Thanks, this is very useful. I made good progress today and will probably be able to have at least a quick lock tomorrow and a more in-depth look (if at all required) on Wednesday.
Rainer > -----Original Message----- > From: [email protected] [mailto:rsyslog- > [email protected]] On Behalf Of Champ Clark III [Softwink] > Sent: Monday, January 10, 2011 6:46 PM > To: [email protected] > Subject: Re: [rsyslog] Strange liblognorm issue(s)... > > > I can reproduce with normalizer.c .... Here's the information: > This is the syslog "input" I'm using: > > sshd[1234]: Invalid user champ from 192.168.0.1 > > Here's the rule that causes the segfault: > > prefix= > rule=:sshd[%pid:number%]: Invalid user %user:word% from %src-ip:ipv4% > > When normalizer is run.. here's the output: > > backup src # cat trigger | ./normalizer -r testrule.txt > To normalize: 'sshd[1234]: Invalid user champ from 192.168.0.1' > Segmentation fault > > If I change the rule to this: > > prefix= > rule=:sshd[%pid:number%]: %invalid:word% user %user:word% from %src- > ip:ipv4% > > It works fine: > > backup src # cat trigger | ./normalizer -r testrule.txt > To normalize: 'sshd[1234]: Invalid user champ from 192.168.0.1' > normalized: '[...@115 src-ip="192.168.0.1" user="champ" > invalid="Invalid" pid="1234"]' > > Doing a little debugging, it appears the segfault happens here > (in the normalizer.c code).... > > ln_normalize(ctx, str, &event); > > This is using the stock normalizer.c that shipps with > liblognorm-0.1.0. Let me know if there's any other testing you want > me to do, but it appears to be easily reproduced. > > -- > Champ Clark III | Softwink, Inc | 800-538-9357 x 101 > http://www.softwink.com > > GPG Key ID: 58A2A58F > Key fingerprint = 7734 2A1C 007D 581E BDF7 6AD5 0F1F 655F 58A2 A58F > If it wasn't for C, we'd be using BASI, PASAL and OBOL. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
