corrected filters:

    # grsec & pax
    filter f_avc { match("^\\[.*\] .*avc: .*"); };
    filter f_audit { match("^\\[.*\] audit.*") and not match(".*avc: .*"); };
    filter f_pax { match("^\\[.*\] PAX:.*"); };
    filter f_grsec { match("^\\[.*\] grsec:.*"); };
Hi, I do not think it is unreasonable to ask for a diff'd output of what you are suggesting, and to provide a reason for the change besides 'broken'. Thanks, Jeremy
*** Bug 232848 has been marked as a duplicate of this bug. ***
Created attachment 161297: diff -burN
The reason: the original filter won't match, since with the latest stable hardened kernel a timestamp in brackets is put at the beginning of each log line: [285563.904507] grsec: ..... I am not 100% sure, but this was probably introduced with kernel tree 2.6.24.x.
There was no behavioral change in the kernel or grsecurity. It looks like you enabled CONFIG_PRINTK_TIME in your kernel config. It would be good if the shipped hardened syslog-ng.conf took this kernel config option into account, though.
Created attachment 192544: Proposed patch to resolve the issue. This patch should resolve the issue. It has been tested on an i686 pax/grsec system and a SELinux system. There is no reason to suspect it won't work on amd64.
It seems to me like there is a little mistake, though it might still work. The opening square bracket has a double escaping backslash, whereas the closing square bracket has only a single one. Also, the statements from Anthony Basile's patch can be written in a single regular expression, with a conditional prefix, to match messages for old-style kernels and new-style kernels at once:

    # <H4xX0Rz1sT@eyeq.de> newer kernels have kernel time prefix with CONFIG_PRINTK_TIME set, see #232847
    filter f_avc { match(".*avc: .*"); };
    filter f_audit { match("^(\\[.*\\] )?audit.*") and not message(".*avc: .*"); };
    filter f_pax { match("^(\\[.*\\] )?PAX:.*"); };
    filter f_test { match("^(\\[.*\\] )?grsec:.*"); };

I have tested with 'logger -t kernel "[285563.904507] grsec: ....."' and 'logger -t kernel "grsec: ....."', resulting in these log entries:

    Nov 2 20:44:23 saturn kernel: [285563.904507] grsec: .....
    Nov 2 20:44:25 saturn kernel: grsec: .....

Please also note bug #291259: "match()" has to be replaced by "message()" with syslog-ng 3.x.

HTH, Oliver
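As an added illustration (not part of this bug thread and not syslog-ng's own code), the following Python script replays the conditional-prefix filter patterns from the comment above against constructed kernel message bodies, with and without the CONFIG_PRINTK_TIME "[seconds.micros] " prefix, and also checks the mixed "\\[ ... \]" escaping from the first comment. It assumes the patterns are evaluated as POSIX extended regexes (Python's re module behaves the same for these simple cases), that the filters are applied to the message body after "kernel: ", and a simplified model of syslog-ng's double-quoted string handling in which only "\\" is collapsed to "\" and every other backslash sequence passes through unchanged. The timestamp-unaware "^grsec:.*" pattern and all sample messages are constructed for the demonstration.

```python
import re

# Simplified assumption about how a double-quoted syslog-ng config string is
# read: "\\" collapses to "\", any other backslash sequence is kept verbatim.
def unescape_config_string(s: str) -> str:
    out = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            if s[i + 1] == "\\":
                out.append("\\")
            else:
                out.append(s[i:i + 2])   # unknown escape: pass through as-is
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

# Pattern text exactly as it stands inside the double quotes of the filters
# from the comment above (raw strings, so the backslashes are literal here).
CONFIG_PATTERNS = {
    "avc":   r".*avc: .*",
    "audit": r"^(\\[.*\\] )?audit.*",
    "pax":   r"^(\\[.*\\] )?PAX:.*",
    "grsec": r"^(\\[.*\\] )?grsec:.*",
}

# Compile the patterns as the regex engine would see them after unescaping.
REGEX = {name: re.compile(unescape_config_string(p))
         for name, p in CONFIG_PATTERNS.items()}

def classify(message: str) -> list:
    """Return the filter names (f_avc, f_audit, f_pax, f_grsec) that accept
    the given kernel message body, mirroring the filter bodies above
    (f_audit excludes anything f_avc would take)."""
    hits = []
    if REGEX["avc"].match(message):
        hits.append("f_avc")
    if REGEX["audit"].match(message) and not REGEX["avc"].match(message):
        hits.append("f_audit")
    if REGEX["pax"].match(message):
        hits.append("f_pax")
    if REGEX["grsec"].match(message):
        hits.append("f_grsec")
    return hits

# Assumed form of a timestamp-unaware filter, the kind the report describes
# as breaking once CONFIG_PRINTK_TIME is enabled (exact original not in thread).
LEGACY_GRSEC = re.compile(unescape_config_string(r"^grsec:.*"))

def legacy_grsec_matches(message: str) -> bool:
    return LEGACY_GRSEC.match(message) is not None

def mixed_escape_still_matches() -> bool:
    """The first comment escapes '[' as '\\\\[' but ']' as '\\]'. After
    unescaping, the engine sees '\\[' and '\\]'; a backslash before ']'
    outside a bracket expression still means a literal ']' in GNU regex and
    Python alike, so the inconsistent filter still matches."""
    pat = re.compile(unescape_config_string(r"^\\[.*\] grsec:.*"))
    return pat.match("[285563.904507] grsec: x") is not None

# Constructed sample message bodies (the part after "kernel: ").
SAMPLES = [
    "[285563.904507] grsec: <constructed message>",   # CONFIG_PRINTK_TIME set
    "grsec: <constructed message>",                   # no timestamp prefix
    "[12.345678] PAX: <constructed message>",
    "[1.234567] audit(1257191063.123:45): avc:  denied  { read } <constructed>",
    "audit(1257191063.123:46): <constructed non-avc audit event>",
]

if __name__ == "__main__":
    print("grsec pattern as the regex engine sees it:", REGEX["grsec"].pattern)
    for m in SAMPLES:
        print(f"{m!r:72} -> {classify(m)}  legacy ^grsec: {legacy_grsec_matches(m)}")
    print("mixed \\\\[ ... \\] escaping still matches:", mixed_escape_still_matches())
```

Running it shows the timestamped and untimestamped grsec lines both landing in f_grsec under the conditional-prefix pattern while the legacy pattern only accepts the untimestamped one, and an avc line being excluded from f_audit by the "and not" clause.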
Fixed in syslog-ng 3.0.5-r1