[rsyslog] per programname logs
theinric@redhat.com
Wed Aug 29 12:57:14 CEST 2007
Jan-Frode Myklebust wrote:
> On 2007-08-27, Rainer Gerhards <rgerhards at hq.adiscon.com> wrote:
>> Can you let us know which strings it is set to? That would definitely
>> help troubleshooting (one lab less to do ;)).
>
> Not sure what you're asking.. I have this rsyslog.conf entry:
>
> $template PerAppLogs,"/var/log/rsyslog/apps/%programname%.log"
> *.* -?PerAppLogs
>
> which produce two log files "1.4.1.log" and "message.log" containing
>
> Aug 27 21:58:01 syslogd 1.4.1: restart.
> Aug 27 21:58:01 syslogd 1.4.1: restart.
> Aug 27 21:58:01 syslogd 1.4.1: restart.
>
> Aug 27 22:02:48 last message repeated 12 times
> Aug 27 22:02:49 last message repeated 6 times
> Aug 27 22:02:49 last message repeated 92 times
>
> respectively. I think that's all information I have.. plus maybe also
> say that the remote host logging this is likely RHEL3, RHEL4 or RHEL5
> with sysklogd sending the logs over standard udp (*.* @loghost).
>
> Another thing that scared me a bit is that from the same template I
> got a logfile named ".log" containing:
>
> Aug 27 22:00:01 censored1.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
> Aug 27 22:00:01 censored2.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
> Aug 27 22:00:02 censored3.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
> Aug 27 22:00:17 censored4.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
> Aug 27 22:00:17 censored5.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
>
> which makes me think it tried to create the file /usr/bin/sudo.log..
> Wonder if it might be possible to make rsyslogd overwrite /etc/passwd
> with a sufficiently crafted %programname% string...
>
Hi,
in your example above, %programname% was an empty string, so you've
ended up with the logfile /var/log/rsyslog/apps/.log.
Additionally, programname can't contain '/', so your example should be
fairly safe.
The reason for files like 1.4.1.log being produced is in the way hostname
and tag are parsed.
For example, message "s y s l o g: asdf" would have its hostname set to
"s" and programname to "y".
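To make the parsing behaviour described in the reply concrete, here is an added example (not rsyslog's code, and not from either poster) that models the legacy BSD-syslog parse on lines constructed after the ones quoted in the thread; the exact set of characters that terminate programname (':', '[' and '/') is an assumption about rsyslog's behaviour, as is the simplified TAG rule.

```python
import os
import re

# Constructed sample lines in legacy BSD syslog layout (PRI already stripped),
# modelled on the lines quoted in the thread.
SAMPLE_LINES = [
    "Aug 27 21:58:01 syslogd 1.4.1: restart.",
    "Aug 27 22:02:48 last message repeated 12 times",
    "Aug 27 22:00:01 censored1.domain.mgmt /usr/bin/sudo djksjdks : "
    "TTY=unknown ; USER=root ; COMMAND=/sbin/iptables-save",
    "Aug 27 22:00:01 s y s l o g: asdf",
]

TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d ")
DYNAFILE_DIR = "/var/log/rsyslog/apps"   # directory from the thread's template


def parse_legacy(line):
    """Simplified model of the legacy parse: after the timestamp the first
    space-delimited word is HOSTNAME and the next word is TAG (ending at a
    space, or just after the first ':'). Nothing is validated, so a message
    without a hostname shifts every field one word to the left."""
    m = TIMESTAMP_RE.match(line)
    rest = line[m.end():] if m else line
    hostname, _, rest = rest.partition(" ")
    end = len(rest)
    for i, ch in enumerate(rest):
        if ch == " ":
            end = i
            break
        if ch == ":":
            end = i + 1          # the ':' belongs to the tag
            break
    return hostname, rest[:end], rest[end:].lstrip()


def program_name(tag):
    """programname = TAG up to the first ':', '[' or '/' (assumed stop set)."""
    for i, ch in enumerate(tag):
        if ch in ":[/":
            return tag[:i]
    return tag


def dynafile_path(line, template_dir=DYNAFILE_DIR):
    """Expand the thread's template "%s/%%programname%%.log"."""
    _, tag, _ = parse_legacy(line)
    return "%s/%s.log" % (template_dir, program_name(tag))


def stays_in_dir(path, base=DYNAFILE_DIR):
    """Since programname never contains '/', the expanded file always lands
    directly inside the template's directory."""
    return os.path.dirname(os.path.normpath(path)) == base
```

Running `dynafile_path` over the samples yields `1.4.1.log`, `message.log`, `.log` and `y.log`, which is how the thread's odd file names arise.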