I can reproduce with normalizer.c. Here's the information:

This is the syslog "input" I'm using:

    sshd[1234]: Invalid user champ from 192.168.0.1

Here's the rule that causes the segfault:

    prefix=
    rule=:sshd[%pid:number%]: Invalid user %user:word% from %src-ip:ipv4%

When normalizer is run, here's the output:

    backup src # cat trigger | ./normalizer -r testrule.txt
    To normalize: 'sshd[1234]: Invalid user champ from 192.168.0.1'
    Segmentation fault

If I change the rule to this:

    prefix=
    rule=:sshd[%pid:number%]: %invalid:word% user %user:word% from %src-ip:ipv4%

It works fine:

    backup src # cat trigger | ./normalizer -r testrule.txt
    To normalize: 'sshd[1234]: Invalid user champ from 192.168.0.1'
    normalized: '[...@115 src-ip="192.168.0.1" user="champ" invalid="Invalid" pid="1234"]'

Doing a little debugging, it appears the segfault happens here
(in the normalizer.c code):

    ln_normalize(ctx, str, &event);

This is using the stock normalizer.c that ships with
liblognorm-0.1.0. Let me know if there's any other testing you want
me to do, but it appears to be easily reproduced.

--
Champ Clark III | Softwink, Inc | 800-538-9357 x 101
http://www.softwink.com
GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
_______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com

