Jan-Frode Myklebust wrote:
> On 2007-08-27, Rainer Gerhards <[EMAIL PROTECTED]> wrote:
>> Can you let us know which strings it is set to? That would definitely
>> help troubleshooting (one lab less to do ;)).
>
> Not sure what you're asking.. I have this rsyslog.conf entry:
>
> $template PerAppLogs,"/var/log/rsyslog/apps/%programname%.log"
> *.* -?PerAppLogs
>
> which produces two log files "1.4.1.log" and "message.log" containing
>
> Aug 27 21:58:01 syslogd 1.4.1: restart.
> Aug 27 21:58:01 syslogd 1.4.1: restart.
> Aug 27 21:58:01 syslogd 1.4.1: restart.
>
> Aug 27 22:02:48 last message repeated 12 times
> Aug 27 22:02:49 last message repeated 6 times
> Aug 27 22:02:49 last message repeated 92 times
>
> respectively. I think that's all information I have.. plus maybe also
> say that the remote host logging this is likely RHEL3, RHEL4 or RHEL5
> with sysklogd sending the logs over standard udp (*.* @loghost).
>
> Another thing that scared me a bit is that from the same template I
> got a logfile named ".log" containing:
>
> Aug 27 22:00:01 censored1.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ;
> PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
> Aug 27 22:00:01 censored2.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ;
> PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
> Aug 27 22:00:02 censored3.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ;
> PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
> Aug 27 22:00:17 censored4.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ;
> PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
> Aug 27 22:00:17 censored5.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ;
> PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
>
> which makes me think it tried to create the file /usr/bin/sudo.log..
> Wonder if it might be possible to make rsyslogd overwrite /etc/passwd
> with a sufficiently crafted %programname% string...
>
Hi,

in your example above, %programname% was an empty string, so you've ended up with the logfile /var/log/rsyslog/apps/.log. Additionally, programname can't contain '/', so your example should be fairly safe.

The reason for files like 1.4.1.log being produced is in the way hostname and tag are parsed. For example, the message "s y s l o g: asdf" would have its hostname set to "s" and programname to "y".
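To make the parsing behaviour discussed in this thread concrete, here is a small added model (constructed for this page; it is not rsyslog's own parser and not code from either poster). It splits a BSD-syslog line the way the reply describes (first word after the timestamp is the hostname, the next word is the tag, programname is the tag cut at ':', '[' or '/'), computes the file the PerAppLogs template would write to, and checks that the result stays inside the template's directory. The timestamp format, the `is_confined` check and the `audit` helper are assumptions of this example; the sample lines are re-typed from the thread.

```python
"""Model of how a BSD-syslog line becomes hostname / tag / programname and
where a template like "/var/log/rsyslog/apps/%programname%.log" writes.
Constructed illustration of the behaviour described in the thread, not
rsyslog's own parser."""
import os
import re
from pathlib import PurePosixPath

# Directory from the PerAppLogs template in the thread.
LOG_DIR = PurePosixPath("/var/log/rsyslog/apps")

# Optional BSD-syslog timestamp such as "Aug 27 21:58:01 " (assumed format).
_TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")


def split_syslog_msg(line):
    """Split a line into (hostname, tag, msg).

    After the timestamp, the first space-delimited word is taken as the
    hostname and the next as the tag.  When the sender omitted the hostname,
    both words come from the message body: "syslogd 1.4.1: restart." gives
    hostname "syslogd" and tag "1.4.1:", and "s y s l o g: asdf" gives
    hostname "s" and tag "y".
    """
    rest = _TIMESTAMP.sub("", line, count=1)
    parts = rest.split(" ", 2)
    hostname = parts[0] if parts else ""
    tag = parts[1] if len(parts) > 1 else ""
    msg = parts[2] if len(parts) > 2 else ""
    return hostname, tag, msg


def programname_from_tag(tag):
    """programname is the tag up to the first ':', '[' or '/'.

    Stopping at '/' keeps a path separator out of the property, so a tag
    such as "/usr/bin/sudo" yields an empty programname, hence ".log".
    """
    return re.match(r"^[^:\[/]*", tag).group(0)


def logfile_for(line, log_dir=LOG_DIR):
    """Path the PerAppLogs template would produce for this line."""
    _, tag, _ = split_syslog_msg(line)
    return str(log_dir / (programname_from_tag(tag) + ".log"))


def is_confined(path, log_dir=LOG_DIR):
    """True if the normalised path still lies inside log_dir (assumed check)."""
    return os.path.normpath(path).startswith(str(log_dir) + "/")


def audit(lines, log_dir=LOG_DIR):
    """Return (file, confined, empty_programname) per line so an operator can
    see which messages land in odd buckets such as ".log"."""
    report = []
    for line in lines:
        _, tag, _ = split_syslog_msg(line)
        path = logfile_for(line, log_dir)
        report.append((path, is_confined(path, log_dir),
                       programname_from_tag(tag) == ""))
    return report


# Lines re-typed from the thread (constructed sample input; user already censored).
SAMPLE_LINES = [
    "Aug 27 21:58:01 syslogd 1.4.1: restart.",
    "Aug 27 22:02:48 last message repeated 12 times",
    "Aug 27 22:00:01 censored1.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; "
    "PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save",
    "s y s l o g: asdf",
]

if __name__ == "__main__":
    for line, (path, confined, empty) in zip(SAMPLE_LINES, audit(SAMPLE_LINES)):
        host, tag, _ = split_syslog_msg(line)
        print(f"{path:40} host={host!r:24} tag={tag!r:16} "
              f"confined={confined} empty={empty}")
```

Running it shows the three files from the thread (1.4.1.log, message.log and .log) and the "s"/"y" split from the reply; the `audit` output is the sort of check worth running over a sample of incoming lines when a template embeds a property taken from the message, since an empty or surprising programname is a sign that remote senders are formatting lines in a way the parser does not expect.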

