> rgerhards at hq.adiscon.com 10/28/05 2:29 AM >>>
> > Dusty,
> >
> > after some more testing, I am now back to thinking that the printf() is just a cosmetic problem. The code I was suspecting to have a bug actually is OK.
> >
> > Anyhow, could you please replace the printf at the start of logmsg(). The new version is:
> >
> > dprintf("logmsg: %s, flags %x, from '%s', msg %s\n", textpri(pri), flags, getRcvFrom(pMsg), msg);
> >
> > This is all on one line. Search for "logmsg:" in the code, that will show you only the to-be-replaced line.
> >
> > I think the problem will persist after applying this patch.
> >
> > If so, I now suspect there is a problem with multithreading. It is experimental, and that everything works well in my lab does not really mean it will in practice. So if the bug persists, I would like you to disable multitasking. This is easy. Just go to your Makefile and find FEATURE_PTHREADS. Switch that from 1 to 0. Then, run
> >
> > make clean
> > make
> > make install
> >
> > After that, rsyslogd will run in single-threading mode. Please let me know if the error then persists, too.
> >
> > Please let me know the outcome.
> >
> > Rainer
> >
> > On Fri, 2005-10-28 at 08:46, Rainer Gerhards wrote:
> > > Hi Dusty,
> > >
> > > I first thought this was just a cosmetic problem with the printf. After some review, I think the non-parsable hostname is really causing the segfault. I have to admit I am a bit puzzled this did not show up earlier. Anyhow, I'll see that I can do something against it today.
> > >
> > > Rainer
> > >
> > > On Fri, 2005-10-28 at 00:07, Dusty Hall wrote:
> > > > I'm having a problem with rsyslogd seg faulting. The daemon (1.12.0) is running on RHEL 4 and the clients are FreeBSD 4.x & 5.x. It doesn't seem to catch the name from the clients, leading to a seg fault. Ideas, workarounds? Any help would be greatly appreciated!
> > > >
> > > > -Dusty
> > > >
> > > > # /usr/sbin/rsyslogd -d -r 0 -n
> > > > ......
> > > > -1208042912: Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
> > > > -1208042912: Message length: 46, File descriptor: 12.
> > > > -1208042912: logmsg: daemon.notice<29>, flags 2, from (null), msg Oct 27 16:15:38 snort: GLOBAL CONFIG
> > > > Segmentation fault
> > > >
> > > >
> > > > server messages file contains:
> > > > ----------
> > > > Oct 27 16:15:39 snort: ,-----------[Flow Config]----------------------
> > > > Oct 27 16:15:39 snort: | Stats Interval: 0
> > > > Oct 27 16:15:39 snort: | Hash Method: 2
> > > > Oct 27 16:15:39 snort: | Memcap: 10485760
> > > > Oct 27 16:15:39 snort: | Rows : 4099
> > > > Oct 27 16:15:39 snort: | Overhead Bytes: 32800(%0.31)
> > > > Oct 27 16:15:39 snort: `----------------------------------------------
> > > > Oct 27 16:15:39 snort: HttpInspect Config:
> > > >
> > > >
> > > > client messages file contains:
> > > > ---------
> > > > Oct 27 10:00:03 fred snort: ,-----------[Flow Config]----------------------
> > > > Oct 27 10:00:03 fred snort: | Stats Interval: 0
> > > > Oct 27 10:00:03 fred snort: | Hash Method: 2
> > > > Oct 27 10:00:03 fred snort: | Memcap: 10485760
> > > > Oct 27 10:00:03 fred snort: | Rows : 4099
> > > > Oct 27 10:00:03 fred snort: | Overhead Bytes: 32800(%0.31)
> > > > Oct 27 10:00:03 fred snort: `----------------------------------------------
> > > > Oct 27 10:00:03 fred snort: HttpInspect Config:
> > > > Oct 27 10:00:03 fred snort: GLOBAL CONFIG
> > > > Oct 27 10:00:03 fred snort: Max Pipeline Requests: 0
> > > > Oct 27 10:00:03 fred snort: Inspection Type: STATELESS
> > > > Oct 27 10:00:03 fred snort: Detect Proxy Usage: NO
> > > > Oct 27 10:00:03 fred snort: IIS Unicode Map Filename: /etc/nsm/unicode.map
> > > > Oct 27 10:00:03 fred snort: IIS Unicode Map Codepage: 1252
> > > > Oct 27 10:00:03 fred snort: DEFAULT SERVER CONFIG:
> > > >
> > > > _______________________________________________
> > > > rsyslog mailing list
> > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
From rgerhards at hq.adiscon.com Thu Nov 10 09:05:28 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 10 Nov 2005 09:05:28 +0100
Subject: [rsyslog] 1.12.0 - Seg Faults
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3DD4@grfint2.intern.adiscon.com>

Dusty,

I think I replied too soon ;) I've had another round of hard thinking on the parsing issue. Though I do not yet have anything definite, I have the impression that there is a way to make the parser smart enough to handle BSD messages. So if you can wait a little longer, it might be wise to do so...

On the route to the solution a question: The non-BSD systems you have: are they using rsyslogd or any other syslogd? Basically, I am interested to know if their messages contain the hostname and, if so, if the message was generated by rsyslog (one of the solutions I have in mind is an extension that would only work if the hostnames are only present in messages sent from rsyslog).

Feedback appreciated.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Wednesday, November 09, 2005 9:29 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] 1.12.0 - Seg Faults
>
> Dusty,
>
> Unfortunately, I do not know of any one.
> And I do not want to create a wrong impression: RFC 3164 is not a standard but rather an informational document. So nothing is harmed by not following it. The issue is "just" that without that header format we can not process it. I am currently involved in work at the IETF that struggles to get a standard RFC together. As it looks currently, that RFC will be very close to RFC 3164. So it is not bad to plan somewhat ahead ;)
>
> Rainer
From rgerhards at hq.adiscon.com Thu Nov 10 09:38:07 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Thu, 10 Nov 2005 09:38:07 +0100
Subject: [rsyslog] 1.12.0 - Seg Faults
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA0E3DD4@grfint2.intern.adiscon.com>
References: <577465F99B41C842AAFBE9ED71E70ABA0E3DD4@grfint2.intern.adiscon.com>
Message-ID: <1131611887.2188.4.camel@rh9lt.intern.adiscon.com>

Dusty,

actually, now that I had thought about what can be done, implementing it was straightforward (surprisingly easy actually). Sometimes it pays to think a little bit harder ;)

Anyhow... While it works in my lab, there is a certain part of guesswork involved. I am not sure if it will work in your environment. I will send you an updated syslogd.c via private mail, I'd appreciate it if you could give it a try.

Rainer

On Thu, 2005-11-10 at 09:05, Rainer Gerhards wrote:
> Dusty,
>
> I think I replied too soon ;) I've had another round of hard thinking on the parsing issue.
> Though I do not yet have anything definite, I have the impression that there is a way to make the parser smart enough to handle BSD messages. So if you can wait a little longer, it might be wise to do so...
>
> On the route to the solution a question: The non-BSD systems you have: are they using rsyslogd or any other syslogd? Basically, I am interested to know if their messages contain the hostname and, if so, if the message was generated by rsyslog (one of the solutions I have in mind is an extension that would only work if the hostnames are only present in messages sent from rsyslog).
>
> Feedback appreciated.
>
> Rainer

From rgerhards at hq.adiscon.com Mon Nov 14 14:56:24 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Mon, 14 Nov 2005 14:56:24 +0100
Subject: [rsyslog] rsyslog 1.0.3 released (stable branch)
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3E24@grfint2.intern.adiscon.com>

Dear all,

I have just released rsyslog 1.0.3, a maintenance release for the stable branch.
It contains a number of important fixes which have been trialed in the development branch first. There are no new features. This release is meant for all those interested in keeping their stable branch rsyslogd up to date. Please note that it offers considerably fewer features than the current development branch. So this is not an update for users of the development branch.

The change log can be found at http://www.rsyslog.com/Article49.phtml

I hope this work is useful.

Rainer Gerhards

From viktorija at oic.lv Tue Nov 15 10:59:51 2005
From: viktorija at oic.lv (Viktorija)
Date: Tue, 15 Nov 2005 11:59:51 +0200
Subject: [rsyslog] logs to mysql database
Message-ID: <20051115115951.40526edc.viktorija@oic.lv>

Hello,

I am a newbie in rsyslog, so please try to understand me :)
I have the following problem/task/wish.
I want all incoming logs from servers inserted into mysql. OK, that's not a problem, but I want to merge logs by hostname and insert each log from one hostname into a $hostname table. It is something like log sorting by hostname, only into sql tables.
I think it is possible with templates, but I am not sure.
Maybe somebody could show me the right way to do it. If it's possible of course :)

Thanks,
Viktorija

From rgerhards at hq.adiscon.com Tue Nov 15 11:21:49 2005
From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Date: Tue, 15 Nov 2005 11:21:49 +0100
Subject: [rsyslog] logs to mysql database
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3E31@grfint2.intern.adiscon.com>

I think it is doable, but it probably is a bit dangerous. I am also not sure if MySQL allows you to define tables named like hostnames. Could you please let me know some hostnames of yours (maybe samples, I am just interested in the actual structure) as well as some matching IP addresses. I'll then see what I can do...
Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Viktorija
> Sent: Tuesday, November 15, 2005 11:00 AM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] logs to mysql database
>
> Hello,
>
> I am a newbie in rsyslog, so please try to understand me :)
> I have the following problem/task/wish.
> I want all incoming logs from servers inserted into mysql. OK, that's not a problem, but I want to merge logs by hostname and insert each log from one hostname into a $hostname table. It is something like log sorting by hostname, only into sql tables.
> I think it is possible with templates, but I am not sure.
> Maybe somebody could show me the right way to do it. If it's possible of course :)
>
> Thanks,
> Viktorija

From viktorija at oic.lv Tue Nov 15 11:36:40 2005
From: viktorija at oic.lv (Viktorija)
Date: Tue, 15 Nov 2005 12:36:40 +0200
Subject: [rsyslog] logs to mysql database
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA0E3E31@grfint2.intern.adiscon.com>
References: <577465F99B41C842AAFBE9ED71E70ABA0E3E31@grfint2.intern.adiscon.com>
Message-ID: <20051115123640.02ff1347.viktorija@oic.lv>

I have standard names, not something special :)
I have hostnames like: sun, liberatio, nafig, pofig, nefig and so on :)
Oh, IP addresses are virtual, so they will not give you any additional information.
Do you think it is possible to do with templates? Or another way?

Viktorija

On Tue, 15 Nov 2005 11:21:49 +0100
"Rainer Gerhards" wrote:

> I think it is doable, but it probably is a bit dangerous. I am also not sure if MySQL allows you to define tables named like hostnames. Could you please let me know some hostnames of yours (maybe samples, I am just interested in the actual structure) as well as some matching IP addresses. I'll then see what I can do...
> > Rainer > > > -----Original Message----- > > From: rsyslog-bounces at lists.adiscon.com > > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Viktorija > > Sent: Tuesday, November 15, 2005 11:00 AM > > To: rsyslog at lists.adiscon.com > > Subject: [rsyslog] logs to mysql database > > > > Hello, > > > > am newbie in rsyslog. So please try understand me :) > > I have following problem/task/wish. > > I want all incoming logs from servers insert to mysql. Ok > > that's not a problem, but i want merge logs by hostnames and > > insert each log from one hostname to $hostname table. It is > > something like log sorting by hostname only to sql tables. > > I think it is possible with templates, but not sure. > > Maybe somebody could give me a right way how to do it. If > > it's possible of course :) > > > > > > Thanks, > > Viktorija

From rgerhards at hq.adiscon.com Tue Nov 15 17:32:14 2005 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Tue, 15 Nov 2005 17:32:14 +0100 Subject: [rsyslog] 1.12.0 - Seg Faults Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3E44@grfint2.intern.adiscon.com>
An update to the mailing list: I have worked with Dusty on further improvements of the algorithm. As it looks currently, the new algo properly detects messages without hostnames in them and processes them accordingly. Currently, this functionality is only available via the CVS server. I plan to release an official package some time next week, which will then include that functionality. In the meantime, use anonymous CVS.
Rainer
> -----Original Message----- > From: rsyslog-bounces at lists.adiscon.com > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of > Rainer Gerhards > Sent: Thursday, November 10, 2005 9:38 AM > To: rsyslog-users > Subject: Re: [rsyslog] 1.12.0 - Seg Faults > > Dusty, > > actually, now that I had thought about what can be done, > implementing it > was straightforward (surprisingly easy actually). Sometimes it pays to > think a little bit harder ;) > > Anyhow... While it works in my lab, there is a certain part > of guesswork > involved. I am not sure if it will work in your environment. > I will send > you an updated syslogd.c via private mail, I'd appreciate if you could > give it a try. > > Rainer > On Thu, 2005-11-10 at 09:05, Rainer Gerhards wrote: > > Dusty, > > > > I think I replied too soon ;) I've had another round of > hard thinking on > > the parsing issue. Though I do not yet have anything > definite, I have > > the impression that there is a way to make the parser smart > enough to > > handle BSD messages. So if you can wait a little longer, it might be > > wise to do so... > > > > On the route to the solution a question: The non-BSD > systems you have: > > are they using rsyslogd or any other syslogd? Basically, I > am interested > > to know if their messages contain the hostname and, if so, if the > > message was generated by rsyslog (one of the solutions I > have in mind is > > an extension that would only work if the hostnames are only > present in > > messages sent from rsyslog). > > > > Feedback appreciated. > > > > Rainer > > > > > -----Original Message----- > > > From: rsyslog-bounces at lists.adiscon.com > > > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of > > > Rainer Gerhards > > > Sent: Wednesday, November 09, 2005 9:29 PM > > > To: rsyslog-users > > > Subject: Re: [rsyslog] 1.12.0 - Seg Faults > > > > > > Dusty, > > > > > > Unfortunately, I do not know of any one.
And I do not > want to create a > > > wrong impression: RFC 3164 is not a standard but rather an > > > informational > > > document. So nothing is harmed by not following it. The issue > > > is "just" > > > that without that header format we cannot process it. I > am currently > > > involved in work at the IETF that struggles to get a standard RFC > > > together. As it looks currently, that RFC will be very > close to RFC > > > 3164. So it is not bad to plan somewhat ahead ;) > > > > > > Rainer > > > > > > > -----Original Message----- > > > > From: rsyslog-bounces at lists.adiscon.com > > > > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of > Dusty Hall > > > > Sent: Wednesday, November 09, 2005 5:53 PM > > > > To: rsyslog at lists.adiscon.com > > > > Subject: Re: [rsyslog] 1.12.0 - Seg Faults > > > > > > > > > > > > Rainer, > > > > > > > > Thanks for the information. Do you know of any syslog > > > > daemons that follow the correct RFC and are in the FreeBSD > > > > ports tree? If not, I'm going the route of installing > > > > rsyslogd on the clients :). Thanks again! > > > > > > > > > > > > -Dusty > > > > > > > > > > > > >>> rgerhards at hq.adiscon.com 11/04/05 10:00 am >>> > > > > Dusty, > > > > > > > > this one via the list, because it is of potential interest > > > for others, > > > > too. > > > > > > > > Finally, I found the bug. I have to admit I always > thought into the > > > > wrong direction. Now that I got that straight, it was > > > actually easy to > > > > spot. > > > > > > > > The actual cause is that there is a bug in the syslog > TAG assignment > > > > function. To fix this, search for MsgSetTag in > syslogd.c. Replace it > > > > with this code: > > > > > > > > static void MsgAssignTAG(struct msg *pMsg, char *pBuf) > > > > { > > > > assert(pMsg != NULL); > > > > pMsg->iLenTAG = (pBuf == NULL) ? 0 : strlen(pBuf); > > > > pMsg->pszTAG = pBuf; > > > > } > > > > > > > > That will fix the abort. HOWEVER...
the root cause (as > you rightly > > > > said > > > > ;)) is that the BSD messages do not contain a host > name. rsyslogd > > > > parses > > > > according to RFC 3164, where a hostname is required. > That RFC is no > > > > standard, so it is OK to send without hostname. The bad > news is that > > > > there is nothing inside the message that you can use to > detect if > > > > there > > > > is a hostname present or not. The only solution I can > think of is to > > > > have the ability to configure custom parsers based on e.g. > > > the message > > > > sender. This is something that rsyslogd currently does not > > > do. So for > > > > the time being, the BSD syslog messages will have the TAG in the > > > > HOSTNAME field. In many cases, you can probably live with that, > > > > especially if you custom-format the templates and > apply them on a > > > > per-sender basis. The other alternative is to install > rsyslogd on > > > > the > > > > senders, too, because that will obviously relieve you > of this issue. > > > > > > > > So, I have mixed news ;) I hope it is still useful for you. > > > > > > > > Rainer > > > > > > > > On Fri, 2005-10-28 at 14:54, Dusty Hall wrote: > > > > > Rainer, > > > > > > > > > > First off, I really appreciate your help with this... > > > > > > > > > > I just got through trying both ideas but neither work > > > :(. It seg > > > > > faulted in the same place. > > > > > > > > > > I tried running the daemon a little different here and > > > it actually > > > > > caught the name (bambam=xxx.xxx.xxx.xxx) but didn't write > > > it to the > > > > > log, > > > > > thoughts?
> > > > > > > > > > /usr/sbin/rsyslogd -d -n -r 0 -l > xxx.xxx.xxx.xxx (this > > > > version has > > > > > both > > > > > revisions applied) > > > > > > > > > > Calling selet, active file descriptors (max 12): 3 12 > > > > > > > > > > Successful select, descriptor count = 1, Activity on: 12 > > > > > Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx > > > > > Message length: 47, File descriptor: 12. > > > > > logmsg: daemon.notice<29>, flags 2, from bambam, msg Oct > > > 28 07:48:38 > > > > > snort: GLOBAL CONFIG > > > > > Segmentation fault > > > > > > > > > > > > > > > server messages file: > > > > > ----- > > > > > Oct 28 07:48:38 snort: Writing PID "47582" to file > > > > > "/var/run//snort_fxp0.pid" > > > > > Oct 28 07:48:38 snort: Parsing Rules file /etc/nsm/snort.conf > > > > > Oct 28 07:48:38 snort: ,-----------[Flow > > > > Config]---------------------- > > > > > Oct 28 07:48:38 snort: | Stats Interval: 0 > > > > > Oct 28 07:48:38 snort: | Hash Method: 2 > > > > > Oct 28 07:48:38 snort: | Memcap: 10485760 > > > > > Oct 28 07:48:38 snort: | Rows : 4099 > > > > > Oct 28 07:48:38 snort: | Overhead Bytes: 16400(%0.16) > > > > > Oct 28 07:48:38 snort: > > > > `---------------------------------------------- > > > > > Oct 28 07:48:38 snort: HttpInspect Config: > > > > > > > > > > > > > > > > > > > > >>> rgerhards at hq.adiscon.com 10/28/05 2:29 AM >>> > > > > > Dusty, > > > > > > > > > > after some more testing, I am now back to thinking that > > > the printf() > > > > > is > > > > > just a cosmetic problem. The code I was suspecting to > have a bug > > > > > actually is OK. > > > > > > > > > > Anyhow, could you please replace the printf at the start of > > > > logmsg(). > > > > > The new version is: > > > > > > > > > > dprintf("logmsg: %s, flags %x, from '%s', msg %s\n", > > > > > textpri(pri), flags, getRcvFrom(pMsg), msg); > > > > > > > > > > This is all on one line.
Search for "logmsg:" in the > > > code, that will > > > > > show you only the to-be-replaced line. > > > > > > > > > > I think the problem will persist after applying this patch. > > > > > > > > > > If so, I now suspect there is a problem with > multithreading. It is > > > > > experimental, and that everything works well in my > lab does not > > > > really > > > > > mean it will in practice. So if the bug persists, I > would like you > > > > to > > > > > disable multitasking. This is easy. Just go to your > Makefile and > > > > find > > > > > FEATURE_PTHREADS. Switch that from 1 to 0. Then, run > > > > > > > > > > make clean > > > > > make > > > > > make install > > > > > > > > > > After that, rsyslogd will run in single-threading mode. > > > Please let > > > > me > > > > > know if the error then persists, too. > > > > > > > > > > Please let me know the outcome. > > > > > > > > > > Rainer > > > > > > > > > > On Fri, 2005-10-28 at 08:46, Rainer Gerhards wrote: > > > > > > Hi Dusty, > > > > > > > > > > > > I first thought this was just a cosmetic problem with > > > the printf. > > > > > After > > > > > > some review, I think the non-parsable hostname is > > > really causing > > > > the > > > > > > segfault. I have to admit I am a bit puzzled this did > > > not show up > > > > > > earlier. Anyhow, I'll see that I can do something against it > > > > today. > > > > > > > > > > > > Rainer > > > > > > > > > > > > On Fri, 2005-10-28 at 00:07, Dusty Hall wrote: > > > > > > > I'm having a problem with rsyslogd seg faulting. > The daemon > > > > > (1.12.0) is > > > > > > > running on RHEL 4 and the clients are FreeBSD 4.x > & 5.x. It > > > > > doesn't > > > > > > > seem to catch the name from the clients leading to a > > > seg fault. > > > > > Ideas, > > > > > > > workarounds? Any help would be greatly appreciated! > > > > > > > > > > > > > > > > > > > > > -Dusty > > > > > > > > > > > > > > > > > > > > > # /usr/sbin/rsyslogd -d -r 0 -n > > > > > > > ......
> > > > > > > -1208042912: Message from UDP inetd socket: #12, host: > > > > > xxx.xxx.xxx.xxx > > > > > > > -1208042912: Message length: 46, File descriptor: 12. > > > > > > > -1208042912: logmsg: daemon.notice<29>, flags 2, > > > from (null), > > > > msg > > > > > Oct 27 > > > > > > > 16:15:38 snort: GLOBAL CONFIG > > > > > > > Segmentation fault > > > > > > > > > > > > > > > > > > > > > server messages file contains: > > > > > > > ---------- > > > > > > > Oct 27 16:15:39 snort: ,-----------[Flow > > > > > Config]---------------------- > > > > > > > Oct 27 16:15:39 snort: | Stats Interval: 0 > > > > > > > Oct 27 16:15:39 snort: | Hash Method: 2 > > > > > > > Oct 27 16:15:39 snort: | Memcap: 10485760 > > > > > > > Oct 27 16:15:39 snort: | Rows : 4099 > > > > > > > Oct 27 16:15:39 snort: | Overhead Bytes: 32800(%0.31) > > > > > > > Oct 27 16:15:39 snort: > > > > > `---------------------------------------------- > > > > > > > Oct 27 16:15:39 snort: HttpInspect Config: > > > > > > > > > > > > > > > > > > > > > client messages file contains: > > > > > > > --------- > > > > > > > Oct 27 10:00:03 fred snort: ,-----------[Flow > > > > > > > Config]---------------------- > > > > > > > Oct 27 10:00:03 fred snort: | Stats Interval: 0 > > > > > > > Oct 27 10:00:03 fred snort: | Hash Method: 2 > > > > > > > Oct 27 10:00:03 fred snort: | Memcap: 10485760 > > > > > > > Oct 27 10:00:03 fred snort: | Rows : 4099 > > > > > > > Oct 27 10:00:03 fred snort: | Overhead Bytes: > 32800(%0.31) > > > > > > > Oct 27 10:00:03 fred snort: > > > > > > > `---------------------------------------------- > > > > > > > Oct 27 10:00:03 fred snort: HttpInspect Config: > > > > > > > Oct 27 10:00:03 fred snort: GLOBAL CONFIG > > > > > > > Oct 27 10:00:03 fred snort: Max Pipeline > Requests: 0 > > > > > > > Oct 27 10:00:03 fred snort: Inspection Type: > > > > > STATELESS > > > > > > > Oct 27 10:00:03 fred snort: Detect Proxy > Usage: NO > > > > > > > Oct 27 10:00:03 fred snort: IIS Unicode Map >
Filename: > > > > > > > /etc/nsm/unicode.map > > > > > > > Oct 27 10:00:03 fred snort: IIS Unicode Map > > > Codepage: 1252 > > > > > > > Oct 27 10:00:03 fred snort: DEFAULT SERVER CONFIG:

From rgerhards at hq.adiscon.com Wed Nov 23 12:47:52 2005 From: rgerhards at hq.adiscon.com (Rainer Gerhards) Date: Wed, 23 Nov 2005 12:47:52 +0100 Subject: [rsyslog] rsyslog 1.12.1 released Message-ID: <577465F99B41C842AAFBE9ED71E70ABA0E3EF2@grfint2.intern.adiscon.com>
Hi all, I am glad to announce rsyslog 1.12.1.
This release features a much-enhanced message parser which is capable of better understanding different syslog message formats. For example, BSD syslogd (and others) does not include a host name inside the message. With 1.12.1, an algorithm is used to detect whether or not the hostname is present and the parsed fields are adjusted accordingly. This makes it much easier to integrate rsyslogd into an environment with other syslog senders. Also, threading support for BSD has been completed and a number of bugs have been fixed. For users of the development branch, I suggest upgrading to this release. The change log can be found at http://www.rsyslog.com/Article51.phtml The download can be found at http://www.rsyslog.com/Downloads-index-req-getit-lid-25.phtml I hope this work is useful, Rainer Gerhards
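The two technical threads in this archive, the hostname-less BSD messages behind the 1.12.0 segfault and 1.12.1's detection of a missing HOSTNAME, and the earlier request to route each sender into a MySQL table named after its hostname (which Rainer called "a bit dangerous"), can both be illustrated with one small parser. The C below is an added example written for this page, not rsyslog's source and not the algorithm 1.12.1 ships. It assumes a heuristic of its own (a token containing ':' or '[' directly after the TIMESTAMP is a TAG, so no HOSTNAME was sent), falls back to the sender address in the way the thread's "from bambam" debug line suggests, never leaves the hostname NULL (the `strlen(NULL)` class of abort the thread chased), and validates the parsed hostname before it may be used as a table name. The function names, the `bambam` sender and the sample lines are constructed for the example, modelled on the snort lines quoted above.

```c
/* Added example, not rsyslog code: an RFC 3164-shaped parser that decides
 * whether HOSTNAME is present ("next token contains ':' or '['" is this
 * example's heuristic, not what rsyslog 1.12.1 ships), plus the check that
 * makes a parsed hostname safe to use as a per-host MySQL table name. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define FIELD_MAX 128
#define TABLE_NAME_MAX 64  /* MySQL identifier length limit */

struct parsed_msg {
    int pri;
    char timestamp[16];        /* "Mmm dd hh:mm:ss" + NUL */
    char hostname[FIELD_MAX];  /* sender address when the message carries none */
    char tag[FIELD_MAX];       /* rsyslog-style TAG, trailing ':' included */
    const char *msg;           /* remainder of the input after TAG */
};

/* <PRI>: one to three digits in angle brackets, at most 191 */
static const char *parse_pri(const char *p, int *pri)
{
    int v = 0, n = 0;
    if (*p++ != '<') return NULL;
    for (; n < 3 && isdigit((unsigned char)*p); n++)
        v = v * 10 + (*p++ - '0');
    if (n == 0 || *p != '>' || v > 191) return NULL;
    *pri = v;
    return p + 1;
}

/* TIMESTAMP "Mmm dd hh:mm:ss": fixed 15 columns, then one space */
static const char *parse_timestamp(const char *p, char *out)
{
    if (strlen(p) < 16 || p[3] != ' ' || p[6] != ' ' || p[9] != ':' ||
        p[12] != ':' || p[15] != ' ')
        return NULL;
    memcpy(out, p, 15);
    out[15] = '\0';
    return p + 16;
}

/* Copy the next space-delimited token; return the position after its space */
static const char *copy_token(const char *p, char *out, size_t outsz)
{
    size_t n = strcspn(p, " ");
    if (n == 0 || n >= outsz) return NULL;
    memcpy(out, p, n);
    out[n] = '\0';
    return p[n] == ' ' ? p + n + 1 : p + n;
}

/* A wire HOSTNAME has no ':' or '['; a TAG token ("snort:", "sshd[42]:") does.
 * An IPv6 literal as HOSTNAME defeats this, so pair it with a per-sender rule. */
static int looks_like_tag(const char *tok)
{
    return strchr(tok, ':') != NULL || strchr(tok, '[') != NULL;
}

/* 0 on success. hostname is never left NULL: strlen(NULL) on the missing
 * field is exactly the abort the thread chased. */
int parse_syslog_msg(const char *raw, const char *sender, struct parsed_msg *out)
{
    const char *p;
    char tok[FIELD_MAX];
    memset(out, 0, sizeof *out);
    if ((p = parse_pri(raw, &out->pri)) == NULL ||
        (p = parse_timestamp(p, out->timestamp)) == NULL ||
        (p = copy_token(p, tok, sizeof tok)) == NULL)
        return -1;
    if (looks_like_tag(tok)) {  /* BSD syslogd style: no HOSTNAME on the wire */
        snprintf(out->hostname, sizeof out->hostname, "%s", sender ? sender : "");
        snprintf(out->tag, sizeof out->tag, "%s", tok);
    } else {
        snprintf(out->hostname, sizeof out->hostname, "%s", tok);
        if ((p = copy_token(p, out->tag, sizeof out->tag)) == NULL) return -1;
    }
    out->msg = p;
    return 0;
}

/* A table name cannot be bound as a query parameter, so a hostname the sender
 * controls would become SQL text. Allow [A-Za-z0-9._-] only, fold '.' and '-'
 * to '_' so the name works unquoted, reject anything else (out then undefined). */
int hostname_to_table_name(const char *host, char *out, size_t outsz)
{
    size_t i, n = strlen(host);
    if (n == 0 || n > TABLE_NAME_MAX || n >= outsz || !isalpha((unsigned char)host[0]))
        return -1;
    for (i = 0; i <= n; i++) {  /* i == n copies the terminating NUL */
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-' || c == '\0')) return -1;
        out[i] = (c == '.' || c == '-') ? '_' : (char)c;
    }
    return 0;
}
```

Feed `parse_syslog_msg()` the quoted BSD line `<29>Oct 27 16:15:39 snort: GLOBAL CONFIG` with the UDP sender as the second argument and the hostname comes back as the sender rather than `snort:`, while `<29>Oct 27 10:00:03 fred snort: GLOBAL CONFIG` yields `fred`. The heuristic mis-classifies an IPv6 literal in the HOSTNAME slot, so in production it belongs behind the per-sender rule Rainer describes rather than applied to every source. Identifier validation is the only defence for the table-name case: prepared statements protect values, not the table name, so a hostname such as `x; DROP TABLE logs` must be rejected before the statement is built, not escaped inside it.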