Un1x Syslog Knowledge for Kids
by: ev1lut10n

I guess all of you know what syslog is. syslog is a standard facility on most Unix systems that records the messages programs send to it. Most sysadmins read this log at /var/log/syslog (on some distributions /var/log/messages; which facility goes to which file is set in the syslogd configuration, e.g. /etc/rsyslog.conf), ex:

==========
root@ev1l:/home/ev1lut10n# tail -n 10 /var/log/syslog
Oct 1 04:39:01 ev1lut10n-Vostro1310 CRON[9609]: (root) CMD ( [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) -delete)
Oct 1 04:46:19 ev1lut10n-Vostro1310 dhclient: DHCPREQUEST of ****ip censored***** on eth0 to 10.255.9.48 port 67
Oct 1 04:46:19 ev1lut10n-Vostro1310 dhclient: DHCPACK of ****ip censored***** from 10.255.9.48
Oct 1 04:46:19 ev1lut10n-Vostro1310 dhclient: bound to ****ip censored***** -- renewal in 742 seconds.
Oct 1 04:58:41 ev1lut10n-Vostro1310 dhclient: DHCPREQUEST of ****ip censored***** on eth0 to 10.255.9.48 port 67
Oct 1 04:58:41 ev1lut10n-Vostro1310 dhclient: DHCPACK of ****ip censored***** from 10.255.9.48
Oct 1 04:58:41 ev1lut10n-Vostro1310 dhclient: bound to ****ip censored***** -- renewal in 425 seconds.
Oct 1 05:05:46 ev1lut10n-Vostro1310 dhclient: DHCPREQUEST of ****ip censored***** on eth0 to 10.255.9.48 port 67
Oct 1 05:05:46 ev1lut10n-Vostro1310 dhclient: DHCPACK of ****ip censored***** from 10.255.9.48
Oct 1 05:05:46 ev1lut10n-Vostro1310 dhclient: bound to ****ip censored***** -- renewal in 882 seconds.
==========

The C interface to syslog consists of three calls:
- openlog
- syslog
- closelog

Every message we log carries a priority. The priority names are listed in /usr/include/sys/syslog.h (on my box):

=======
CODE prioritynames[] =
  {
    { "alert", LOG_ALERT },
    { "crit", LOG_CRIT },
    { "debug", LOG_DEBUG },
    { "emerg", LOG_EMERG },
    { "err", LOG_ERR },
    { "error", LOG_ERR },           /* DEPRECATED */
    { "info", LOG_INFO },
    { "none", INTERNAL_NOPRI },     /* INTERNAL */
    { "notice", LOG_NOTICE },
    { "panic", LOG_EMERG },         /* DEPRECATED */
    { "warn", LOG_WARNING },        /* DEPRECATED */
    { "warning", LOG_WARNING },
    { NULL, -1 }
  };
======

desc (highest to lowest):
LOG_EMERG   = system is unusable
LOG_ALERT   = action must be taken immediately
LOG_CRIT    = critical condition (in some online game, ex: Ran Online: critical damage ;-p)
LOG_ERR     = error condition
LOG_WARNING = warning condition
LOG_NOTICE  = normal but significant condition
LOG_INFO    = informational message
LOG_DEBUG   = debug-level message

Below is a sample C program using the syslog function that will log our message. openlog() sets the identifier that prefixes each line ("slog"), LOG_PID adds the process id to it, LOG_CONS makes glibc write the message to /dev/console if it cannot reach the logger, and LOG_USER is the facility.

==============
root@ev1l:/home/ev1lut10n/c# cat syslog.c
#include <stdio.h>
#include <sys/syslog.h>

int main(void)
{
    /* first we open the log */
    openlog("slog", LOG_PID | LOG_CONS, LOG_USER);
    /* then we do our syslog */
    syslog(LOG_INFO, "We are script kiddies ! we have owned your box ! hahahahaha");
    /* then we close the log */
    closelog();
    return 0;
}
root@ev1l:/home/ev1lut10n/c# gcc -o syslog syslog.c
root@ev1l:/home/ev1lut10n/c# ./syslog
root@ev1l:/home/ev1lut10n/c# tail -n 1 /var/log/syslog
Oct 1 05:26:24 ev1lut10n-Vostro1310 slog[10730]: We are script kiddies ! we have owned your box ! hahahahaha
==============

These messages are not written to the file by our program; syslog(3) only hands them to the syslogd daemon (rsyslogd here), which does the writing. Kill it and run the program again:

==================
root@ev1l:/home/ev1lut10n# ps aux | grep syslog
syslog 830 0.0 0.0 34608 1272 ? Sl 00:58 0:00 rsyslogd -c4
root@ev1l:/home/ev1lut10n/c# kill -9 830
root@ev1l:/home/ev1lut10n/c# ./syslog
==================

The message sent while the daemon was dead never reaches the file (because of LOG_CONS glibc writes it to the console instead). rsyslogd was started again at 05:27:19 as pid 10747, and only the run after that (slog[10751]) shows up:

============
root@ev1l:/home/ev1lut10n/c# tail /var/log/syslog
Oct 1 05:20:28 mywisdom-Vostro1310 dhclient: DHCPACK of 139.195.54.157 from 10.255.9.48
Oct 1 05:20:28 mywisdom-Vostro1310 dhclient: bound to 139.195.54.157 -- renewal in 693 seconds.
Oct 1 05:25:30 mywisdom-Vostro1310 slog[10701]: #012We are script kiddies ! we have owned your box ! hahahahaha
Oct 1 05:26:24 mywisdom-Vostro1310 slog[10730]: We are script kiddies ! we have owned your box ! hahahahaha
Oct 1 05:27:19 ev1l kernel: imklog 4.2.0, log source = /proc/kmsg started.
Oct 1 05:27:19 ev1l rsyslogd: [origin software="rsyslogd" swVersion="4.2.0" x-pid="10747" x-info="http://www.rsyslog.com"] (re)start
Oct 1 05:27:19 ev1l rsyslogd: rsyslogd's groupid changed to 103
Oct 1 05:27:19 ev1l rsyslogd: rsyslogd's userid changed to 101
Oct 1 05:27:19 ev1l rsyslogd-2039: Could no open output file '/dev/xconsole' [try http://www.rsyslog.com/e/2039 ]
Oct 1 05:27:22 ev1l slog[10751]: We are script kiddies ! we have owned your box ! hahahahaha
=============

(The "#012" in the 05:25:30 line is rsyslog escaping a control character, octal 012 = newline, that an earlier run put into its message.) Anyone with root can kill the logger exactly like this, so the logs on a box that has been owned prove nothing; forward them to a remote log host as well.

[Wrong Usage of syslog() Results in a Format String Bug]

Wrong usage of syslog is very dangerous. First make sure syslogd is running again:

=====================
root@ev1l:/home/ev1lut10n/c# locate rsyslogd
/usr/sbin/rsyslogd
/usr/share/man/man8/rsyslogd.8.gz
root@ev1l:/home/ev1lut10n/c# /usr/sbin/rsyslogd
Already running.
root@ev1l:/home/ev1lut10n/c# ps aux | grep syslog
mywisdom 1628 4.1 0.5 163672 11412 ? S<sl 00:58 11:20 /usr/bin/pulseaudio --start --log-target=syslog
syslog 10747 0.0 0.0 33452 1308 ? Sl 05:27 0:00 rsyslogd -c4
root@ev1l:/home/ev1lut10n/c# ./syslog
root@ev1l:/home/ev1lut10n/c# tail -n 2 /var/log/messages
Oct 1 05:27:22 ev1l slog[10751]: We are script kiddies ! we have owned your box ! hahahahaha
Oct 1 05:32:02 ev1l slog[10830]: We are script kiddies ! we have owned your box ! hahahahaha
======================

C programmers must never pass a variable as the format argument of syslog(); the format must be a string literal and the data goes in the arguments after it. This is a sample program with a format string bug (the bug is deliberate, for demonstration):

filename: buggy.c
==============
root@ev1l:/home/ev1lut10n/c# cat buggy.c
#include <stdio.h>
#include <sys/syslog.h>

int main(int argc, char **argv)
{
    /* BUG: argv[1] is used as the format string */
    syslog(LOG_INFO, argv[1]);
    return 0;
}
==============

Compile, link and then test it!

===========
root@ev1l:/home/ev1lut10n/c# gcc -o buggy_syslog buggy_syslog.c
buggy_syslog.c: In function 'main':
buggy_syslog.c:9: warning: passing argument 2 of 'syslog' makes pointer from integer without a cast
root@ev1l:/home/ev1lut10n/c# ls
buggy_syslog buggy_syslog.c ev1syn ev1syn.c syslog syslog.c
root@ev1l:/home/ev1lut10n/c# ./buggy %x
root@ev1l:/home/ev1lut10n/c# tail -n 1 /var/log/syslog
Oct 1 05:47:48 ev1l buggy: 804840b
===========

As you can see, the %x we passed made syslog() log a word read off the stack (804840b) because no argument was supplied for the conversion. That is not just a cosmetic problem: with %s an attacker can read arbitrary memory and with %n write to it, so whenever untrusted input (argv, a network request, a filename) reaches the format parameter this is a classic, exploitable format string vulnerability. gcc warns about the pattern when built with -Wformat -Wformat-security, so turn those on.

Here is the correct usage of syslog:

=============
root@ev1l:/home/ev1lut10n/c# cat sys.c
#include <stdio.h>
#include <sys/syslog.h>

int main(int argc, char **argv)
{
    /* argv[1] is data, "%s" is the format */
    syslog(LOG_INFO, "%s", argv[1]);
    return 0;
}
===============

And the result with the same input:

===============================
root@ev1l:/home/ev1lut10n/c# gcc -o sys sys.c
root@ev1l:/home/ev1lut10n/c# ./sys %x
root@ev1l:/home/ev1lut10n/c# tail -n 1 /var/log/syslog
Oct 1 05:50:39 ev1l sys: %x
===============================
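The hardened pattern, as an added example that is not part of the original article: the vulnerable snprintf() call beside the fixed one, a helper that counts the conversions an attacker-controlled string would trigger, and a sanitiser that escapes control characters in the #ooo octal form rsyslog used for the "#012" line above, so a newline in the input cannot forge a second log line. snprintf() is used so the unsafe/safe difference can be seen in a buffer; the rule is identical for syslog(). The function names (format_unsafe, format_safe, count_directives, sanitize_for_log, log_untrusted) and the 512-byte buffer are my own choices, not anything from the page.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Added example, not code from the article. Names and buffer sizes are
 * my own choices. snprintf() stands in for syslog() so the vulnerable
 * and fixed calls can be compared in a buffer. */

/* The pattern from buggy.c: the untrusted string IS the format string.
 * The pragmas only silence the (correct!) compiler warning for this demo. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int format_unsafe(const char *untrusted, char *out, size_t n)
{
    return snprintf(out, n, untrusted);   /* VULNERABLE: do not copy */
}
#pragma GCC diagnostic pop

/* The fix from sys.c: untrusted bytes only ever travel through "%s". */
int format_safe(const char *untrusted, char *out, size_t n)
{
    return snprintf(out, n, "%s", untrusted);
}

/* How many conversions a string would trigger if it were used as a format.
 * "%%" is a literal percent and counts as zero. Handy when auditing what a
 * program hands to the unsafe pattern. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" -> a literal '%' */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* Escape control characters as #ooo (octal), the form rsyslog used when it
 * wrote "#012" for a newline. Bytes >= 0x80 (UTF-8) pass through unchanged.
 * Returns the output length, or -1 if 'out' (size n) is too small. */
int sanitize_for_log(const char *in, char *out, size_t n)
{
    size_t j = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (*p < 0x20 || *p == 0x7f) {
            if (j + 4 >= n)             /* "#ooo" plus the trailing NUL */
                return -1;
            snprintf(out + j, n - j, "#%03o", (unsigned)*p);
            j += 4;
        } else {
            if (j + 1 >= n)
                return -1;
            out[j++] = (char)*p;
        }
    }
    out[j] = '\0';
    return (int)j;
}

/* What buggy.c should have done with argv[1]: sanitize, then log via "%s". */
void log_untrusted(int prio, const char *untrusted)
{
    char line[512];                     /* size is an arbitrary choice */
    if (sanitize_for_log(untrusted, line, sizeof line) < 0) {
        syslog(LOG_WARNING, "dropped over-long message");
        return;
    }
    syslog(prio, "%s", line);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s message\n", argv[0]);
        return 1;
    }
    openlog("slog", LOG_PID | LOG_CONS, LOG_USER);
    log_untrusted(LOG_INFO, argv[1]);   /* "%x%n" now lands literally in the log */
    closelog();
    return 0;
}
```

Run it as `./hardened '%x%x%n'` and the log line contains the percent signs verbatim; run it with a message containing a newline and the line shows #012 in its place instead of a forged second entry. The inputs used to check it below (plain text, "%x%x%n", "100%%", text with an embedded newline) are constructed for this example.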