On 10/23/2017 7:38 PM, deoren wrote:
> On 10/23/2017 7:11 PM, David Lang wrote:
>> do you have a tcpdump or info from Qualys saying what it sends as part
>> of the scan?
>> David Lang
>
> Thankfully (for troubleshooting purposes), the problem isn't specific to
> the Qualys scan. I later learned that messages coming from our ESXi
> hosts trigger the problem as well. It may be that ANY message arriving
> on an input where I'm attempting to check for an empty $!origin!hostname
> property is enough to trigger the segfault.
> That said, the messages sent by the Qualys scan along with messages I've
> seen coming from our ESXi hosts are often missing information (such as
> the hostname).
>
> I'll do further testing and post back.

According to what I captured with tcpdump, this is what Wireshark
translated the conversation as:

<166>2017-10-24T00:48:08.071Z vms1.example.com Hostd: [23140B70 verbose 'Solo.VmwareCLI' opID=hostd-3963 user=root] Result (type boolean) (wsdl boolean) (kind 1)
<166>2017-10-24T00:48:08.071Z vms1.example.com Hostd: [22DC2B70 verbose 'Hostsvc.SyslogConfigProvider'] Received syslog cli invalidation message
<166>2017-10-24T00:48:08.071Z vms1.example.com Hostd: [22DC2B70 verbose 'Hostsvc.SyslogConfigProvider'] Running '/sbin/localcli system syslog config get'
<166>2017-10-24T00:48:08.073Z vms1.example.com Hostd: [22DC2B70 info 'SysCommandPosix'] ForkExec(/sbin/localcli) 9164454
<166>2017-10-24T00:48:08.077Z vms1.example.com Hostd: [226B0B70 verbose 'Default' opID=hostd-10a7 user=root] CloseSession called for session id=0896d7c3-f4a1-d872-7b76-a01bf0543edf
<166>2017-10-24T00:48:08.077Z vms1.example.com Hostd: [226B0B70 info 'Vimsvc.ha-eventmgr' opID=hostd-10a7 user=root] Event 743 : User root@127.0.0.1 logged out (login time: Tuesday, 24 October, 2017 00:48:07, number of API invocations: 0, user agent: )
<166>2017-10-24T00:48:08.106Z vms1.example.com Rhttpproxy: [FF9CFB70 verbose 'Proxy Req 85506'] The client closed the stream, not unexpectedly.
<166>2017-10-24T00:48:08.408Z vms1.example.com Hostd: [22DC2B70 verbose 'Hostsvc.SyslogConfigProvider'] Running '/sbin/localcli system syslog config logger list'
<166>2017-10-24T00:48:08.409Z vms1.example.com Hostd: [22DC2B70 info 'SysCommandPosix'] ForkExec(/sbin/localcli) 916445

I'll next test with the logger command from a remote host and see where
that goes.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog