Bug 803101 - rsyslog appears to truncate messages when logging over the network
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: rsyslog
Version: 5.9
Hardware: All Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Assigned To: Tomas Heinrich
QA Contact: BaseOS QE Security Team

Reported: 2012-03-13 20:29 EDT by Brian Hourigan
Modified: 2016-09-20 00:50 EDT
Doc Type: Bug Fix
Last Closed: 2012-04-19 07:28:11 EDT

Description Brian Hourigan 2012-03-13 20:29:21 EDT
Description of problem:

I noticed that RHEL5 hosts (i386 and x86_64; RHEL6 hosts are unaffected) were only logging the first ~50 characters of log messages when logging to the network. When you remove syslog headers (date, actual header, program name) the message is truncated to about 10 characters.

This means the network logging is unusable, and that logs from programs logging only to the network (like auditd) are lost. I have reproduced this on different hosts even when using the stock rsyslog config.

You can check by running tcpdump -i bond0 -XX port 514 (or 2514 for auditd).

When using the stock syslogd on those systems, messages are not truncated.
When using file logging via rsyslogd, messages are not truncated.
When using network logging via rsyslogd, messages ARE truncated.

And I believe this is caused by one of the RHEL patches to rsyslog.

A workaround is to roll back to rsyslog-3.22.1-3.el5 (previous version).


Version-Release number of selected component (if applicable):

Name        : rsyslog                      Relocations: (not relocatable)
Version     : 3.22.1                            Vendor: Red Hat, Inc.
Release     : 7.el5                         Build Date: Thu 01 Dec 2011 07:41:54 AM PST
Install Date: Mon 20 Feb 2012 07:28:53 PM PST      Build Host: hs20-bc2-3.build.redhat.com
Group       : System Environment/Daemons    Source RPM: rsyslog-3.22.1-7.el5.src.rpm
Comment 1 Brian Hourigan 2012-03-13 20:41:14 EDT
Here's a tcpdump capturing the truncated messages:

17:34:38.493632 IP xxx.mozilla.com.50174 >
xxx2.mozilla.com.syslog: SYSLOG daemon.debug, length: 253
0x0000: 0026 b956 5685 68b5 99bd fcb0 0800 4500 .&.VV.h.......E.
0x0010: 0119 0000 4000 4011 8f8e 0a08 4b1f 0a08 ....@.@.....K...
0x0020: 4b17 c3fe 0202 0105 ab5c 3c33 313e 4d61 K........\<31>Ma
0x0030: 7220 3133 2031 373a 3334 3a33 3820 6173 r.13.17:34:38.as
0x0040: 2d6d 6772 3120 6e72 7065 5b37 3831 315d -mgr1.nrpe[7811]
0x0050: 3a20 436f 6d6d 616e 6420 636f 6d70 6c65 :.Command.comple
17:34:38.494774 IP xxx.mozilla.com.50174 >
xxx2.mozilla.com.syslog: SYSLOG daemon.debug, length: 228
0x0000: 0026 b956 5685 68b5 99bd fcb0 0800 4500 .&.VV.h.......E.
0x0010: 0100 0000 4000 4011 8fa7 0a08 4b1f 0a08 ....@.@.....K...
0x0020: 4b17 c3fe 0202 00ec ab43 3c33 313e 4d61 K........C<31>Ma
0x0030: 7220 3133 2031 373a 3334 3a33 3820 6173 r.13.17:34:38.as
0x0040: 2d6d 6772 3120 6e72 7065 5b37 3831 315d -mgr1.nrpe[7811]
0x0050: 3a20 5265 7475 726e 2043 6f64 653a 2030 :.Return.Code:.0
17:34:38.494835 IP xxx.mozilla.com.50174 >
xxx2.mozilla.com.syslog: SYSLOG daemon.debug, length: 74
0x0000: 0026 b956 5685 68b5 99bd fcb0 0800 4500 .&.VV.h.......E.
0x0010: 0066 0000 4000 4011 9041 0a08 4b1f 0a08 .f..@.@..A..K...
0x0020: 4b17 c3fe 0202 0052 aaa9 3c33 313e 4d61 K......R..<31>Ma
0x0030: 7220 3133 2031 373a 3334 3a33 3820 6173 r.13.17:34:38.as
0x0040: 2d6d 6772 3120 6e72 7065 5b37 3831 315d -mgr1.nrpe[7811]
0x0050: 3a20 436f 6e6e 6563 7469 6f6e 2066 726f :.Connection.fro
Comment 2 Tomas Heinrich 2012-03-14 09:07:28 EDT
This bug is filed against rhel 5.9, should that be 5.8?
Based on the tcpdump output, I assume "logging over the network" means forwarding via UDP.

The tcpdump output shows "length: 253", but the output that follows ends with the "0x0050: ..." line - the first 80 bytes, which means not all the data are shown.

I've done some tests with rsyslog-3.22.1-7.el5 over UDP / TCP with tcpdump and netcat and everything seems to work.
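
Added example (not part of the original bug comments): this Python sketch rebuilds the first packet from the Comment 1 hex dump and compares the payload length declared in the UDP header with the bytes actually present in the capture, which separates a capture cut short by tcpdump's snapshot length from a datagram that was short on the wire. The function names are hypothetical, and it assumes an Ethernet link layer (no VLAN tag) carrying IPv4.

```python
import re
import struct

# First packet from Comment 1 as posted (tcpdump -XX: Ethernet + IPv4 + UDP).
DUMP = r"""
0x0000: 0026 b956 5685 68b5 99bd fcb0 0800 4500 .&.VV.h.......E.
0x0010: 0119 0000 4000 4011 8f8e 0a08 4b1f 0a08 ....@.@.....K...
0x0020: 4b17 c3fe 0202 0105 ab5c 3c33 313e 4d61 K........\<31>Ma
0x0030: 7220 3133 2031 373a 3334 3a33 3820 6173 r.13.17:34:38.as
0x0040: 2d6d 6772 3120 6e72 7065 5b37 3831 315d -mgr1.nrpe[7811]
0x0050: 3a20 436f 6d6d 616e 6420 636f 6d70 6c65 :.Command.comple
"""

def frame_bytes(dump):
    """Rebuild the captured bytes from `tcpdump -X/-XX` hex lines."""
    out = bytearray()
    for line in dump.splitlines():
        tok = line.split()
        if len(tok) < 3 or not re.fullmatch(r"0x[0-9a-f]{4}:", tok[0]):
            continue
        # tok[0] is the offset and tok[-1] the ASCII column (tcpdump prints
        # spaces there as '.', so it is a single token); the rest is hex.
        out += bytes.fromhex("".join(tok[1:-1]))
    return bytes(out)

def udp_capture_report(frame, link_len=14):
    """Compare lengths declared in the IPv4/UDP headers with bytes captured."""
    ip = frame[link_len:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not IPv4, or IP header not captured")
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17 or len(ip) < ihl + 8:
        raise ValueError("not UDP, or UDP header not captured")
    ip_total = struct.unpack("!H", ip[2:4])[0]
    sport, dport, udp_len = struct.unpack("!HHH", ip[ihl:ihl + 6])
    payload = ip[ihl + 8:]
    return {
        "sport": sport,
        "dport": dport,
        "wire_frame": link_len + ip_total,    # bytes the headers say were sent
        "captured_frame": len(frame),         # bytes tcpdump actually kept
        "wire_payload": udp_len - 8,          # syslog bytes on the wire
        "captured_payload": len(payload),     # syslog bytes in the capture
        "capture_truncated": len(frame) < link_len + ip_total,
        "payload_head": payload.decode("ascii", "replace"),
    }

if __name__ == "__main__":
    print(udp_capture_report(frame_bytes(DUMP)))
```

For this packet the UDP header declares a 253-byte payload, matching the "length: 253" tcpdump printed, while the dump holds only 54 bytes of it. Capturing with `tcpdump -s 0` records whole packets.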
