Public bug reported:

The rsyslog program mis-handles the "startswith_i" comparison when applied
to $programname.  Details follow:

Put this file in /etc/rsyslog.d/10-idallen.conf (it precedes all other
files):

    if ( $programname startswith 'foo' ) then {
        /var/log/idallen-cron.log
        stop
    }

Restart rsyslog:

    # /etc/init.d/rsyslog restart

Run these four tests:

    $ logger -t 'test' "This is: test"
    $ logger -t 'foo' "This is: foo"
    $ logger -t 'FOO' "This is: FOO"
    $ logger -t '/junk' "This is /junk"

Expected and correct result:

The file /var/log/syslog contains three lines (correct):

    Jan 14 23:08:09 ubuntu20 test: This is: test
    Jan 14 23:08:09 ubuntu20 FOO: This is: FOO
    Jan 14 23:08:09 ubuntu20 /junk: This is /junk

The file /var/log/idallen-cron.log contains just one line (correct):

    Jan 14 23:08:09 ubuntu20 foo: This is: foo


Now make this change: In the 10-idallen.conf file change "startswith"
to "startswith_i".  Restart rsyslog.  Run the four tests.  Here are the
unexpected and incorrect results:

The file /var/log/syslog contains just one line (should be two):

    Jan 14 23:08:09 ubuntu20 test: This is: test

The file /var/log/idallen-cron.log contains three lines (should be two):

    Jan 14 23:08:09 ubuntu20 foo: This is: foo
    Jan 14 23:08:09 ubuntu20 FOO: This is: FOO
    Jan 14 23:08:09 ubuntu20 /junk: This is /junk     <== SHOULD NOT BE HERE

The '/junk' line should *NOT* be matched using "startswith_i 'foo'".

The same bug happens using '[junk' as the tag.  Any number of blanks
may precede the / or the [ character and still cause the bug.

    $ logger -t '   /anything' "This also triggers the bug."
    $ logger -t '   [anything' "This also triggers the bug."

The bug did not appear when matching against $syslogtag:

    # This does not show the bug:
    if ( $syslogtag startswith_i 'foo' ) then {
        /var/log/idallen-cron.log
        stop
    }

I tried to use "startswith" and "startswith_i" to match against the
"$msg" instead of against "$programname" or "$syslogtag" but could not
get any match at all no matter what I used as my logger message text:

    # This never matches anything:
    if ( $msg startswith 'foo' ) then {
        /var/log/idallen-cron.log
        stop
    }

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: rsyslog 8.2001.0-1ubuntu1.1
ProcVersionSignature: Ubuntu 5.11.0-46.51~20.04.1-generic 5.11.22
Uname: Linux 5.11.0-46-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.21
Architecture: amd64
CasperMD5CheckResult: skip
Date: Sat Jan 15 02:02:24 2022
EcryptfsInUse: Yes
InstallationDate: Installed on 2020-10-07 (464 days ago)
InstallationMedia: Lubuntu 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731)
SourcePackage: rsyslog
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.logrotate.d.rsyslog: [modified]
mtime.conffile..etc.logrotate.d.rsyslog: 2020-12-27T12:21:35.307395

** Affects: rsyslog (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug focal third-party-packages

https://bugs.launchpad.net/bugs/1958005

Title:
  rsyslogd mishandles startswith_i against $programname
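
A check for the routed file after running the logger tests, added here as an example and not part of the original report. The helper name `misrouted` is hypothetical; it models `startswith` and `startswith_i` on the tag field and prints every line that should not have been routed. It assumes the traditional file format shown in the report, and the sample input is the three lines the report lists for /var/log/idallen-cron.log.

```shell
#!/bin/sh
# misrouted OP PREFIX FILE   (hypothetical helper, not part of rsyslog)
# OP is "startswith" (case-sensitive) or "startswith_i" (case-insensitive).
# Prints each line of FILE whose tag does NOT begin with PREFIX under OP,
# i.e. lines the filter in 10-idallen.conf should not have routed there.
# Assumes the line format "Mon DD HH:MM:SS host tag: message".
misrouted() {
    case "$1" in
        startswith)   fold=0 ;;
        startswith_i) fold=1 ;;
        *) echo "unknown operator: $1" >&2; return 2 ;;
    esac
    awk -v prefix="$2" -v fold="$fold" '
        {
            tag = $5            # fifth blank-separated field: "tag:" or "tag[pid]:"
            want = prefix
            if (fold) { tag = tolower(tag); want = tolower(want) }
            # index() == 1 means the tag begins with the prefix
            if (index(tag, want) != 1) print
        }
    ' "$3"
}

# Sample input: the three lines the report shows in
# /var/log/idallen-cron.log after switching to startswith_i.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Jan 14 23:08:09 ubuntu20 foo: This is: foo
Jan 14 23:08:09 ubuntu20 FOO: This is: FOO
Jan 14 23:08:09 ubuntu20 /junk: This is /junk
EOF

# Under startswith_i only the /junk line is reported as misrouted.
misrouted startswith_i foo "$sample"
```

On a live system, point the third argument at /var/log/idallen-cron.log instead of the sample file.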
