rsyslogd mishandles startswith_i against $programname

Bug #1958005 reported by Ian! D. Allen
This bug affects 1 person
Affects: rsyslog (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

The rsyslog program mis-handles the "startswith_i" comparison when applied
to $programname. Details follow:

Put this file in /etc/rsyslog.d/10-idallen.conf (it precedes all other files):

    if ( $programname startswith 'foo' ) then {
        /var/log/idallen-cron.log
        stop
    }

Restart rsyslog:

    # /etc/init.d/rsyslog restart

Run these four tests:

    $ logger -t 'test' "This is: test"
    $ logger -t 'foo' "This is: foo"
    $ logger -t 'FOO' "This is: FOO"
    $ logger -t '/junk' "This is /junk"

Expected and correct result:

The file /var/log/syslog contains three lines (correct):

    Jan 14 23:08:09 ubuntu20 test: This is: test
    Jan 14 23:08:09 ubuntu20 FOO: This is: FOO
    Jan 14 23:08:09 ubuntu20 /junk: This is /junk

The file /var/log/idallen-cron.log contains just one line (correct):

    Jan 14 23:08:09 ubuntu20 foo: This is: foo

Now make this change: In the 10-idallen.conf file change "startswith"
to "startswith_i". Restart rsyslog. Run the four tests. Here are the
unexpected and incorrect results:

The file /var/log/syslog contains just one line (should be two):

    Jan 14 23:08:09 ubuntu20 test: This is: test

The file /var/log/idallen-cron.log contains three lines (should be two):

    Jan 14 23:08:09 ubuntu20 foo: This is: foo
    Jan 14 23:08:09 ubuntu20 FOO: This is: FOO
    Jan 14 23:08:09 ubuntu20 /junk: This is /junk <== SHOULD NOT BE HERE

The '/junk' line should *NOT* be matched using "startswith_i 'foo'".

The same bug happens using '[junk' as the tag. Any number of blanks
may precede the / or the [ character and still cause the bug.

    $ logger -t ' /anything' "This also triggers the bug."
    $ logger -t ' [anything' "This also triggers the bug."

The bug did not appear when matching against $syslogtag:

    # This does not show the bug:
    if ( $syslogtag startswith_i 'foo' ) then {
        /var/log/idallen-cron.log
        stop
    }

I tried to use "startswith" and "startswith_i" to match against the
"$msg" instead of against "$programname" or "$syslogtag" but could not
get any match at all no matter what I used as my logger message text:

    # This never matches anything:
    if ( $msg startswith 'foo' ) then {
        /var/log/idallen-cron.log
        stop
    }

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: rsyslog 8.2001.0-1ubuntu1.1
ProcVersionSignature: Ubuntu 5.11.0-46.51~20.04.1-generic 5.11.22
Uname: Linux 5.11.0-46-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.21
Architecture: amd64
CasperMD5CheckResult: skip
Date: Sat Jan 15 02:02:24 2022
EcryptfsInUse: Yes
InstallationDate: Installed on 2020-10-07 (464 days ago)
InstallationMedia: Lubuntu 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731)
SourcePackage: rsyslog
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.logrotate.d.rsyslog: [modified]
mtime.conffile..etc.logrotate.d.rsyslog: 2020-12-27T12:21:35.307395
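
An added example, not part of the original report: a shell helper that audits the file written by the "startswith_i 'foo'" rule and prints every line whose tag does not begin with the prefix. Because the rule ends in "stop", such lines are also missing from /var/log/syslog. The names "misrouted" and "sample_log", the sample data (constructed from the lines in the report) and the traditional "Mon DD HH:MM:SS host tag: msg" line format are assumptions.

```shell
#!/bin/sh
# Added example: audit a file written by a rule of the form
#   if ( $programname startswith_i 'foo' ) then { <file>; stop }
# and print every line that should not have been routed there.

# misrouted PREFIX [FILE...]   (hypothetical helper name)
# Reads traditional-format lines: "Mon DD HH:MM:SS host tag: msg".
# With no FILE arguments it reads standard input.
misrouted() {
    prefix=$1; shift
    awk -v want="$prefix" '
    {
        # Drop "Mon DD HH:MM:SS host " to reach the tag.
        rest = $0
        sub(/^[A-Z][a-z][a-z] +[0-9]+ [0-9:]+ [^ ]+ /, "", rest)
        # The tag ends at the first ":".
        i = index(rest, ":")
        tag = (i > 0) ? substr(rest, 1, i - 1) : rest
        # Expected startswith_i semantics: case-insensitive prefix match.
        if (tolower(substr(tag, 1, length(want))) != tolower(want))
            print
    }' "$@"
}

# Constructed sample: the three lines the report found in
# /var/log/idallen-cron.log after switching to startswith_i.
sample_log() {
    cat <<'EOF'
Jan 14 23:08:09 ubuntu20 foo: This is: foo
Jan 14 23:08:09 ubuntu20 FOO: This is: FOO
Jan 14 23:08:09 ubuntu20 /junk: This is /junk
EOF
}

# Prints only the /junk line.
sample_log | misrouted foo
```

On a live system the same check is "misrouted foo /var/log/idallen-cron.log"; any output is a message that the rule captured and stopped even though its tag does not start with the prefix.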
