# [solved] syslog-ng madness

## toralf

The 3.4.8 version writes a mess into the log during startup:

```
Feb  9 22:08:29 t44 syslog-ng[906]: syslog-ng starting up; version='3.4.8'
Feb  9 22:08:29 ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ kernel: [    0.000000] Initializing cgroup subsys cpuset
```

This happened here on two hardened systems.

Does anybody know a solution (except upgrading to 3.6.2)?

-or- another logger, but then I do have these rules to convert:

```
destination d_ps22  { file("/mnt/ramdisk/ps22");  };
destination d_ps80  { file("/mnt/ramdisk/ps80");  };
destination d_ps443 { file("/mnt/ramdisk/ps443"); };

#rewrite r_ps22  { subst('PORTSCAN 22 .*',  "ps", value("MESSAGE"), type("pcre"), flags("global")); };
#rewrite r_ps80  { subst('PORTSCAN 80 .*',  "ps", value("MESSAGE"), type("pcre"), flags("global")); };
#rewrite r_ps443 { subst('PORTSCAN 443 .*', "ps", value("MESSAGE"), type("pcre"), flags("global")); };

filter f_ps22  { match("PORTSCAN 22 "  value("MSG")); };
filter f_ps80  { match("PORTSCAN 80 "  value("MSG")); };
filter f_ps443 { match("PORTSCAN 443 " value("MSG")); };

#log { source(src); filter(f_ps22);  rewrite(r_ps22);  destination(d_ps22);  };
#log { source(src); filter(f_ps80);  rewrite(r_ps80);  destination(d_ps80);  };
#log { source(src); filter(f_ps443); rewrite(r_ps443); destination(d_ps443); };

log { source(src); filter(f_ps22);  destination(d_ps22);  };
log { source(src); filter(f_ps80);  destination(d_ps80);  };
log { source(src); filter(f_ps443); destination(d_ps443); };

filter f_messages { not match("PORTSCAN " value("MSG")); };

log { source(src); filter(f_messages); destination(messages);    };
log { source(src); filter(f_messages); destination(console_all); };
```

Last edited by toralf on Wed May 27, 2015 7:05 pm; edited 1 time in total

----------

## khayyam

toralf ...

I don't have syslog-ng write a log for itself (a little redundant for my liking), and as the syslog.conf provided with USE="hardened" does, you could do as I did and comment out the lines for destination, filter, etc.

HTH & best ... khay

----------

## Balage

Hello,

Try increasing log_msg_size to 8196. Starting from 3.5 that's the default value, especially because of situations like this.

```
log_msg_size(8196);
```

Regards,

----------

## toralf

 *khayyam wrote:*   

> toralf ...
> 
> I don't have syslog-ng write a log for itself (a little redundent for my liking) and as the syslog.conf provided with USE="hardened" does you could do as I did and comment the lines for destination, filter, etc.
> 
> HTH & best ... khay

b/c I do filter a few types of messages out and don't want to have these in /var/log/messages nor on tty12, I think I do need the definitions as seen above, or?

----------

## Cyker

Yaaay! Something I know the answer to!

Short answer:

Put

```
threaded(no)
```

in your syslog-ng.conf options{} section.

There seems to be a bug in 3.4.8 (possibly others) that causes ^@/NULL chars to be written to the syslog if threaded(yes) is set.

----------

## khayyam

 *toralf wrote:*   

>  *khayyam wrote:*   I don't have syslog-ng write a log for itself (a little redundent for my liking) and as the syslog.conf provided with USE="hardened" does you could do as I did and comment the lines for destination, filter, etc. 
> 
> b/c I do filter few types of messages out and won't like to have these in /var/log/messages nor on tty12, I think I do need the definitions as seen above, or ?

 

toralf ... looks like I misread the above; those messages don't come from syslog-ng but from the kernel ring. I imagine this is due to hardened or, as Balage suggests above, log_msg_size. I've seen the above '^@^@^@' here in a thread before, but couldn't find it on a search.

As for the above definitions they don't seem to have anything to do with it, they are just rules to log portscans.

best ... khay

----------

## toralf

Ok, will start with "threat = no".

@khay

Thanks for pointing me to the hardened config files - wasn't aware of it.

/mw wonders how to enhance the "kern" filter:

```
filter f_kern { facility(kern); };
```

to add my regex filter too ....

----------

## khayyam

 *toralf wrote:*   

> Thanks for pointing me to the hardened config files - wasn't aware of it.

 

toralf ... you're welcome. As I remember there used to be a hardened useflag on syslog-ng, and this toggled the install of the config; that useflag seems to have gone now, but the file is under `*/files/3.{4,6}/syslog-ng.conf.gentoo.hardened` ... not sure what triggers the install.

 *toralf wrote:*   

> /mw wonders how to enhance the "kern" filter: `filter f_kern { facility(kern); };` to add my regex filter too ....

 

That's just a 'filter' for the kernel ring; this could then be given a 'destination' (i.e. /var/log/kern.log), but as 'messages' gets level('info..warn') you probably get as much as is needed there. Such filters are basically used to break down the facilities and direct them (or 'not' ... as you can do 'and not facility(auth, cron); };' so as not to get those), so it depends on what you want ... and how much.

best ... khay

----------

