Wednesday, May 24, 2006

Syslog-ng 2.0.0 release date

It was just a week or two ago when someone asked me about the planned release date of syslog-ng 2.0.0, the first stable release of the third incarnation of syslog-ng. I probably did not even respond to the email, as I did not know the answer. "When it's ready" is an answer users do not usually take very well.

It is very difficult to judge when a rewrite of such a critical software package is stable enough for production use: I wrote both functional and unit tests and have used syslog-ng on my laptop for over a year now, but as I currently lack a system where non-production code can be deployed, syslog-ng was drifting slowly through the stabilization process: whenever someone reported a bug, I fixed it.

So the release date in the current state is determined by the syslog-ng user community and not by me. If there is reasonable confidence that a pile of code runs fine, it can be tagged stable and everyone can be happy. If there is no feedback, an optimist might think that everything is going fine, while the pessimist would say that nobody is using the product.

My point is that positive feedback is _VERY_ important: it indicates that people are using the code and have no problems with it.

syslog-ng 1.9.x is currently in feature freeze, and I don't plan to do anything that threatens stability, but this also means that people waiting for things like message rewrite capabilities need to wait until syslog-ng 2.0.0 is out the door. And the key to that is YOUR participation: download the latest release, try it and report back. Even if it works. Especially if you are not running Debian, which I happen to run on my notebook.

Friday, May 19, 2006

Thinking about rewrite rules

Again the question of Solaris message IDs was raised in an email sent to me in private. For those who don't know what a Solaris msgid looks like, here is an example:

May 14 18:51:57 inbound2 su: [ID 366847 auth.notice] 'su root' succeeded

I was asked to include an MSGNOID macro that excludes this msgid from the final destination. The problem I have with this approach is that it simply does not scale: there are too many combinations to cover with individual macros. Using the msgid case as an example, one would need:
  • a macro that includes neither the name of the program, nor the msgid
  • a macro that includes program name only
  • a macro that includes msgid but not the program name
  • a macro that includes both the program name and the msgid
As you can imagine, this quickly becomes a maintenance nightmare even if one can find proper names for all of these combinations, especially once you consider that other devices have their own extensions to syslog.

What I am pondering is to renew my old ideas about adding sed-like rewrite rules to syslog-ng, something along the lines of:

rewrite r_msgid { msg("s/\[ID [0-9]+ [a-z]+\.[a-z]+\]//"); };

log { source(s_local); filter(f_noid); rewrite(r_msgid); destination(d_messages); };

Of course similar functionality would be added to manipulate all syslog message parts, like the hostname. The results would become part of the message itself, thus macros would use the rewritten message. Backreferences could also be used to refer to the various parts of the message matched by the regexps.
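To make the proposed semantics concrete, here is an added illustration in Python; it is not syslog-ng code and the syntax it accepts is only my reading of the sketch above. It parses a constructed Solaris-style line of the same shape as the example, applies an s/regex/replacement/ rule to the message part, and then expands macros from the rewritten record, so you can see that "macros would use the rewritten message". It also shows two things a practitioner would check: the rule as written above strips the "[ID ...]" block but leaves its trailing space at the front of $MSG, and backreferences let you restructure the msgid instead of merely dropping it. The rule strings, field names and $MACRO names are assumptions for the illustration.

```python
"""Sed-style rewrite of a Solaris msgid, as an illustration of the proposed
rewrite rules. Not syslog-ng code; rule syntax and macro names are assumed."""
import re

# Constructed sample line, same shape as the Solaris example in the post.
SAMPLE = "May 14 18:51:57 inbound2 su: [ID 366847 auth.notice] 'su root' succeeded"

# Minimal BSD syslog line parser: date, host, program[pid], message.
_SYSLOG_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def parse(line):
    """Split a syslog line into its parts; raises on lines that do not fit."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    return m.groupdict()


def parse_sed_rule(rule):
    """Parse 's<d>regex<d>replacement<d>flags' into (compiled regex, repl, count).

    A backslash-escaped delimiter becomes a literal character; every other
    backslash sequence is passed through for the regex engine. sed-style \\1
    backreferences in the replacement are translated to Python's \\g<1>.
    Flags: 'g' replaces all matches, 'i' ignores case.
    """
    if len(rule) < 2 or rule[0] != "s":
        raise ValueError("only s/// rules are supported: %r" % rule)
    delim = rule[1]
    parts, cur, i = [], [], 2
    while i < len(rule):
        c = rule[i]
        if c == "\\" and i + 1 < len(rule):
            nxt = rule[i + 1]
            cur.append(nxt if nxt == delim else c + nxt)
            i += 2
        elif c == delim:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    parts.append("".join(cur))
    if len(parts) != 3:
        raise ValueError("malformed rule, expected s/re/repl/flags: %r" % rule)
    pattern, repl, flags = parts
    repl = re.sub(r"\\(\d)", r"\\g<\1>", repl)
    regex = re.compile(pattern, re.IGNORECASE if "i" in flags else 0)
    return regex, repl, (0 if "g" in flags else 1)


def apply_rewrite(record, field, rule):
    """Apply one s/// rule to one field of a parsed record; returns a new record."""
    regex, repl, count = parse_sed_rule(rule)
    out = dict(record)
    out[field] = regex.sub(repl, out[field], count=count)
    return out


_MACRO_RE = re.compile(r"\$(DATE|HOST|PROGRAM|PID|MSG)")


def expand(template, record):
    """Expand $DATE/$HOST/$PROGRAM/$PID/$MSG from the (possibly rewritten) record."""
    return _MACRO_RE.sub(lambda m: record.get(m.group(1).lower()) or "", template)


# The rule from the post: removes the msgid block but keeps the space after it,
# so $MSG starts with a blank.
RULE_POST = r"s/\[ID [0-9]+ [a-z]+\.[a-z]+\]//"
# Same rule with the separator consumed as well.
RULE_STRIP = r"s/\[ID [0-9]+ [a-z]+\.[a-z]+\] //"
# Backreferences: keep the msgid as a key=value prefix instead of dropping it.
RULE_KV = r"s/^\[ID ([0-9]+) ([a-z]+\.[a-z]+)\] (.*)$/msgid=\1 fac=\2 \3/"


def demo(line=SAMPLE, template="$HOST $PROGRAM: $MSG"):
    """Return the template expanded after each of the three rules."""
    rec = parse(line)
    return {name: expand(template, apply_rewrite(rec, "msg", rule))
            for name, rule in (("post", RULE_POST), ("strip", RULE_STRIP), ("kv", RULE_KV))}


if __name__ == "__main__":
    for name, out in demo().items():
        print("%-5s %r" % (name, out))
```

The point of the third rule is that the same mechanism covers both the "drop it" and the "keep it but elsewhere" cases that the macro approach would each need a separate name for.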

What do you think?

Saturday, May 06, 2006

syslog-ng 1.6.11 released

I have released syslog-ng 1.6.11 which fixes the problems outlined in the previous post. You can find it at the BalaBit website.

Tuesday, May 02, 2006

syslog-ng 1.6.10 broken

Just a quick one: it turned out that syslog-ng 1.6.10 is broken in several ways. First, reading messages from /proc/kmsg is broken, and second, the time_sleep() feature that was added in 1.6.10 is missing an important chunk of the parser code, which made time_sleep() unconfigurable.

So: a feature that cannot be used, and an important problem. :(

I'm going to release syslog-ng 1.6.11 soon.

Infosec in London

I spent the last week in London, visiting InfoSec Europe. It was great fun; I liked the exhibition as well as the city itself.

I had not been to London before (except for a single-day business trip two years ago, but that does not count), and I liked the city very much. I walked about 40-50 km over these three days and had my legs completely worn out. British people are quite strange, I would say. Everything is completely in reverse: the cars, the direction the trains arrive from, the way the taps need to be opened; I think even the screws must be unscrewed in the reverse direction. I hated the non-mixing taps, one tap for cold and another for hot water, with no way to mix something tepid. Besides this strangeness I liked the atmosphere of the city; I visited all the important places, and I even spent two hours in the British Museum, but it was nothing but a scratch on the surface.

The exhibition was also interesting; I met a couple of interesting people, like the Watchfire guys who invented HTTP request smuggling and some real computer forensics guys. We talked about the problems with encryption vs. forensics and what possible solutions there are to this problem.

All in all it was an exhausting week.