Date: Fri, 30 Nov 2001 20:16:51 -0800 (PST)
From: Brett Glass <brett@lariat.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: bin/32420: syslogd accumulates "repeated" messages when piping to programs when the program may want to take immediate action
Message-ID: <200112010416.fB14GpG18467@freefall.freebsd.org>

>Number:         32420
>Category:       bin
>Synopsis:       syslogd accumulates "repeated" messages when piping to programs when the program may want to take immediate action
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 30 20:20:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Brett Glass
>Release:        4.4-RELEASE and all previous
>Organization:
>Environment:
>Description:
FreeBSD's syslogd has a "repeat counting" feature, implemented by Eric
Allman, which is designed to save file space and prevent flooding of the
console with messages. Unfortunately, because it also works when messages
are piped to a log monitoring program, it prevents a log monitor from
seeing the stream of messages and taking appropriate action (e.g.
blackholing an attacker).

While it's a good idea to do repeat counting when the destination of log
messages is a file, a user, or the console, it should be disabled when the
output is piped.
>How-To-Repeat:
>Fix:
Here's the original code:

        /*
         * suppress duplicate lines to this file
         */
        if ((flags & MARK) == 0 && msglen == f->f_prevlen &&
            !strcmp(msg, f->f_prevline) &&
            !strcasecmp(from, f->f_prevhost)) {
                (void)strncpy(f->f_lasttime, timestamp, 15);
                f->f_prevcount++;

Add

        f->f_type != F_PIPE

to the ANDed conditions in the initial if, preferably before the string
length comparison.

P.S. -- What are all those comments in the source about a "hollow laugh?"
>Release-Note:
>Audit-Trail:
>Unformatted:
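
A minimal C model of the duplicate-suppression test quoted in the report, with the proposed `f->f_type != F_PIPE` condition added, so the effect on a piped log monitor can be compared with a file destination. This is an added example, not syslogd's source or the submitter's code; the struct layout, constant values, the `f_delivered` counter, the `log_one` and `deliveries` helpers and the sample message are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Stand-ins for syslogd.c definitions; values and layout are assumed. */
enum { MARK = 0x008, F_FILE = 1, F_PIPE = 2 };

struct filed {
    int    f_type;
    char   f_prevline[256], f_prevhost[64], f_lasttime[16];
    size_t f_prevlen;
    int    f_prevcount;   /* repeats held back, reported later as a count */
    int    f_delivered;   /* hypothetical counter: messages written out */
};

/* Returns 1 if the message is written now, 0 if it is only counted. */
int log_one(struct filed *f, int flags, const char *from,
            const char *timestamp, const char *msg)
{
    size_t msglen = strlen(msg);
    /* the report's condition plus the proposed f_type != F_PIPE test */
    if ((flags & MARK) == 0 && f->f_type != F_PIPE &&
        msglen == f->f_prevlen && !strcmp(msg, f->f_prevline) &&
        !strcasecmp(from, f->f_prevhost)) {
        (void)strncpy(f->f_lasttime, timestamp, 15);
        f->f_lasttime[15] = '\0';
        f->f_prevcount++;
        return 0;
    }
    snprintf(f->f_prevline, sizeof f->f_prevline, "%s", msg);
    snprintf(f->f_prevhost, sizeof f->f_prevhost, "%s", from);
    f->f_prevlen = strlen(f->f_prevline);
    f->f_delivered++;
    return 1;
}

/* Feed n identical constructed messages; return how many are written out. */
int deliveries(int type, int n)
{
    struct filed f = { .f_type = type };
    for (int i = 0; i < n; i++)
        log_one(&f, 0, "gw", "Nov 30 20:16:51", "login failed from 192.0.2.7");
    return f.f_delivered;
}
int main(void)
{
    printf("file=%d pipe=%d\n", deliveries(F_FILE, 5), deliveries(F_PIPE, 5));
    return 0;
}
```

With the extra condition, a file destination still writes one line and holds back the repeats, while a pipe destination passes every message to the monitoring program as it arrives.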