Project

General

Profile

Bug #8631

syslog-ng - logrotate incorrectly configured to rotate TLS key

Added by Aaron Morris about 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Normal-package
Assignee:
Category:
syslog-ng
Target version:
Start date:
07/10/2018
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.4.3_1
Affected Architecture:

Description

I noticed recently a pfSense device stopped logging to our remote TLS syslog server. After investigating, I found the TLS key had been automatically configured to be archived and rotated like a log file.

syslog-ng config:

Object name: D_TLSSYSLOG
Object type: Destination
Object parameters:

{
  network("syslog.example.com" port(6514)
    transport("tls")
    tls(
      ca-dir("/home/user/syslog")
      key-file("/home/user/syslog/syslog-client.key")
      cert-file("/home/user/syslog/syslog-client.crt")
      peer_verify(required-untrusted)
    )
  );
};

Resulting /usr/local/etc/logrotate.conf

# This file is automatically generated by pfSense
# Do not edit manually !
/home/user/syslog/syslog-client.key /var/syslog-ng/default.log {
    rotate 30
    daily
    compress
    postrotate
        kill -s HUP `cat /var/run/syslog-ng.pid`
    endscript
}

History

#1 Updated by Aaron Morris about 1 year ago

I found the offending regex in /usr/local/pkg/syslog-ng.inc

The regex appears to be too broad and does not take into account that the possible certificate configuration.

    177 function syslogng_get_log_files($objects) {
    178         $log_files = array();
    179
    180         foreach ($objects as $object) {
    181                 if ($object['objecttype'] == 'destination') {
    182                         preg_match("/\bfile\b\(['\"]([^'\"]*)['\"]/", base64_decode($object['objectparameters']), $match);
    183                         if ($match) {
    184                                 $log_file = $match[1];
    185                                 array_push($log_files, $log_file);
    186                         }
    187                 }
    188         }
    189
    190         return $log_files;
    191 }

#2 Updated by Aaron Morris about 1 year ago

I have found a workaround. syslog-ng supports both key-file and key_file syntax. Using the underscore does not match the current regex.

ca-dir becomes ca_dir
key-file becomes key_file
cert-file becomes cert_file

I still consider this to be a bug in the syslog-ng package, though.

#3 Updated by Jim Thompson about 1 year ago

  • Assignee set to Jim Pingle
  • Target version set to 2.4.4

#4 Updated by Jim Pingle about 1 year ago

  • Status changed from New to This Sprint

#5 Updated by Steve Beaver about 1 year ago

  • Priority changed from Normal to Normal-package

#6 Updated by Jim Pingle about 1 year ago

  • Status changed from This Sprint to Feedback

Fix pushed, will be up shortly in syslog-ng v 1.15_1

#7 Updated by Jim Pingle about 1 year ago

  • Status changed from Feedback to Resolved

Also available in: Atom PDF