Un1x Syslog Knowledge for Kids

by:ev1lut10n

I guess all of u know what syslog is. this syslog is a standart utility under most unix that will
log any messages of a program.  Most sysadmin can read this log at /var/log/syslog

ex:
==========
root@ev1l:/home/ev1lut10n#  tail -n 10 /var/log/syslog
Oct  1 04:39:01 ev1lut10n-Vostro1310 CRON[9609]: (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth
-mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) -delete)
Oct  1 04:46:19 ev1lut10n-Vostro1310 dhclient: DHCPREQUEST of ****ip censored***** on eth0 to 10.255.9.48 port 67
Oct  1 04:46:19 ev1lut10n-Vostro1310 dhclient: DHCPACK of ****ip censored***** from 10.255.9.48
Oct  1 04:46:19 ev1lut10n-Vostro1310 dhclient: bound to ****ip censored***** -- renewal in 742 seconds.
Oct  1 04:58:41 ev1lut10n-Vostro1310 dhclient: DHCPREQUEST of ****ip censored***** on eth0 to 10.255.9.48 port 67
Oct  1 04:58:41 ev1lut10n-Vostro1310 dhclient: DHCPACK of ****ip censored***** from 10.255.9.48
Oct  1 04:58:41 ev1lut10n-Vostro1310 dhclient: bound to ****ip censored***** -- renewal in 425 seconds.
Oct  1 05:05:46 ev1lut10n-Vostro1310 dhclient: DHCPREQUEST of ****ip censored***** on eth0 to 10.255.9.48 port 67
Oct  1 05:05:46 ev1lut10n-Vostro1310 dhclient: DHCPACK of ****ip censored***** from 10.255.9.48
Oct  1 05:05:46 ev1lut10n-Vostro1310 dhclient: bound to ****ip censored***** -- renewal in 882 seconds.
==========

below are some various c operation related to syslog:
- openlog
- syslog
- closelog

exactly when we need to do a syslog there will be something called priority as we can see on /usr/include/sys/syslog.h (on my box) :
=======
CODE prioritynames[] =
 {
   { "alert", LOG_ALERT },
   { "crit", LOG_CRIT },
   { "debug", LOG_DEBUG },
   { "emerg", LOG_EMERG },
   { "err", LOG_ERR },
   { "error", LOG_ERR },               /* DEPRECATED */
   { "info", LOG_INFO },
   { "none", INTERNAL_NOPRI },         /* INTERNAL */
   { "notice", LOG_NOTICE },
   { "panic", LOG_EMERG },             /* DEPRECATED */
   { "warn", LOG_WARNING },            /* DEPRECATED */
   { "warning", LOG_WARNING },
   { NULL, -1 }
 };
======

desc:
LOG_EMERG  = system unusable
LOG_ALERT = need a fast action
LOG_CRITICAL = critical condition (in some online game, ex: Ran Online : critical damage ;-p )
LOG_INFO = informational message
and so on ... (sorry I'm lazy just googling for more info about the priorities)


below is a sample c code using syslog function that will log our message
==============
root@ev1l:/home/ev1lut10n/c# cat syslog.c
#include <stdio.h>
#include <sys/syslog.h>
int main()
{
/**first we open log**/
openlog("slog", LOG_PID|LOG_CONS, LOG_USER);
/**the we do our syslog**/
syslog(LOG_INFO, "We are script kiddies ! we have owned your box ! hahahahaha");
/**then we need to close the log**/
closelog();
}
root@ev1l:/home/ev1lut10n/c# gcc -o syslog syslog.c
root@ev1l:/home/ev1lut10n/c# ./syslog
root@ev1l:/home/ev1lut10n/c# tail -n 1 /var/log/syslog
Oct  1 05:26:24 ev1lut10n-Vostro1310 slog[10730]: We are script kiddies ! we have owned your box ! hahahahaha
==============


these messages actually logged by the syslogd
==================

root@ev1l:/home/ev1lut10n# ps aux | grep syslog
syslog     830  0.0  0.0  34608  1272 ?        Sl   00:58   0:00 rsyslogd -c4
root@ev1l:/home/ev1lut10n/c# kill -9 830
root@ev1l:/home/ev1lut10n/c# ./syslog
==================

