Date:      Fri, 30 Nov 2001 20:16:51 -0800 (PST)
From:      Brett Glass <brett@lariat.org>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   bin/32420: syslogd accumulates "repeated" messages when piping to programs when the program may want to take immediate action
Message-ID:  <200112010416.fB14GpG18467@freefall.freebsd.org>


>Number:         32420
>Category:       bin
>Synopsis:       syslogd accumulates "repeated" messages when piping to programs when the program may want to take immediate action
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 30 20:20:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Brett Glass
>Release:        4.4-RELEASE and all previous
>Organization:
>Environment:
>Description:
FreeBSD's syslogd has a "repeat counting" feature, implemented by
Eric Allman, which is designed to save file space and prevent 
flooding of the console with messages. Unfortunately, because it
also works when messages are piped to a log monitoring program, it
prevents a log monitor from seeing the stream of messages and taking
appropriate action (e.g. blackholing an attacker). While it's a
good idea to do repeat counting when the destination of log messages
is a file, a user, or the console, it should be disabled when the
output is piped.
>How-To-Repeat:

>Fix:
Here's the original code:

                /*
                 * suppress duplicate lines to this file
                 */
                if ((flags & MARK) == 0 && msglen == f->f_prevlen &&
                    !strcmp(msg, f->f_prevline) &&
                    !strcasecmp(from, f->f_prevhost)) {
                        (void)strncpy(f->f_lasttime, timestamp, 15);
                        f->f_prevcount++;

Add f->f_type != F_PIPE to the ANDed conditions in the initial if,
preferably before the string length comparison.

P.S. -- What are all those comments in the source about a
"hollow laugh?"

>Release-Note:
>Audit-Trail:
>Unformatted:
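
The following is an added example, not part of the original report and not syslogd's own code. It models the duplicate test quoted above on a simplified `struct filed`, showing how many of five identical messages a destination sees with the original condition and with the proposed `f->f_type != F_PIPE` check. The constant values, `deliver()`, `burst_seen()`, the host name and the message text are assumptions made for the illustration, and the daemon's later "repeated" summary line is left out.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Simplified stand-ins for syslogd's definitions; numeric values are assumed. */
#define MARK   0x008
#define F_FILE 1
#define F_PIPE 2

struct filed {
    int    f_type, f_prevcount;
    size_t f_prevlen;
    char   f_prevline[256], f_prevhost[64];
};

/* Returns 1 if msg is written to the destination now, 0 if it is only
 * counted as a repeat. pipe_fix != 0 applies the check proposed in the PR. */
static int deliver(struct filed *f, int flags, const char *from,
                   const char *msg, int pipe_fix)
{
    size_t msglen = strlen(msg);

    if ((flags & MARK) == 0 && (!pipe_fix || f->f_type != F_PIPE) &&
        msglen == f->f_prevlen && !strcmp(msg, f->f_prevline) &&
        !strcasecmp(from, f->f_prevhost)) {
        f->f_prevcount++;          /* suppressed: the reader sees nothing yet */
        return 0;
    }
    f->f_prevcount = 0;            /* new message: remember it and emit it */
    f->f_prevlen = msglen;
    snprintf(f->f_prevline, sizeof(f->f_prevline), "%s", msg);
    snprintf(f->f_prevhost, sizeof(f->f_prevhost), "%s", from);
    return 1;
}

/* Feed n identical (constructed) messages to one destination and return
 * how many of them are actually delivered. */
int burst_seen(int f_type, int pipe_fix, int n)
{
    struct filed f = { .f_type = f_type };
    int seen = 0;
    for (int i = 0; i < n; i++)
        seen += deliver(&f, 0, "gw.example", "login failed for root", pipe_fix);
    return seen;
}

int main(void)
{
    printf("pipe, original: %d of 5\n", burst_seen(F_PIPE, 0, 5));
    printf("pipe, with fix: %d of 5\n", burst_seen(F_PIPE, 1, 5));
    printf("file, with fix: %d of 5\n", burst_seen(F_FILE, 1, 5));
    return 0;
}
```

With the extra check, a piped monitor receives every line of the burst while file destinations keep the space-saving behaviour.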
