Good points and I probably see the reason for the internal messages. I
just happen to be on the road this week without access to the code. Will
fix next week.
Also, you are right that using the properties in file name generation
without further sanitizing is not a good thing. A solution needs to be
created.
Rainer
> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of
> Jan-Frode Myklebust
> Sent: Monday, August 27, 2007 11:07 PM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] per programname logs
>
> On 2007-08-27, Rainer Gerhards <rgerhards at hq.adiscon.com> wrote:
> > Can you let us know which strings it is set to? That would definitely
> > help troubleshooting (one lab less to do ;)).
>
> Not sure what you're asking.. I have this rsyslog.conf entry:
>
> $template PerAppLogs,"/var/log/rsyslog/apps/%programname%.log"
> *.* -?PerAppLogs
>
> which produces two log files "1.4.1.log" and "message.log" containing
>
> Aug 27 21:58:01 syslogd 1.4.1: restart.
> Aug 27 21:58:01 syslogd 1.4.1: restart.
> Aug 27 21:58:01 syslogd 1.4.1: restart.
>
> Aug 27 22:02:48 last message repeated 12 times
> Aug 27 22:02:49 last message repeated 6 times
> Aug 27 22:02:49 last message repeated 92 times
>
> respectively. I think that's all information I have.. plus maybe also
> say that the remote host logging this is likely RHEL3, RHEL4 or RHEL5
> with sysklogd sending the logs over standard udp (*.* @loghost).
>
> Another thing that scared me a bit is that from the same template I
> got a logfile named ".log" containing:
>
> Aug 27 22:00:01 censored1.domain.mgmt /usr/bin/sudo djksjdks
> : TTY=unknown ; PWD=/home/djksjdks ; USER=root ;
> COMMAND=/sbin/iptables-save
> Aug 27 22:00:01 censored2.domain.mgmt /usr/bin/sudo djksjdks
> : TTY=unknown ; PWD=/home/djksjdks ; USER=root ;
> COMMAND=/sbin/iptables-save
> Aug 27 22:00:02 censored3.domain.mgmt /usr/bin/sudo djksjdks
> : TTY=unknown ; PWD=/home/djksjdks ; USER=root ;
> COMMAND=/sbin/iptables-save
> Aug 27 22:00:17 censored4.domain.mgmt /usr/bin/sudo djksjdks
> : TTY=unknown ; PWD=/home/djksjdks ; USER=root ;
> COMMAND=/sbin/iptables-save
> Aug 27 22:00:17 censored5.domain.mgmt /usr/bin/sudo djksjdks
> : TTY=unknown ; PWD=/home/djksjdks ; USER=root ;
> COMMAND=/sbin/iptables-save
>
> which makes me think it tried to create the file /usr/bin/sudo.log..
> Wonder if it might be possible to make rsyslogd overwrite /etc/passwd
> with a sufficiently crafted %programname% string...
>
>
> -jf
>
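
The following is an added example, not part of the original messages and not rsyslog's own code. It sketches one way to sanitize a property value before it is substituted into the `PerAppLogs` template from the thread, so that the result stays a single file name component; the function names `sanitize_component` and `per_app_log_path` and the `_` replacement character are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not rsyslog code): copy an untrusted property value
 * into `out` so it is safe to use as ONE file name component.
 * Returns 0 on success, -1 if `out` is too small. */
int sanitize_component(const char *prop, char *out, size_t outlen)
{
    size_t n = strlen(prop);
    if (outlen == 0 || n >= outlen)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)prop[i];
        /* '/' would change directory; control bytes make names unreadable */
        out[i] = (c == '/' || c < 0x20 || c == 0x7f) ? '_' : (char)c;
    }
    out[n] = '\0';
    /* Empty, "." and ".." have no safe meaning as a file name component. */
    if (n == 0 || strcmp(out, ".") == 0 || strcmp(out, "..") == 0) {
        if (outlen < 2)
            return -1;
        strcpy(out, "_");
    }
    return 0;
}

/* Expand the thread's template "/var/log/rsyslog/apps/%programname%.log"
 * with a sanitized program name. Returns 0 on success, -1 on truncation. */
int per_app_log_path(const char *programname, char *path, size_t pathlen)
{
    char comp[256];
    if (sanitize_component(programname, comp, sizeof comp) != 0)
        return -1;
    int w = snprintf(path, pathlen, "/var/log/rsyslog/apps/%s.log", comp);
    return (w < 0 || (size_t)w >= pathlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs, modelled on the values seen in the thread. */
    const char *samples[] = { "syslogd", "/usr/bin/sudo", "", ".." };
    char path[512];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (per_app_log_path(samples[i], path, sizeof path) == 0)
            printf("%-16s -> %s\n", samples[i], path);
    return 0;
}
```

Because the sanitizer works on the property value rather than on the finished path, the directory part of the template stays under the administrator's control while every message-supplied byte is confined to the final component.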