On 10/23/2017 7:55 PM, deoren wrote:
On 10/23/2017 7:51 PM, deoren wrote:
On 10/23/2017 7:38 PM, deoren wrote:
On 10/23/2017 7:11 PM, David Lang wrote:
Do you have a tcpdump or info from Qualys saying what it sends as part of the scan?

David Lang



Thankfully (for troubleshooting purposes), the problem isn't specific to the Qualys scan. I later learned that messages coming from our ESXi hosts trigger the problem as well. It may be that ANY message arriving on an input where I'm attempting to check for an empty $!origin!hostname property is enough to trigger the segfault.

That said, the messages sent by the Qualys scan along with messages I've seen coming from our ESXi hosts are often missing information (such as the hostname).

I'll do further testing and post back.

According to what I captured with tcpdump, this is what Wireshark translated the conversation as:

<166>2017-10-24T00:48:08.071Z vms1.example.com Hostd: [23140B70 verbose 'Solo.VmwareCLI' opID=hostd-3963 user=root] Result (type boolean) (wsdl boolean) (kind 1)
<166>2017-10-24T00:48:08.071Z vms1.example.com Hostd: [22DC2B70 verbose 'Hostsvc.SyslogConfigProvider'] Received syslog cli invalidation message
<166>2017-10-24T00:48:08.071Z vms1.example.com Hostd: [22DC2B70 verbose 'Hostsvc.SyslogConfigProvider'] Running '/sbin/localcli system syslog config get'
<166>2017-10-24T00:48:08.073Z vms1.example.com Hostd: [22DC2B70 info 'SysCommandPosix'] ForkExec(/sbin/localcli)  9164454
<166>2017-10-24T00:48:08.077Z vms1.example.com Hostd: [226B0B70 verbose 'Default' opID=hostd-10a7 user=root] CloseSession called for session id=0896d7c3-f4a1-d872-7b76-a01bf0543edf
<166>2017-10-24T00:48:08.077Z vms1.example.com Hostd: [226B0B70 info 'Vimsvc.ha-eventmgr' opID=hostd-10a7 user=root] Event 743 : User root@127.0.0.1 logged out (login time: Tuesday, 24 October, 2017 00:48:07, number of API invocations: 0, user agent: )
<166>2017-10-24T00:48:08.106Z vms1.example.com Rhttpproxy: [FF9CFB70 verbose 'Proxy Req 85506'] The client closed the stream, not unexpectedly.
<166>2017-10-24T00:48:08.408Z vms1.example.com Hostd: [22DC2B70 verbose 'Hostsvc.SyslogConfigProvider'] Running '/sbin/localcli system syslog config logger list'
<166>2017-10-24T00:48:08.409Z vms1.example.com Hostd: [22DC2B70 info 'SysCommandPosix'] ForkExec(/sbin/localcli)  916445

I'll next test with the logger command from a remote host and see where that goes.

logger --tcp --port 514 --server sawmill3.example.com "hello!"

That's enough to cause a segfault.

https://github.com/rsyslog/rsyslog/issues/1920

I've tried to supply everything I could to help reproduce the problem. Based on my testing, the problem also exists in the 8.16 version that is included with Ubuntu 16.04.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog