Mailing List Archive

1.12.0 - Seg Faults
I'm having a problem with rsyslogd seg faulting. The daemon (1.12.0) is
running on RHEL 4 and the clients are FreeBSD 4.x & 5.x. It doesn't
seem to catch the name from the clients, leading to a seg fault. Ideas,
workarounds? Any help would be greatly appreciated!


-Dusty


# /usr/sbin/rsyslogd -d -r 0 -n
......
-1208042912: Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
-1208042912: Message length: 46, File descriptor: 12.
-1208042912: logmsg: daemon.notice<29>, flags 2, from (null), msg Oct 27 16:15:38 snort: GLOBAL CONFIG
Segmentation fault


server messages file contains:
----------
Oct 27 16:15:39 snort: ,-----------[Flow Config]----------------------
Oct 27 16:15:39 snort: | Stats Interval: 0
Oct 27 16:15:39 snort: | Hash Method: 2
Oct 27 16:15:39 snort: | Memcap: 10485760
Oct 27 16:15:39 snort: | Rows : 4099
Oct 27 16:15:39 snort: | Overhead Bytes: 32800(%0.31)
Oct 27 16:15:39 snort: `----------------------------------------------
Oct 27 16:15:39 snort: HttpInspect Config:


client messages file contains:
---------
Oct 27 10:00:03 fred snort: ,-----------[Flow Config]----------------------
Oct 27 10:00:03 fred snort: | Stats Interval: 0
Oct 27 10:00:03 fred snort: | Hash Method: 2
Oct 27 10:00:03 fred snort: | Memcap: 10485760
Oct 27 10:00:03 fred snort: | Rows : 4099
Oct 27 10:00:03 fred snort: | Overhead Bytes: 32800(%0.31)
Oct 27 10:00:03 fred snort: `----------------------------------------------
Oct 27 10:00:03 fred snort: HttpInspect Config:
Oct 27 10:00:03 fred snort: GLOBAL CONFIG
Oct 27 10:00:03 fred snort: Max Pipeline Requests: 0
Oct 27 10:00:03 fred snort: Inspection Type: STATELESS
Oct 27 10:00:03 fred snort: Detect Proxy Usage: NO
Oct 27 10:00:03 fred snort: IIS Unicode Map Filename: /etc/nsm/unicode.map
Oct 27 10:00:03 fred snort: IIS Unicode Map Codepage: 1252
Oct 27 10:00:03 fred snort: DEFAULT SERVER CONFIG:

1.12.0 - Seg Faults [ In reply to ]
Hi Dusty,

I first thought this was just a cosmetic problem with the printf. After
some review, I think the non-parsable hostname is really causing the
segfault. I have to admit I am a bit puzzled this did not show up
earlier. Anyhow, I'll see that I can do something against it today.

Rainer

On Fri, 2005-10-28 at 00:07, Dusty Hall wrote:

1.12.0 - Seg Faults [ In reply to ]
Dusty,

after some more testing, I am now back to thinking that the printf() is
just a cosmetic problem. The code I was suspecting to have a bug
actually is OK.

Anyhow, could you please replace the printf at the start of logmsg().
The new version is:

dprintf("logmsg: %s, flags %x, from '%s', msg %s\n",
textpri(pri), flags, getRcvFrom(pMsg), msg);

This is all on one line. Search for "logmsg:" in the code, that will
show you only the to-be-replaced line.

I think the problem will persist after applying this patch.

If so, I now suspect there is a problem with multithreading. It is
experimental, and that everything works well in my lab does not really
mean it will in practice. So if the bug persists, I would like you to
disable multitasking. This is easy. Just go to your Makefile and find
FEATURE_PTHREADS. Switch that from 1 to 0. Then, run

make clean
make
make install

After that, rsyslogd will run in single-threading mode. Please let me
know if the error then persists, too.

Please let me know the outcome.

Rainer

On Fri, 2005-10-28 at 08:46, Rainer Gerhards wrote:

1.12.0 - Seg Faults [ In reply to ]
Rainer,

First off, I really appreciate your help with this...

I just got through trying both ideas but neither work :(. It seg
faulted in the same place.

I tried running the daemon a little differently here and it actually
caught the name (bambam=xxx.xxx.xxx.xxx) but didn't write it to the log.
Thoughts?

/usr/sbin/rsyslogd -d -n -r 0 -l xxx.xxx.xxx.xxx (this version has both revisions applied)

Calling selet, active file descriptors (max 12): 3 12

Successful select, descriptor count = 1, Activity on: 12
Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
Message length: 47, File descriptor: 12.
logmsg: daemon.notice<29>, flags 2, from bambam, msg Oct 28 07:48:38 snort: GLOBAL CONFIG
Segmentation fault


server messages file:
-----
Oct 28 07:48:38 snort: Writing PID "47582" to file "/var/run//snort_fxp0.pid"
Oct 28 07:48:38 snort: Parsing Rules file /etc/nsm/snort.conf
Oct 28 07:48:38 snort: ,-----------[Flow Config]----------------------
Oct 28 07:48:38 snort: | Stats Interval: 0
Oct 28 07:48:38 snort: | Hash Method: 2
Oct 28 07:48:38 snort: | Memcap: 10485760
Oct 28 07:48:38 snort: | Rows : 4099
Oct 28 07:48:38 snort: | Overhead Bytes: 16400(%0.16)
Oct 28 07:48:38 snort: `----------------------------------------------
Oct 28 07:48:38 snort: HttpInspect Config:



>>> rgerhards at hq.adiscon.com 10/28/05 2:29 AM >>>

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog

1.12.0 - Seg Faults [ In reply to ]
Dusty,

sorry for the late reply, I actually overlooked the message :(

I think I need to set up a new lab. Looks like it actually has to do
with the message content. I've no indication from the code review, but
obviously there must be a bug hiding ;) I am not sure if I can do the
lab today as I am working on some really pressing things...

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Dusty Hall
> Sent: Friday, October 28, 2005 2:54 PM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] 1.12.0 - Seg Faults

1.12.0 - Seg Faults [ In reply to ]
Rainer,

No problem. FYI, this is also happening with OpenBSD :(.

Nov 1 13:35:05 syslogd: restart
Nov 1 13:35:05 /bsd: OpenBSD 3.7 (GENERIC) #312: Mon Mar 21 00:14:33 MST 2005
--- seg faults here ---


Thanks,

-Dusty


>>> rgerhards at hq.adiscon.com 11/02/05 2:19 am >>>

1.12.0 - Seg Faults [ In reply to ]
Dusty,

this one via the list, because it is of potential interest for others,
too.

Finally, I found the bug. I have to admit I was always thinking in the
wrong direction. Now that I got that straight, it was actually easy to
spot.

The actual cause is that there is a bug in the syslog TAG assignment
function. To fix this, search for MsgSetTag in syslogd.c. Replace it
with this code:

static void MsgAssignTAG(struct msg *pMsg, char *pBuf)
{
    assert(pMsg != NULL);
    /* pBuf is NULL when no TAG could be parsed; strlen(NULL) would fault */
    pMsg->iLenTAG = (pBuf == NULL) ? 0 : strlen(pBuf);
    pMsg->pszTAG = pBuf;
}

That will fix the abort. HOWEVER... the root cause (as you rightly said
;)) is that the BSD messages do not contain a host name. rsyslogd parses
according to RFC 3164, where a hostname is required. That RFC is not a
standard, so it is OK to send without a hostname. The bad news is that
there is nothing inside the message that you can use to detect whether a
hostname is present or not. The only solution I can think of is to
have the ability to configure custom parsers based on e.g. the message
sender. This is something that rsyslogd currently does not do. So for
the time being, the BSD syslog messages will have the TAG in the
HOSTNAME field. In many cases, you can probably live with that,
especially if you custom-format the templates and apply them on a
per-sender basis. The other alternative is to install rsyslogd on the
senders, too, because that will obviously relieve you of this issue.

So, I have mixed news ;) I hope it is still useful for you.

Rainer

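The parsing failure described in this message, as an added example that is not rsyslogd's own code: a hypothetical, simplified RFC 3164 header parser that, like rsyslogd 1.12, assumes a HOSTNAME field and is fed the two message shapes seen in this thread. On the BSD-style line the TAG lands in the hostname slot and no TAG is recognised, so the TAG helper is handed NULL; the guarded MsgAssignTAG handles that where an unconditional strlen() would fault. The struct msg layout (apart from the pszTAG/iLenTAG names), parse_rfc3164 and the sample lines are assumptions.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for rsyslogd's message object;
 * only pszTAG / iLenTAG mirror names used in the thread. */
struct msg {
    int   pri;             /* <PRI>: facility * 8 + severity          */
    char  timestamp[16];   /* "Mmm dd hh:mm:ss"                        */
    char  hostname[256];   /* whatever token sits in the HOSTNAME slot */
    char  tagbuf[33];      /* RFC 3164 limits the TAG to 32 characters */
    char *pszTAG;          /* NULL when no TAG was recognised          */
    int   iLenTAG;
};

/* Same shape as the fix posted above. The pre-fix helper did an
 * unconditional strlen(pBuf); with pBuf == NULL that is the segfault. */
static void MsgAssignTAG(struct msg *pMsg, char *pBuf)
{
    assert(pMsg != NULL);
    pMsg->iLenTAG = (pBuf == NULL) ? 0 : (int)strlen(pBuf);
    pMsg->pszTAG = pBuf;
}

/* Parse one BSD-syslog line: <PRI>TIMESTAMP HOSTNAME TAG: MSG.
 * Returns 0 on success, -1 on a malformed header. As in rsyslogd 1.12
 * the parser simply assumes a HOSTNAME token follows the timestamp;
 * nothing in the message says whether one is really there, so a sender
 * that omits it gets its TAG read as the hostname and no TAG at all. */
static int parse_rfc3164(const char *line, struct msg *pMsg)
{
    char *end;
    const char *p, *sp;
    size_t hlen, tlen;
    long pri;

    memset(pMsg, 0, sizeof *pMsg);
    if (*line != '<')
        return -1;
    pri = strtol(line + 1, &end, 10);
    if (*end != '>' || pri < 0 || pri > 191)
        return -1;
    pMsg->pri = (int)pri;
    p = end + 1;
    /* TIMESTAMP is fixed width: 15 bytes followed by one space. */
    if (strlen(p) < 16 || p[15] != ' ')
        return -1;
    memcpy(pMsg->timestamp, p, 15);
    pMsg->timestamp[15] = '\0';
    p += 16;
    /* HOSTNAME: the next space-delimited token, whatever it is. */
    sp = strchr(p, ' ');
    if (sp == NULL)
        return -1;
    hlen = (size_t)(sp - p);
    if (hlen == 0 || hlen >= sizeof pMsg->hostname)
        return -1;
    memcpy(pMsg->hostname, p, hlen);
    pMsg->hostname[hlen] = '\0';
    p = sp + 1;
    /* TAG: up to 32 bytes ended by ':' or '[' (TAG[pid]). Anything else
     * means no TAG was recognised, and the helper is handed NULL. */
    tlen = 0;
    while (p[tlen] != '\0' && p[tlen] != ':' && p[tlen] != '[' &&
           p[tlen] != ' ' && tlen < 32)
        tlen++;
    if (tlen > 0 && (p[tlen] == ':' || p[tlen] == '[')) {
        memcpy(pMsg->tagbuf, p, tlen);
        pMsg->tagbuf[tlen] = '\0';
        MsgAssignTAG(pMsg, pMsg->tagbuf);
    } else {
        MsgAssignTAG(pMsg, NULL);
    }
    return 0;
}

int main(void)
{
    /* Constructed samples modelled on the thread: the BSD shape (no
     * HOSTNAME) and the Linux shape that carries one. */
    const char *samples[] = {
        "<29>Oct 27 16:15:38 snort: GLOBAL CONFIG",
        "<29>Oct 27 10:00:03 fred snort: GLOBAL CONFIG",
    };
    struct msg m;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (parse_rfc3164(samples[i], &m) == 0)
            printf("host=%-8s tag=%-8s lenTAG=%d\n", m.hostname,
                   m.pszTAG != NULL ? m.pszTAG : "(null)", m.iLenTAG);
    }
    return 0;
}
```

Running it prints "snort:" as the hostname and "(null)" as the TAG for the BSD line, which is exactly the "TAG in the HOSTNAME field" outcome the message describes.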
On Fri, 2005-10-28 at 14:54, Dusty Hall wrote:
1.12.0 - Seg Faults [ In reply to ]
Rainer,

Thanks for the information. Do you know of any syslog daemons that
follow the correct RFC and are in the FreeBSD ports tree? If not, I'm
going the route of installing rsyslogd on the clients :). Thanks
again!


-Dusty


>>> rgerhards at hq.adiscon.com 11/04/05 10:00 am >>>
Dusty,

this one via the list, because it is of potential interest for others,
too.

Finally, I found the bug. I have to admit I always thought into the
wrong direction. Now that I got that straight, it was actually easy to
spot.

The actual cause is that there is a bug in the syslog TAG assignment
function. To fix this, search for MsgSetTag in syslogd.c. Replace it
with this code:

static void MsgAssignTAG(struct msg *pMsg, char *pBuf)
{
	assert(pMsg != NULL);
	/* a message with no TAG arrives with pBuf == NULL; strlen(NULL) would segfault */
	pMsg->iLenTAG = (pBuf == NULL) ? 0 : strlen(pBuf);
	pMsg->pszTAG = pBuf;
}

That will fix the abort. HOWEVER... the root cause (as you rightly said
;)) is that the BSD messages do not contain a host name. rsyslogd parses
according to RFC 3164, where a hostname is required. That RFC is no
standard, so it is OK to send without hostname. The bad news is that
there is nothing inside the message that you can use to detect if there
is a hostname present or not. The only solution I can think of is to
have the ability to configure custom parsers based on e.g. the message
sender. This is something that rsyslogd currently does not do. So for
the time being, the BSD syslog messages will have the TAG in the
HOSTNAME field. In many cases, you can probably live with that,
especially if you custom-format the templates and apply them on a
per-sender basis. The other alternative is to install rsyslogd on the
senders, too, because that will obviously relieve you of this issue.

So, I have mixed news ;) I hope it is still useful for you.

Rainer

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
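The header ambiguity and the NULL-TAG crash path that Rainer's 4 November message describes, as an added C example that is not rsyslog's code: a minimal RFC 3164 header parser in strict mode (HOSTNAME mandatory, the way 1.12.0 parses, so a hostname-less BSD message puts its TAG into HOSTNAME and leaves the TAG NULL), next to an assumed heuristic of my own (not rsyslog's) that treats a first token carrying a TAG delimiter as a message with no HOSTNAME. The struct msg layout, the take_token/extract_tag/parse_header names, the exact TAG-extraction rule and the sender address 192.0.2.10 are all constructed for this example.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

#define TS_LEN    15           /* RFC 3164 TIMESTAMP is exactly "Mmm dd hh:mm:ss" */
#define FIELD_MAX 64

/* Minimal stand-in for rsyslog's struct msg; constructed for this example. */
struct msg {
    char szHOST[FIELD_MAX];    /* HOSTNAME field as the parser saw it         */
    char szTAGbuf[FIELD_MAX];  /* storage for the TAG token, if one was found  */
    char *pszTAG;              /* NULL when no TAG could be extracted          */
    size_t iLenTAG;
    const char *pszMSG;        /* remainder of the packet after the header     */
};

/* NULL-safe TAG assignment, the shape of the fix posted to the list: a
 * message without a TAG must yield length 0 instead of strlen(NULL). */
static void MsgAssignTAG(struct msg *pMsg, char *pBuf)
{
    assert(pMsg != NULL);
    pMsg->iLenTAG = (pBuf == NULL) ? 0 : strlen(pBuf);
    pMsg->pszTAG = pBuf;
}

/* Copy the space-delimited token at *pp into dst, then advance *pp past it
 * and any following spaces. Returns the token length. */
static size_t take_token(const char **pp, char *dst, size_t cap)
{
    const char *p = *pp;
    size_t n = 0;
    while (*p != '\0' && *p != ' ' && n + 1 < cap)
        dst[n++] = *p++;
    dst[n] = '\0';
    while (*p == ' ')
        p++;
    *pp = p;
    return n;
}

/* TAG = leading process name of MSG, terminated by ':' or '['. The exact
 * rule rsyslog 1.12 applied is not on the list; this is a simplification.
 * Returns 1 and fills dst when a TAG is present, 0 when it is absent. */
static int extract_tag(const char *msg, char *dst, size_t cap)
{
    size_t n = 0;
    while (msg[n] != '\0' && msg[n] != ':' && msg[n] != '[' &&
           msg[n] != ' ' && n + 1 < cap)
        n++;
    if (n == 0 || (msg[n] != ':' && msg[n] != '['))
        return 0;              /* no delimiter: the message carries no TAG */
    memcpy(dst, msg, n);
    dst[n] = '\0';
    return 1;
}

/* Parse the packet body after PRI, e.g. "Oct 27 10:00:03 fred snort: text".
 * strict = 1: RFC 3164 layout, HOSTNAME mandatory (what 1.12.0 does, so a
 *             hostname-less BSD message lands its TAG in HOSTNAME and the
 *             TAG itself comes out NULL).
 * strict = 0: added heuristic, not rsyslog's own: if the token right after
 *             the timestamp already carries a TAG delimiter, assume the
 *             sender omitted HOSTNAME and record its address instead. This
 *             is guesswork: a BSD message whose TAG has no delimiter still
 *             parses as if that TAG were the hostname.
 * Returns 0 for a malformed timestamp, 1 otherwise. */
static int parse_header(const char *pkt, const char *sender, int strict,
                        struct msg *pMsg)
{
    char tok[FIELD_MAX];
    const char *p = pkt;
    int have_host = 1;

    memset(pMsg, 0, sizeof *pMsg);
    if (strlen(pkt) < TS_LEN + 1 || pkt[TS_LEN] != ' ')
        return 0;
    p += TS_LEN + 1;

    if (!strict) {
        const char *peek = p;  /* inspect the next token without consuming it */
        take_token(&peek, tok, sizeof tok);
        if (strchr(tok, ':') != NULL || strchr(tok, '[') != NULL)
            have_host = 0;
    }
    if (have_host)
        take_token(&p, pMsg->szHOST, FIELD_MAX);
    else
        strncpy(pMsg->szHOST, sender, FIELD_MAX - 1);

    pMsg->pszMSG = p;
    if (extract_tag(p, pMsg->szTAGbuf, FIELD_MAX))
        MsgAssignTAG(pMsg, pMsg->szTAGbuf);
    else
        MsgAssignTAG(pMsg, NULL);  /* the pre-fix code did strlen(NULL) here */
    return 1;
}
```

Fed the two sample lines from the thread, strict mode yields HOSTNAME "snort:" with a NULL TAG for the FreeBSD sender, which is exactly the state that made the unguarded strlen() abort; the heuristic mode recovers TAG "snort" and falls back to the sender address for HOSTNAME.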
1.12.0 - Seg Faults [ In reply to ]
Dusty,

Unfortunately, I do not know of any one. And I do not want to create a
wrong impression: RFC 3164 is not a standard but rather an informational
document. So nothing is harmed by not following it. The issue is "just"
that without that header format we cannot process it. I am currently
involved in work at the IETF that struggles to get a standard RFC
together. As it looks currently, that RFC will be very close to RFC
3164. So it is not bad to plan somewhat ahead ;)

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Dusty Hall
> Sent: Wednesday, November 09, 2005 5:53 PM
> To: rsyslog at lists.adiscon.com
> Subject: Re: [rsyslog] 1.12.0 - Seg Faults
>
>
> Rainer,
>
> Thanks for the information. Do you know of any syslog
> daemons that follow the correct RFC and are in the FreeBSD
> ports tree? If not, I'm going the route of installing
> rsyslogd on the clients :). Thanks again!
>
>
> -Dusty
1.12.0 - Seg Faults [ In reply to ]
Dusty,

I think I replied too soon ;) I've had another round of hard thinking on
the parsing issue. Though I do not yet have anything definite, I have
the impression that there is a way to make the parser smart enough to
handle BSD messages. So if you can wait a little longer, it might be
wise to do so...

On the route to the solution a question: The non-BSD systems you have:
are they using rsyslogd or any other syslogd? Basically, I am interested
to know if their messages contain the hostname and, if so, if the
message was generated by rsyslog (one of the solutions I have in mind is
an extension that would only work if the hostnames are only present in
messages sent from rsyslog).

Feedback appreciated.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of
> Rainer Gerhards
> Sent: Wednesday, November 09, 2005 9:29 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] 1.12.0 - Seg Faults
>
> Dusty,
>
> Unfortunately, I do not know of any one. And I do not want to create a
> wrong impression: RFC 3164 is not a standard but rather an informational
> document. So nothing is harmed by not following it. The issue is "just"
> that without that header format we cannot process it. I am currently
> involved in work at the IETF that struggles to get a standard RFC
> together. As it looks currently, that RFC will be very close to RFC
> 3164. So it is not bad to plan somewhat ahead ;)
>
> Rainer
1.12.0 - Seg Faults [ In reply to ]
Dusty,

actually, now that I had thought about what can be done, implementing it
was straightforward (surprisingly easy actually). Sometimes it pays to
think a little bit harder ;)

Anyhow... While it works in my lab, there is a certain part of guesswork
involved. I am not sure if it will work in your environment. I will send
you an updated syslogd.c via private mail, I'd appreciate if you could
give it a try.

Rainer
On Thu, 2005-11-10 at 09:05, Rainer Gerhards wrote:
> Dusty,
>
> I think I replied too soon ;) I've had another round of hard thinking on
> the parsing issue. Though I do not yet have anything definite, I have
> the impression that there is a way to make the parser smart enough to
> handle BSD messages. So if you can wait a little longer, it might be
> wise to do so...
>
> On the route to the solution a question: The non-BSD systems you have:
> are they using rsyslogd or any other syslogd? Basically, I am interested
> to know if their messages contain the hostname and, if so, if the
> message was generated by rsyslog (one of the solutions I have in mind is
> an extension that would only work if the hostnames are only present in
> messages sent from rsyslog).
>
> Feedback appreciated.
>
> Rainer
>
> > -----Original Message-----
> > From: rsyslog-bounces at lists.adiscon.com
> > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of
> > Rainer Gerhards
> > Sent: Wednesday, November 09, 2005 9:29 PM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] 1.12.0 - Seg Faults
> >
> > Dusty,
> >
> > Unfortunately, I do not know of any one. And I do not want to create a
> > wrong impression: RFC 3164 is not a standard but rather an
> > informational
> > document. So nothing is haremd by not following it. The issue
> > is "just"
> > that without that header format we can not process it. I am currently
> > involved in work at the IETF that struggles to get a standard RFC
> > together. As it looks currently, that RFC will be very close to RFC
> > 3164. So it is not bad to plan somewhat ahead ;)
> >
> > Rainer
> >
> > > -----Original Message-----
> > > From: rsyslog-bounces at lists.adiscon.com
> > > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of Dusty Hall
> > > Sent: Wednesday, November 09, 2005 5:53 PM
> > > To: rsyslog at lists.adiscon.com
> > > Subject: Re: [rsyslog] 1.12.0 - Seg Faults
> > >
> > >
> > > Rainer,
> > >
> > > Thanks for the information. Do you know of any syslog
> > > daemons that follow the correct RFC and are in the FreeBSD
> > > ports tree? If not, I'm going the route of installing
> > > rsyslogd on the clients :). Thanks again!
> > >
> > >
> > > -Dusty
> > >
> > >
> > > >>> rgerhards at hq.adiscon.com 11/04/05 10:00 am >>>
> > > Dusty,
> > >
> > > this one via the list, because it is of potential interest
> > for others,
> > > too.
> > >
> > > Finally, I found the bug. I have to admit I always thought in the
> > > wrong direction. Now that I got that straight, it was
> > actually easy to
> > > spot.
> > >
> > > The actual cause is that there is a bug in the syslog TAG assignment
> > > function. To fix this, search for MsgSetTag in syslogd.c. Replace it
> > > with this code:
> > >
> > > static void MsgAssignTAG(struct msg *pMsg, char *pBuf)
> > > {
> > >     /* pBuf is NULL when the message carries no TAG; strlen(NULL) crashed */
> > >     assert(pMsg != NULL);
> > >     pMsg->iLenTAG = (pBuf == NULL) ? 0 : strlen(pBuf);
> > >     pMsg->pszTAG = pBuf;
> > > }
> > >
> > > That will fix the abort. HOWEVER... the root cause (as you rightly
> > > said
> > > ;)) is that the BSD messages do not contain a host name. rsyslogd
> > > parses
> > > according to RFC 3164, where a hostname is required. That RFC is no
> > > standard, so it is OK to send without hostname. The bad news is that
> > > there is nothing inside the message that you can use to detect if
> > > there
> > > is a hostname present or not. The only solution I can think of is to
> > > have the ability to configure custom parsers based on e.g.
> > the message
> > > sender. This is something that rsyslogd currently does not
> > do. So for
> > > the time being, the BSD syslog messages will have the TAG in the
> > > HOSTNAME field. In many cases, you can probably live with that,
> > > especially if you custom-format the templates and apply them on a
> > > per-sender basis. The other alternative is to install rsyslogd on
> > > the
> > > senders, too, because that will obviously relieve you of this issue.
> > >
> > > So, I have mixed news ;) I hope it is still useful for you.
> > >
> > > Rainer
> > >
> > > On Fri, 2005-10-28 at 14:54, Dusty Hall wrote:
> > > > Rainer,
> > > >
> > > > First off, I really appreciate your help with this...
> > > >
> > > > I just got through trying both ideas but neither works
> > :(. It seg
> > > > faulted in the same place.
> > > >
> > > > I tried running the daemon a little differently here and
> > it actually
> > > > caught the name (bambam=xxx.xxx.xxx.xxx) but didn't write
> > it to the
> > > > log,
> > > > thoughts?
> > > >
> > > > /usr/sbin/rsyslogd -d -n -r 0 -l xxx.xxx.xxx.xxx (this
> > > version has
> > > > both
> > > > revisions applied)
> > > >
> > > > Calling selet, active file descriptors (max 12): 3 12
> > > >
> > > > Successful select, descriptor count = 1, Activity on: 12
> > > > Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
> > > > Message length: 47, File descriptor: 12.
> > > > logmsg: daemon.notice<29>, flags 2, from bambam, msg Oct
> > 28 07:48:38
> > > > snort: GLOBAL CONFIG
> > > > Segmentation fault
> > > >
> > > >
> > > > server messages file:
> > > > -----
> > > > Oct 28 07:48:38 snort: Writing PID "47582" to file
> > > > "/var/run//snort_fxp0.pid"
> > > > Oct 28 07:48:38 snort: Parsing Rules file /etc/nsm/snort.conf
> > > > Oct 28 07:48:38 snort: ,-----------[Flow
> > > Config]----------------------
> > > > Oct 28 07:48:38 snort: | Stats Interval: 0
> > > > Oct 28 07:48:38 snort: | Hash Method: 2
> > > > Oct 28 07:48:38 snort: | Memcap: 10485760
> > > > Oct 28 07:48:38 snort: | Rows : 4099
> > > > Oct 28 07:48:38 snort: | Overhead Bytes: 16400(%0.16)
> > > > Oct 28 07:48:38 snort:
> > > `----------------------------------------------
> > > > Oct 28 07:48:38 snort: HttpInspect Config:
> > > >
> > > >
> > > >
> > > > >>> rgerhards at hq.adiscon.com 10/28/05 2:29 AM >>>
> > > > Dusty,
> > > >
> > > > after some more testing, I am now back to thinking that
> > the printf()
> > > > is
> > > > just a cosmetic problem. The code I was suspecting to have a bug
> > > > actually is OK.
> > > >
> > > > Anyhow, could you please replace the printf at the start of
> > > logmsg().
> > > > The new version is:
> > > >
> > > > dprintf("logmsg: %s, flags %x, from '%s', msg %s\n",
> > > > textpri(pri), flags, getRcvFrom(pMsg), msg);
> > > >
> > > > This is all on one line. Search for "logmsg:" in the
> > code, that will
> > > > show you only the to-be-replaced line.
> > > >
> > > > I think the problem will persist after applying this patch.
> > > >
> > > > If so, I now suspect there is a problem with multithreading. It is
> > > > experimental, and that everything works well in my lab does not
> > > really
> > > > mean it will in practice. So if the bug persists, I would like you
> > > to
> > > > disable multitasking. This is easy. Just go to your Makefile and
> > > find
> > > > FEATURE_PTHREADS. Switch that from 1 to 0. Then, run
> > > >
> > > > make clean
> > > > make
> > > > make install
> > > >
> > > > After that, rsyslogd will run in single-threading mode.
> > Please let
> > > me
> > > > know if the error then persists, too.
> > > >
> > > > Please let me know the outcome.
> > > >
> > > > Rainer
> > > >
> > > > On Fri, 2005-10-28 at 08:46, Rainer Gerhards wrote:
> > > > > Hi Dusty,
> > > > >
> > > > > I first thought this was just a cosmetic problem with
> > the printf.
> > > > After
> > > > > some review, I think the non-parsable hostname is
> > really causing
> > > the
> > > > > segfault. I have to admit I am a bit puzzled this did
> > not show up
> > > > > earlier. Anyhow, I'll see that I can do something against it
> > > today.
> > > > >
> > > > > Rainer
> > > > >
> > > > > On Fri, 2005-10-28 at 00:07, Dusty Hall wrote:
> > > > > > I'm having a problem with rsyslogd seg faulting. The daemon
> > > > (1.12.0) is
> > > > > > running on RHEL 4 and the clients are FreeBSD 4.x & 5.x. It
> > > > doesn't
> > > > > > seem to catch the name from the clients leading to a
> > seg fault.
> > > > Ideas,
> > > > > > workarounds? Any help would be greatly appreciated!
> > > > > >
> > > > > >
> > > > > > -Dusty
> > > > > >
> > > > > >
> > > > > > # /usr/sbin/rsyslogd -d -r 0 -n
> > > > > > ......
> > > > > > -1208042912: Message from UDP inetd socket: #12, host:
> > > > xxx.xxx.xxx.xxx
> > > > > > -1208042912: Message length: 46, File descriptor: 12.
> > > > > > -1208042912: logmsg: daemon.notice<29>, flags 2,
> > from (null),
> > > msg
> > > > Oct 27
> > > > > > 16:15:38 snort: GLOBAL CONFIG
> > > > > > Segmentation fault
> > > > > >
> > > > > >
> > > > > > server messages file contains:
> > > > > > ----------
> > > > > > Oct 27 16:15:39 snort: ,-----------[Flow
> > > > Config]----------------------
> > > > > > Oct 27 16:15:39 snort: | Stats Interval: 0
> > > > > > Oct 27 16:15:39 snort: | Hash Method: 2
> > > > > > Oct 27 16:15:39 snort: | Memcap: 10485760
> > > > > > Oct 27 16:15:39 snort: | Rows : 4099
> > > > > > Oct 27 16:15:39 snort: | Overhead Bytes: 32800(%0.31)
> > > > > > Oct 27 16:15:39 snort:
> > > > `----------------------------------------------
> > > > > > Oct 27 16:15:39 snort: HttpInspect Config:
> > > > > >
> > > > > >
> > > > > > client messages file contains:
> > > > > > ---------
> > > > > > Oct 27 10:00:03 fred snort: ,-----------[Flow
> > > > > > Config]----------------------
> > > > > > Oct 27 10:00:03 fred snort: | Stats Interval: 0
> > > > > > Oct 27 10:00:03 fred snort: | Hash Method: 2
> > > > > > Oct 27 10:00:03 fred snort: | Memcap: 10485760
> > > > > > Oct 27 10:00:03 fred snort: | Rows : 4099
> > > > > > Oct 27 10:00:03 fred snort: | Overhead Bytes: 32800(%0.31)
> > > > > > Oct 27 10:00:03 fred snort:
> > > > > > `----------------------------------------------
> > > > > > Oct 27 10:00:03 fred snort: HttpInspect Config:
> > > > > > Oct 27 10:00:03 fred snort: GLOBAL CONFIG
> > > > > > Oct 27 10:00:03 fred snort: Max Pipeline Requests: 0
> > > > > > Oct 27 10:00:03 fred snort: Inspection Type:
> > > > STATELESS
> > > > > > Oct 27 10:00:03 fred snort: Detect Proxy Usage: NO
> > > > > > Oct 27 10:00:03 fred snort: IIS Unicode Map Filename:
> > > > > > /etc/nsm/unicode.map
> > > > > > Oct 27 10:00:03 fred snort: IIS Unicode Map
> > Codepage: 1252
> > > > > > Oct 27 10:00:03 fred snort: DEFAULT SERVER CONFIG:
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > _______________________________________________
> > > > > > rsyslog mailing list
> > > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog
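To make the crash and the parsing problem discussed in this thread concrete, here is an added example in C. It is my own code, not rsyslog's syslogd.c and not the algorithm Rainer committed to CVS (which the thread does not describe). It parses an RFC 3164 style header, tolerates senders that omit the HOSTNAME as the FreeBSD clients here do, and assigns the TAG NULL-safely in the way the MsgAssignTAG fix does. The struct msg layout, the names parse_bsd_syslog and looks_like_tag, and the hostname-versus-TAG heuristic (a token ending in ':' or containing '[' is taken to be the TAG) are assumptions made for this example; the sample lines are constructed from the debug output quoted above.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for rsyslog's struct msg with only the fields this example
 * needs; the layout is assumed for the example, not rsyslog's own. */
struct msg {
    int pri;
    char timestamp[16];   /* "Oct 27 16:15:38" is 15 characters */
    char hostname[64];    /* empty when the sender omitted it */
    char tag[64];         /* TAG with the trailing ':' removed */
    int iLenTAG;
    const char *pszTAG;   /* points into tag[], or NULL if no TAG */
    const char *text;     /* rest of the message (points into input) */
};

/* NULL-safe TAG assignment, the shape of the fix in the thread: the
 * length must never be computed from a NULL pointer. */
static void msg_assign_tag(struct msg *m, const char *tag)
{
    assert(m != NULL);
    m->iLenTAG = (tag == NULL) ? 0 : (int)strlen(tag);
    m->pszTAG = tag;
}

/* Heuristic (mine, not rsyslog's): an RFC 3164 HOSTNAME never ends in
 * ':' and never contains '['; a TAG such as "snort:" or "snort[123]:"
 * does. A TAG-looking token right after the timestamp therefore means
 * the sender omitted the hostname, as the FreeBSD clients did. */
static int looks_like_tag(const char *tok, size_t len)
{
    if (len == 0) return 0;
    if (tok[len - 1] == ':') return 1;
    return memchr(tok, '[', len) != NULL;
}

/* Parse "<PRI>Mmm dd hh:mm:ss [HOSTNAME ]TAG: MSG".
 * Returns 0 on success, -1 if the PRI or timestamp is malformed. */
int parse_bsd_syslog(const char *line, struct msg *m)
{
    memset(m, 0, sizeof *m);
    if (line[0] != '<') return -1;
    char *end;
    long pri = strtol(line + 1, &end, 10);
    if (*end != '>' || pri < 0 || pri > 191) return -1;
    m->pri = (int)pri;
    const char *p = end + 1;

    /* Fixed-width timestamp followed by exactly one space. */
    if (strlen(p) < 16 || p[15] != ' ') return -1;
    memcpy(m->timestamp, p, 15);
    m->timestamp[15] = '\0';
    p += 16;

    /* Next token is HOSTNAME, or already the TAG if none was sent. */
    const char *sp = strchr(p, ' ');
    size_t len = sp ? (size_t)(sp - p) : strlen(p);
    if (!looks_like_tag(p, len)) {
        if (len >= sizeof m->hostname) len = sizeof m->hostname - 1;
        memcpy(m->hostname, p, len);
        m->hostname[len] = '\0';
        if (sp == NULL) {            /* hostname only, no TAG at all */
            msg_assign_tag(m, NULL);
            m->text = "";
            return 0;
        }
        p = sp + 1;
        sp = strchr(p, ' ');
        len = sp ? (size_t)(sp - p) : strlen(p);
    }
    /* TAG token; drop the trailing ':' so "snort:" is stored as "snort". */
    size_t taglen = (len > 0 && p[len - 1] == ':') ? len - 1 : len;
    if (taglen >= sizeof m->tag) taglen = sizeof m->tag - 1;
    memcpy(m->tag, p, taglen);
    m->tag[taglen] = '\0';
    msg_assign_tag(m, taglen ? m->tag : NULL);
    m->text = sp ? sp + 1 : "";
    return 0;
}

int main(void)
{
    /* Constructed samples modelled on the debug output in the thread. */
    const char *samples[] = {
        "<29>Oct 27 16:15:38 snort: GLOBAL CONFIG",       /* no hostname */
        "<29>Oct 27 10:00:03 fred snort: GLOBAL CONFIG",  /* with hostname */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct msg m;
        if (parse_bsd_syslog(samples[i], &m) != 0) {
            printf("malformed: %s\n", samples[i]);
            continue;
        }
        printf("host='%s' tag='%s' (len %d) msg='%s'\n", m.hostname,
               m.pszTAG ? m.pszTAG : "(none)", m.iLenTAG, m.text);
    }
    return 0;
}
```

The heuristic only works because Snort's TAG carries a colon; a sender whose TAG has neither ':' nor '[' is indistinguishable from a hostname, which is exactly the guesswork the thread talks about. Where that ambiguity matters, a per-sender parser configuration, or running rsyslogd on the senders as Rainer suggests, remains the reliable answer.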
1.12.0 - Seg Faults [ In reply to ]
An update to the mailing list: I have worked with Dusty on further
improvements of the algorithm. As it looks currently, the new algo
properly detects messages without hostnames in them and processes them
accordingly. Currently, this functionality is only available via the CVS
server. I plan to release an official package some time next week, which
will then include that functionality. In the mean time, use anonymous
CVS.

Rainer

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of
> Rainer Gerhards
> Sent: Thursday, November 10, 2005 9:38 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] 1.12.0 - Seg Faults
>
> Dusty,
>
> actually, now that I had thought about what can be done,
> implementing it
> was straightforward (surprisingly easy actually). Sometimes it pays to
> think a little bit harder ;)
>
> Anyhow... While it works in my lab, there is a certain part
> of guesswork
> involved. I am not sure if it will work in your environment.
> I will send
> you an updated syslogd.c via private mail, I'd appreciate if you could
> give it a try.
>
> Rainer
> On Thu, 2005-11-10 at 09:05, Rainer Gerhards wrote:
> > Dusty,
> >
> > I think I replied too soon ;) I've had another round of
> hard thinking on
> > the parsing issue. Though I do not yet have anything
> definite, I have
> > the impression that there is a way to make the parser smart
> enough to
> > handle BSD messages. So if you can wait a little longer, it might be
> > wise to do so...
> >
> > On the route to the solution a question: The non-BSD
> systems you have:
> > are they using rsyslogd or any other syslogd? Basically, I
> am interested
> > to know if their messages contain the hostname and, if so, if the
> > message was generated by rsyslog (one of the solutions I
> have in mind is
> > an extension that would only work if the hostnames are only
> present in
> > messages sent from rsyslog).
> >
> > Feedback appreciated.
> >
> > Rainer
> >
> > > -----Original Message-----
> > > From: rsyslog-bounces at lists.adiscon.com
> > > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of
> > > Rainer Gerhards
> > > Sent: Wednesday, November 09, 2005 9:29 PM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] 1.12.0 - Seg Faults
> > >
> > > Dusty,
> > >
> > > Unfortunately, I do not know of any one. And I do not
> want to create a
> > > wrong impression: RFC 3164 is not a standard but rather an
> > > informational
> > > document. So nothing is harmed by not following it. The issue
> > > is "just"
> > > that without that header format we can not process it. I
> am currently
> > > involved in work at the IETF that struggles to get a standard RFC
> > > together. As it looks currently, that RFC will be very
> close to RFC
> > > 3164. So it is not bad to plan somewhat ahead ;)
> > >
> > > Rainer
> > >
> > > > -----Original Message-----
> > > > From: rsyslog-bounces at lists.adiscon.com
> > > > [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of
> Dusty Hall
> > > > Sent: Wednesday, November 09, 2005 5:53 PM
> > > > To: rsyslog at lists.adiscon.com
> > > > Subject: Re: [rsyslog] 1.12.0 - Seg Faults
> > > >
> > > >
> > > > Rainer,
> > > >
> > > > Thanks for the information. Do you know of any syslog
> > > > daemons that follow the correct RFC and are in the FreeBSD
> > > > ports tree? If not, I'm going the route of installing
> > > > rsyslogd on the clients :). Thanks again!
> > > >
> > > >
> > > > -Dusty
> > > >
> > > >
> > > > >>> rgerhards at hq.adiscon.com 11/04/05 10:00 am >>>
> > > > Dusty,
> > > >
> > > > this one via the list, because it is of potential interest
> > > for others,
> > > > too.
> > > >
> > > > Finally, I found the bug. I have to admit I always
> thought in the
> > > > wrong direction. Now that I got that straight, it was
> > > actually easy to
> > > > spot.
> > > >
> > > > The actual cause is that there is a bug in the syslog
> TAG assignment
> > > > function. To fix this, search for MsgSetTag in
> syslogd.c. Replace it
> > > > with this code:
> > > >
> > > > static void MsgAssignTAG(struct msg *pMsg, char *pBuf)
> > > > {
> > > >     /* pBuf is NULL when the message carries no TAG; strlen(NULL) crashed */
> > > >     assert(pMsg != NULL);
> > > >     pMsg->iLenTAG = (pBuf == NULL) ? 0 : strlen(pBuf);
> > > >     pMsg->pszTAG = pBuf;
> > > > }
> > > >
> > > > That will fix the abort. HOWEVER... the root cause (as
> you rightly
> > > > said
> > > > ;)) is that the BSD messages do not contain a host
> name. rsyslogd
> > > > parses
> > > > according to RFC 3164, where a hostname is required.
> That RFC is no
> > > > standard, so it is OK to send without hostname. The bad
> news is that
> > > > there is nothing inside the message that you can use to
> detect if
> > > > there
> > > > is a hostname present or not. The only solution I can
> think of is to
> > > > have the ability to configure custom parsers based on e.g.
> > > the message
> > > > sender. This is something that rsyslogd currently does not
> > > do. So for
> > > > the time being, the BSD syslog messages will have the TAG in the
> > > > HOSTNAME field. In many cases, you can probably live with that,
> > > > especially if you custom-format the templates and
> apply them on a
> > > > per-sender basis. The other alternative is to install
> rsyslogd on
> > > > the
> > > > senders, too, because that will obviously relieve you
> of this issue.
> > > >
> > > > So, I have mixed news ;) I hope it is still useful for you.
> > > >
> > > > Rainer
> > > >
> > > > On Fri, 2005-10-28 at 14:54, Dusty Hall wrote:
> > > > > Rainer,
> > > > >
> > > > > First off, I really appreciate your help with this...
> > > > >
> > > > > I just got through trying both ideas but neither works
> > > :(. It seg
> > > > > faulted in the same place.
> > > > >
> > > > > I tried running the daemon a little differently here and
> > > it actually
> > > > > caught the name (bambam=xxx.xxx.xxx.xxx) but didn't write
> > > it to the
> > > > > log,
> > > > > thoughts?
> > > > >
> > > > > /usr/sbin/rsyslogd -d -n -r 0 -l
> xxx.xxx.xxx.xxx (this
> > > > version has
> > > > > both
> > > > > revisions applied)
> > > > >
> > > > > Calling selet, active file descriptors (max 12): 3 12
> > > > >
> > > > > Successful select, descriptor count = 1, Activity on: 12
> > > > > Message from UDP inetd socket: #12, host: xxx.xxx.xxx.xxx
> > > > > Message length: 47, File descriptor: 12.
> > > > > logmsg: daemon.notice<29>, flags 2, from bambam, msg Oct
> > > 28 07:48:38
> > > > > snort: GLOBAL CONFIG
> > > > > Segmentation fault
> > > > >
> > > > >
> > > > > server messages file:
> > > > > -----
> > > > > Oct 28 07:48:38 snort: Writing PID "47582" to file
> > > > > "/var/run//snort_fxp0.pid"
> > > > > Oct 28 07:48:38 snort: Parsing Rules file /etc/nsm/snort.conf
> > > > > Oct 28 07:48:38 snort: ,-----------[Flow
> > > > Config]----------------------
> > > > > Oct 28 07:48:38 snort: | Stats Interval: 0
> > > > > Oct 28 07:48:38 snort: | Hash Method: 2
> > > > > Oct 28 07:48:38 snort: | Memcap: 10485760
> > > > > Oct 28 07:48:38 snort: | Rows : 4099
> > > > > Oct 28 07:48:38 snort: | Overhead Bytes: 16400(%0.16)
> > > > > Oct 28 07:48:38 snort:
> > > > `----------------------------------------------
> > > > > Oct 28 07:48:38 snort: HttpInspect Config:
> > > > >
> > > > >
> > > > >
> > > > > >>> rgerhards at hq.adiscon.com 10/28/05 2:29 AM >>>
> > > > > Dusty,
> > > > >
> > > > > after some more testing, I am now back to thinking that
> > > the printf()
> > > > > is
> > > > > just a cosmetic problem. The code I was suspecting to
> have a bug
> > > > > actually is OK.
> > > > >
> > > > > Anyhow, could you please replace the printf at the start of
> > > > logmsg().
> > > > > The new version is:
> > > > >
> > > > > dprintf("logmsg: %s, flags %x, from '%s', msg %s\n",
> > > > > textpri(pri), flags, getRcvFrom(pMsg), msg);
> > > > >
> > > > > This is all on one line. Search for "logmsg:" in the
> > > code, that will
> > > > > show you only the to-be-replaced line.
> > > > >
> > > > > I think the problem will persist after applying this patch.
> > > > >
> > > > > If so, I now suspect there is a problem with
> multithreading. It is
> > > > > experimental, and that everything works well in my
> lab does not
> > > > really
> > > > > mean it will in practice. So if the bug persists, I
> would like you
> > > > to
> > > > > disable multitasking. This is easy. Just go to your
> Makefile and
> > > > find
> > > > > FEATURE_PTHREADS. Switch that from 1 to 0. Then, run
> > > > >
> > > > > make clean
> > > > > make
> > > > > make install
> > > > >
> > > > > After that, rsyslogd will run in single-threading mode.
> > > Please let
> > > > me
> > > > > know if the error then persists, too.
> > > > >
> > > > > Please let me know the outcome.
> > > > >
> > > > > Rainer
> > > > >
> > > > > On Fri, 2005-10-28 at 08:46, Rainer Gerhards wrote:
> > > > > > Hi Dusty,
> > > > > >
> > > > > > I first thought this was just a cosmetic problem with
> > > the printf.
> > > > > After
> > > > > > some review, I think the non-parsable hostname is
> > > really causing
> > > > the
> > > > > > segfault. I have to admit I am a bit puzzled this did
> > > not show up
> > > > > > earlier. Anyhow, I'll see that I can do something against it
> > > > today.
> > > > > >
> > > > > > Rainer
> > > > > >
> > > > > > On Fri, 2005-10-28 at 00:07, Dusty Hall wrote:
> > > > > > > I'm having a problem with rsyslogd seg faulting.
> The daemon
> > > > > (1.12.0) is
> > > > > > > running on RHEL 4 and the clients are FreeBSD 4.x
> & 5.x. It
> > > > > doesn't
> > > > > > > seem to catch the name from the clients leading to a
> > > seg fault.
> > > > > Ideas,
> > > > > > > workarounds? Any help would be greatly appreciated!
> > > > > > >
> > > > > > >
> > > > > > > -Dusty
> > > > > > >
> > > > > > >
> > > > > > > # /usr/sbin/rsyslogd -d -r 0 -n
> > > > > > > ......
> > > > > > > -1208042912: Message from UDP inetd socket: #12, host:
> > > > > xxx.xxx.xxx.xxx
> > > > > > > -1208042912: Message length: 46, File descriptor: 12.
> > > > > > > -1208042912: logmsg: daemon.notice<29>, flags 2,
> > > from (null),
> > > > msg
> > > > > Oct 27
> > > > > > > 16:15:38 snort: GLOBAL CONFIG
> > > > > > > Segmentation fault
> > > > > > >
> > > > > > >
> > > > > > > server messages file contains:
> > > > > > > ----------
> > > > > > > Oct 27 16:15:39 snort: ,-----------[Flow
> > > > > Config]----------------------
> > > > > > > Oct 27 16:15:39 snort: | Stats Interval: 0
> > > > > > > Oct 27 16:15:39 snort: | Hash Method: 2
> > > > > > > Oct 27 16:15:39 snort: | Memcap: 10485760
> > > > > > > Oct 27 16:15:39 snort: | Rows : 4099
> > > > > > > Oct 27 16:15:39 snort: | Overhead Bytes: 32800(%0.31)
> > > > > > > Oct 27 16:15:39 snort:
> > > > > `----------------------------------------------
> > > > > > > Oct 27 16:15:39 snort: HttpInspect Config:
> > > > > > >
> > > > > > >
> > > > > > > client messages file contains:
> > > > > > > ---------
> > > > > > > Oct 27 10:00:03 fred snort: ,-----------[Flow
> > > > > > > Config]----------------------
> > > > > > > Oct 27 10:00:03 fred snort: | Stats Interval: 0
> > > > > > > Oct 27 10:00:03 fred snort: | Hash Method: 2
> > > > > > > Oct 27 10:00:03 fred snort: | Memcap: 10485760
> > > > > > > Oct 27 10:00:03 fred snort: | Rows : 4099
> > > > > > > Oct 27 10:00:03 fred snort: | Overhead Bytes:
> 32800(%0.31)
> > > > > > > Oct 27 10:00:03 fred snort:
> > > > > > > `----------------------------------------------
> > > > > > > Oct 27 10:00:03 fred snort: HttpInspect Config:
> > > > > > > Oct 27 10:00:03 fred snort: GLOBAL CONFIG
> > > > > > > Oct 27 10:00:03 fred snort: Max Pipeline
> Requests: 0
> > > > > > > Oct 27 10:00:03 fred snort: Inspection Type:
> > > > > STATELESS
> > > > > > > Oct 27 10:00:03 fred snort: Detect Proxy
> Usage: NO
> > > > > > > Oct 27 10:00:03 fred snort: IIS Unicode Map
> Filename:
> > > > > > > /etc/nsm/unicode.map
> > > > > > > Oct 27 10:00:03 fred snort: IIS Unicode Map
> > > Codepage: 1252
> > > > > > > Oct 27 10:00:03 fred snort: DEFAULT SERVER CONFIG: