Project

General

Profile

Actions
Copy link

Bug #8631

closed

syslog-ng - logrotate incorrectly configured to rotate TLS key

Added by Aaron Morris over 6 years ago. Updated about 6 years ago.

Status:
Resolved
Priority:
Normal-package
Assignee:
Jim Pingle
Category:
syslog-ng
Target version:
pfSense - 2.4.4
Start date:
07/10/2018
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.4.3_1
Affected Plus Version:
Affected Architecture:

Description

I noticed recently a pfSense device stopped logging to our remote TLS syslog server. After investigating, I found the TLS key had been automatically configured to be archived and rotated like a log file.

syslog-ng config:

Object name: D_TLSSYSLOG
Object type: Destination
Object parameters:

{
  network("syslog.example.com" port(6514)
    transport("tls")
    tls(
      ca-dir("/home/user/syslog")
      key-file("/home/user/syslog/syslog-client.key")
      cert-file("/home/user/syslog/syslog-client.crt")
      peer_verify(required-untrusted)
    )
  );
};

Resulting /usr/local/etc/logrotate.conf

# This file is automatically generated by pfSense
# Do not edit manually !
/home/user/syslog/syslog-client.key /var/syslog-ng/default.log {
    rotate 30
    daily
    compress
    postrotate
        kill -s HUP `cat /var/run/syslog-ng.pid`
    endscript
}

Actions
Copy link
 #1

Updated by Aaron Morris over 6 years ago

I found the offending regex in /usr/local/pkg/syslog-ng.inc

The regex appears to be too broad and does not take into account that the possible certificate configuration.

    177 function syslogng_get_log_files($objects) {
    178         $log_files = array();
    179
    180         foreach ($objects as $object) {
    181                 if ($object['objecttype'] == 'destination') {
    182                         preg_match("/\bfile\b\(['\"]([^'\"]*)['\"]/", base64_decode($object['objectparameters']), $match);
    183                         if ($match) {
    184                                 $log_file = $match[1];
    185                                 array_push($log_files, $log_file);
    186                         }
    187                 }
    188         }
    189
    190         return $log_files;
    191 }
Actions
Copy link
 #2

Updated by Aaron Morris over 6 years ago

I have found a workaround. syslog-ng supports both key-file and key_file syntax. Using the underscore does not match the current regex.

ca-dir becomes ca_dir
key-file becomes key_file
cert-file becomes cert_file

I still consider this to be a bug in the syslog-ng package, though.

Actions
Copy link
 #3

Updated by Jim Thompson over 6 years ago

  • Assignee set to Jim Pingle
  • Target version set to 2.4.4
Actions
Copy link
 #4

Updated by Jim Pingle over 6 years ago

  • Status changed from New to 13
Actions
Copy link
 #5

Updated by Anonymous over 6 years ago

  • Priority changed from Normal to Normal-package
Actions
Copy link
 #6

Updated by Jim Pingle over 6 years ago

  • Status changed from 13 to Feedback

Fix pushed, will be up shortly in syslog-ng v 1.15_1

Actions
Copy link
 #7

Updated by Jim Pingle about 6 years ago

  • Status changed from Feedback to Resolved
Actions
Copy link

Also available in: Atom PDF