Bug #3292 (closed)

Syslog-ng accidentally gzips SSL key file + fix

Added by Zaphod Beeblebrox over 10 years ago. Updated over 9 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 10/25/2013
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Affected Version: 2.1
Affected Plus Version:
Affected Architecture: All

Description

First off, pfSense is awesome, you folks rock.

Second off, there's a hilariously annoying bug with syslog-ng when it's configured to use SSL tunnels that results in the tunnel breaking after 24 hours.

Here's the deal and a proposed fix:

The syslog-ng package automagically generates a logrotate file at: /usr/local/etc/logrotate.conf

That file contains rotation entries for each of the destination files syslog-ng is writing to. Those destination files are identified by the syslogng_get_log_files function in /usr/local/pkg/syslog-ng.inc which loops through each of the destination objects and uses a regex to parse out directories for lines that include the keyword 'file', which typically look like this:

{ file("/var/syslog-ng/default.log"); };

Generating a logrotate config for local files in this way makes perfect sense and it's the sort of classy, thoughtful feature that makes pfSense so great.

The problem is that if you're sending your syslog-ng messages to a remote syslog-ng server using an SSL tunnel you're going to have a destination configuration object with lines that include the variables 'key_file' and 'cert_file':

{
  tcp("10.0.1.200" port(5140)
    tls( ca_dir("/<pathtosyslogca>/ca/")
         key_file("/<pathtokeyfiles>/server.key")
         cert_file("/<pathtocertfiles>/server.crt")) );
};

When this sort of destination object exists, it also gets read in by the loop in syslogng_get_log_files, the key_file variable gets parsed by the regex, and then the path to the key_file gets automagically added to the logrotate.conf file. This results in the SSL key_file getting gzip compressed and renamed to server.key.gz.1 every night. Needless to say, this breaks the syslog-ng tunnel, causes remote logging to fail, and leads to much wailing and gnashing of teeth.

The fix is to modify the regex in line 238 of syslog-ng.inc to be a bit more picky about who it rotates, taking it from:

preg_match("/file\(['\"]([^'\"]*)['\"]/", base64_decode($object['objectparameters']), $match);

to something more like:

preg_match("/[^_]file\(['\"]([^'\"]*)['\"]/", base64_decode($object['objectparameters']), $match);

which will enable the regex to match against the plain file keyword but not against the key_file or cert_file keywords.
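Added example, not part of the bug report or of the pfSense syslog-ng package: the original and proposed regexes from the report, run with Python's re (same syntax for these patterns as PHP's preg_match) over constructed, base64-encoded destination-object text like the package stores. It also shows one edge case the proposed pattern misses (file( at the very start of the parameters) and a stricter lookbehind variant, which is my assumption, not something the report proposes.

```python
import base64
import re

# Constructed sample destination objects, base64-encoded as the pfSense
# syslog-ng package stores $object['objectparameters'] (sample data, not from the report).
LOCAL_FILE_DEST = base64.b64encode(
    b'{ file("/var/syslog-ng/default.log"); };'
).decode()
TLS_DEST = base64.b64encode(
    b'{\n'
    b'  tcp("10.0.1.200" port(5140)\n'
    b'    tls( ca_dir("/etc/syslog-ng/ca/")\n'
    b'         key_file("/etc/syslog-ng/server.key")\n'
    b'         cert_file("/etc/syslog-ng/server.crt")) );\n'
    b'};'
).decode()
# Edge case: 'file(' with nothing in front of it at all.
BARE_DEST = base64.b64encode(b'file("/var/log/bare.log");').decode()

# Regex from the original syslog-ng.inc: 'file(' also matches inside key_file( / cert_file(.
ORIGINAL_RE = re.compile(r"""file\(['"]([^'"]*)['"]""")
# Regex proposed in the report: one non-underscore character must precede 'file('.
PROPOSED_RE = re.compile(r"""[^_]file\(['"]([^'"]*)['"]""")
# Assumed stricter variant (not from the report): a negative lookbehind rejects
# any word character before 'file(' and still matches at the start of the string.
STRICT_RE = re.compile(r"""(?<!\w)file\(['"]([^'"]*)['"]""")


def rotate_targets(encoded_params, pattern):
    """Return every path the given regex would hand to logrotate for this object."""
    text = base64.b64decode(encoded_params).decode()
    return pattern.findall(text)


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL_RE), ("proposed", PROPOSED_RE), ("strict", STRICT_RE)):
        print(name, "local:", rotate_targets(LOCAL_FILE_DEST, pat))
        print(name, "tls:  ", rotate_targets(TLS_DEST, pat))
        print(name, "bare: ", rotate_targets(BARE_DEST, pat))
```

With the original pattern the TLS destination yields the private key and certificate paths, exactly the files that ended up gzipped; the proposed pattern drops them but also drops the bare edge case, which the lookbehind keeps.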

Actions #1

Updated by Renato Botelho over 10 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Applied in changeset commit:c030cf2781c7bbef197db6f07facef35b6856c8e.

Actions #2

Updated by Chris Buechler over 9 years ago

  • Status changed from Feedback to Resolved