then there will be no more syslog logging:
============
root@ev1l:/home/ev1lut10n/c# tail /var/log/syslog
Oct  1 05:20:28 mywisdom-Vostro1310 dhclient: DHCPACK of 139.195.54.157 from 10.255.9.48
Oct  1 05:20:28 mywisdom-Vostro1310 dhclient: bound to 139.195.54.157 -- renewal in 693 seconds.
Oct  1 05:25:30 mywisdom-Vostro1310 slog[10701]: #012We are script kiddies ! we have owned your box ! hahahahaha
Oct  1 05:26:24 mywisdom-Vostro1310 slog[10730]: We are script kiddies ! we have owned your box ! hahahahaha
Oct  1 05:27:19 ev1l kernel: imklog 4.2.0, log source = /proc/kmsg started.
Oct  1 05:27:19 ev1l rsyslogd: [origin software="rsyslogd" swVersion="4.2.0" x-pid="10747" x-info="http://www.rsyslog.com"] (re)start
Oct  1 05:27:19 ev1l rsyslogd: rsyslogd's groupid changed to 103
Oct  1 05:27:19 ev1l rsyslogd: rsyslogd's userid changed to 101
Oct  1 05:27:19 ev1l rsyslogd-2039: Could no open output file '/dev/xconsole' [try http://www.rsyslog.com/e/2039 ]
Oct  1 05:27:22 ev1l slog[10751]: We are script kiddies ! we have owned your box ! hahahahaha
=============

[Wrong Usage of Syslog resulted a Format String Bug]

ok wrong usage of this syslog is very dangerous
start the syslogd again:
=====================
root@ev1l:/home/ev1lut10n/c# locate rsyslogd
/usr/sbin/rsyslogd
/usr/share/man/man8/rsyslogd.8.gz
root@ev1l:/home/ev1lut10n/c# /usr/sbin/rsyslogd
Already running.
root@ev1l:/home/ev1lut10n/c# ps aux | grep syslog
mywisdom  1628  4.1  0.5 163672 11412 ?        S<sl 00:58  11:20 /usr/bin/pulseaudio --start --log-target=syslog
syslog   10747  0.0  0.0  33452  1308 ?        Sl   05:27   0:00 rsyslogd -c4
root@ev1l:/home/ev1lut10n/c# ./syslog
root@ev1l:/home/ev1lut10n/c# tail -n 2 /var/log/messages
Oct  1 05:27:22 ev1l slog[10751]: We are script kiddies ! we have owned your box ! hahahahaha
Oct  1 05:32:02 ev1l slog[10830]: We are script kiddies ! we have owned your box ! hahahahaha
======================

all c programmers must not forget to specify the format string when he use a variable as a parameter into syslog function

this is a sample of a code with format string bug when we use syslog function:
filename: buggy.c
==============
root@ev1l:/home/ev1lut10n/c# cat buggy.c
#include <stdio.h>
#include <sys/syslog.h>
int main(int argc,char **argv)
{
syslog(LOG_INFO,argv[1]);
}

==============

assemble -> linke and then test it !
===========
root@ev1l:/home/ev1lut10n/c# gcc -o buggy_syslog buggy_syslog.c
buggy_syslog.c: In function 'main':
buggy_syslog.c:9: warning: passing argument 2 of 'syslog' makes pointer from integer without a cast
root@ev1l:/home/ev1lut10n/c# ls
buggy_syslog  buggy_syslog.c  ev1syn  ev1syn.c  syslog  syslog.c
root@ev1l:/home/ev1lut10n/c# ./buggy %x
root@ev1l:/home/ev1lut10n/c# tail -n 1 /var/log/syslog
Oct  1 05:47:48 ev1l buggy: 804840b
===========

as u can see the syslog messsage logged a memory addr from our stack.

Here is sample of correct usage of this fvck syslog:
=============
root@ev1l:/home/ev1lut10n/c# cat sys.c
#include <stdio.h>
#include <sys/syslog.h>
int main(int argc,char **argv)
{
syslog(LOG_INFO,"%s",argv[1]);
}

===============

here's the correct one should be:

===============================
root@ev1l:/home/ev1lut10n/c# gcc -o sys sys.c
root@ev1l:/home/ev1lut10n/c# ./sys %x
root@ev1l:/home/ev1lut10n/c# tail -n 1 /var/log/syslog
Oct  1 05:50:39 ev1l sys: %x
===============================

You are viewing proxied material from sdf.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.