I was working on some liblognorm rules, and ran into something rather strange. First, here's an example rule (that works). This is my input being examined:
sshd[24833]: Invalid user champtest from 192.168.1.1
--<snip>----
prefix=sshd[%pid:number%]:
rule=: Invalid user champtest from %src-ip:ipv4%
--<snip>----
This works fine...
Normlize: [...@115 src-ip="98.224.46.168" pid="24500"]
So I add to it to grab the username, like thus:
--<snip>----
prefix=sshd[%pid:number%]:
rule=: Invalid user %user:word% from %src-ip:ipv4%
--<snip>----
This produces a segfault. However, this works:
--<snip>----
prefix=sshd[%pid:number%]:
rule=: %invalid:word% user %user:word% %from:word% %src-ip:ipv4%
--<snip>----
Normlize: [...@115 src-ip="98.224.46.168" from="from" user="champtest" invalid="Invalid" pid="24766"]
I changed the rule a little bit (dropped the prefix). This works:
--<snip>----
prefix=
rule=:sshd[%pid:number%]: %invalid:word% user %user:word% %from:word% %src-ip:ipv4%
--<snip>----
This works fine:
Normlize: [...@115 src-ip="98.224.46.168" from="from" user="champtest" invalid="Invalid" pid="24797"]
This causes a seg fault:
--<snip>----
prefix=
rule=:sshd[%pid:number%]: Invalid user %user:word% %from:word% %src-ip:ipv4%
--<snip>----
Can someone attempt to reproduce? It's really strange! I can
provide straces/gdb dumps if need be.
--
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
http://www.softwink.com
GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.

