From owner-freebsd-bugs Fri Nov 30 20:20: 8 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Message-Id: <200112010416.fB14GpG18467@freefall.freebsd.org>
Date: Fri, 30 Nov 2001 20:16:51 -0800 (PST)
From: Brett Glass
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: bin/32420: syslogd accumulates "repeated" messages when piping to programs when the program may want to take immediate action
Sender: owner-freebsd-bugs@FreeBSD.ORG

>Number:         32420
>Category:       bin
>Synopsis:       syslogd accumulates "repeated" messages when piping to programs when the program may want to take immediate action
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 30 20:20:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Brett Glass
>Release:        4.4-RELEASE and all previous
>Organization:
>Environment:
>Description:
FreeBSD's syslogd has a "repeat counting" feature, implemented by Eric
Allman, which is designed to save file space and prevent flooding of the
console with messages.

Unfortunately, because it also works when messages are piped to a log
monitoring program, it prevents a log monitor from seeing the stream of
messages and taking appropriate action (e.g. blackholing an attacker).

While it's a good idea to do repeat counting when the destination of log
messages is a file, a user, or the console, it should be disabled when the
output is piped.
>How-To-Repeat:
>Fix:
Here's the original code:

        /*
         * suppress duplicate lines to this file
         */
        if ((flags & MARK) == 0 && msglen == f->f_prevlen &&
            !strcmp(msg, f->f_prevline) &&
            !strcasecmp(from, f->f_prevhost)) {
                (void)strncpy(f->f_lasttime, timestamp, 15);
                f->f_prevcount++;

Add

        f->f_type != F_PIPE

to the ANDed conditions in the initial if, preferably before the string
length comparison.

P.S. -- What are all those comments in the source about a "hollow laugh?"
>Release-Note:
>Audit-Trail:
>Unformatted:
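
Added example (not part of the PR and not syslogd's own source): a reduced C model of the duplicate-suppression test with the proposed f->f_type != F_PIPE condition, showing a burst of identical lines collapsing for a file destination while a piped monitor receives each one. The struct layout, the constant values, log_to() and delivered_after_burst() are assumptions made for this model, and the later "repeated N times" flush is left out.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-ins for syslogd's definitions; the values are assumptions. */
enum { F_FILE = 1, F_PIPE = 2 };
#define MARK 0x008

struct filed {
    int    f_type;            /* destination type */
    char   f_prevline[256];   /* last message delivered */
    char   f_prevhost[64];    /* host that sent it */
    size_t f_prevlen;
    int    f_prevcount;       /* repeats held back since then */
    int    f_delivered;       /* model only: lines written to the destination */
};

/* Returns 1 when the line reaches the destination now, 0 when it is only counted. */
static int log_to(struct filed *f, int flags, const char *from, const char *msg)
{
    size_t msglen = strlen(msg);
    /* Duplicate suppression with the PR's extra test placed before the length check. */
    if ((flags & MARK) == 0 && f->f_type != F_PIPE &&
        msglen == f->f_prevlen &&
        !strcmp(msg, f->f_prevline) &&
        !strcasecmp(from, f->f_prevhost)) {
        f->f_prevcount++;
        return 0;
    }
    f->f_prevcount = 0;
    f->f_prevlen = msglen;
    snprintf(f->f_prevline, sizeof(f->f_prevline), "%s", msg);
    snprintf(f->f_prevhost, sizeof(f->f_prevhost), "%s", from);
    f->f_delivered++;
    return 1;
}

/* Send n identical lines (constructed sample) and report how many were delivered. */
int delivered_after_burst(int type, int n)
{
    struct filed f = { .f_type = type };
    for (int i = 0; i < n; i++)
        log_to(&f, 0, "gw.example.test", "login failed for root from 192.0.2.7");
    return f.f_delivered;
}

int main(void)
{
    printf("file %d/5, pipe %d/5\n", delivered_after_burst(F_FILE, 5), delivered_after_burst(F_PIPE, 5));
    return 0;
}
```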