Graylog GROK patterns buffer overflow


(seziga) #1

Graylog 2.4.6
elasticsearch 5.6.12
nginx 1.14.0

We have bad (corrupted) messages from the nginx 1.14 error_log, 2048 bytes in size, with this GROK pattern:

nginx:\s(?%{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY}[- ]%{TIME}) [%{LOGLEVEL:severity}] %{POSINT:pid222}#%{NUMBER}: (?(.|\r|\n)*)(?:, client: %{IPORHOST:remote_addr})(?:, server: %{IPORHOSTORUNDERSCORE:server})(?:, request: %{QS:request})?(?:, upstream: "%{URI:upstream}")?(?:, host: %{QS:host})?(?:, referrer: "%{URI:http_referer}")?$

<187>Sep 24 16:10:46 jamingo.xyz.org nginx: 2018/09/24 16:10:46 [error] 94210#94210: *768531 FastCGI sent in stderr: "-web/releases/jamingo-andy-bli-opacweb-20180922174622/cacadenol/modules/database/classes/database/mysqli.php on line 52
PHP message: PHP Warning mysqli_connect(): (HY000/2002): Connection refused in file /var/www/jamingo-andy-bli-opacweb/releases/jamingo-andy-bli-opacweb-20180922174622/cacadenol/modules/database/classes/database/mysqli.php on line 52
PHP message: PHP Warning mysqli_connect(): (HY000/2002): Connection refused in file /var/www/jamingo-andy-bli-opacweb/releases/jamingo-andy-bli-opacweb-20180922174622/cacadenol/modules/database/classes/database/mysqli.php on line 52
PHP message: PHP Warning mysqli_connect(): (HY000/2002): Connection refused in file /var/www/jamingo-andy-bli-opacweb/releases/jamingo-andy-bli-opacweb-20180922174622/cacadenol/modules/database/classes/database/mysqli.php on line 52
PHP message: PHP Warning mysqli_connect(): (HY000/2002): Connection refused in file /var/www/jamingo-andy-bli-opacweb/releases/jamingo-andy-bli-opacweb-20180922174622/cacadenol/modules/database/classes/database/mysqli.php on line 52
PHP message: PHP Warning mysqli_connect(): (HY000/2002): Connection refused in file /var/www/jamingo-andy-bli-opacweb/releases/jamingo-andy-bli-opacweb-20180922174622/cacadenol/modules/database/classes/database/mysqli.php on line 52
PHP message: PHP Warning mysqli_connect(): (HY000/2002): Connection refused in file /var/www/jamingo-andy-bli-opacweb/releases/jamingo-andy-bli-opacweb-20180922174622/cacadenol/modules/database/classes/database/mysqli.php on line 52
PHP message: PHP Warning mysqli_connect(): (HY000/2002): Connection refused in file /var/www/jamingo-andy-bli-opacweb/releases/jamingo-andy-bli-opacweb-20180922174622/cacadenol/modules/database/classes/database/mysqli.php on line 52
PHP message: PHP Warning mysqli_connect(): (HY000/2002): Connection refused in file /var/www/jamingo-andy-bli-opacweb/releases/jamingo-andy-bli-opacweb-20180922174622/caca

This message is parsed very well without errors. But if we send a message from the nginx error log with a length of 4096 bytes, this message is not processed, and there are too many errors in the Graylog logs:

2018-09-25T16:42:20.260+03:00 WARN  [ProcessBuffer] Unable to process event MessageEvent{raw=null, message=null, messages=null}, sequence 285361587                                                        
java.lang.StackOverflowError: null                                                                                                                                                                         
        at java.util.regex.Pattern$GroupHead.match(Pattern.java:4660) ~[?:1.8.0_181]                                                                                                                       
        at java.util.regex.Pattern$Loop.match(Pattern.java:4787) ~[?:1.8.0_181]                                                                                                                            
        at java.util.regex.Pattern$GroupTail.match(Pattern.java:4719) ~[?:1.8.0_181]                                                                                                                       
        at java.util.regex.Pattern$BranchConn.match(Pattern.java:4570) ~[?:1.8.0_181]                                                                                                                      
        at java.util.regex.Pattern$CharProperty.match(Pattern.java:3779) ~[?:1.8.0_181]                                                                                                                    
        at java.util.regex.Pattern$Branch.match(Pattern.java:4606) ~[?:1.8.0_181]                                                                                                                          
        at java.util.regex.Pattern$GroupHead.match(Pattern.java:4660) ~[?:1.8.0_181]                                                                                                                       
        at java.util.regex.Pattern$Loop.match(Pattern.java:4787) ~[?:1.8.0_181]                                                                                                                            
        at java.util.regex.Pattern$GroupTail.match(Pattern.java:4719) ~[?:1.8.0_181]                                                                                                                       
        at java.util.regex.Pattern$BranchConn.match(Pattern.java:4570) ~[?:1.8.0_181]                                                                                                                      
        at java.util.regex.Pattern$CharProperty.match(Pattern.java:3779) ~[?:1.8.0_181]                                                                                                                    
        at java.util.regex.Pattern$Branch.match(Pattern.java:4606) ~[?:1.8.0_181]                                                                                                                          
        at java.util.regex.Pattern$GroupHead.match(Pattern.java:4660) ~[?:1.8.0_181]                                                                                                                       
        at java.util.regex.Pattern$Loop.match(Pattern.java:4787) ~[?:1.8.0_181]                                                                                                                            
        at java.util.regex.Pattern$GroupTail.match(Pattern.java:4719) ~[?:1.8.0_181]                                                                                                                       
        at java.util.regex.Pattern$BranchConn.match(Pattern.java:4570) ~[?:1.8.0_181]                                                                                                                      
        at java.util.regex.Pattern$CharProperty.match(Pattern.java:3779) ~[?:1.8.0_181]                                                                                                                    
        at java.util.regex.Pattern$Branch.match(Pattern.java:4606) ~[?:1.8.0_181]                                                                                                                          
        at java.util.regex.Pattern$GroupHead.match(Pattern.java:4660) ~[?:1.8.0_181]                                                                                                                       
        at java.util.regex.Pattern$Loop.match(Pattern.java:4787) ~[?:1.8.0_181]                                                                                                                            
        at java.util.regex.Pattern$GroupTail.match(Pattern.java:4719) ~[?:1.8.0_181]                                                                                                                       
        at java.util.regex.Pattern$BranchConn.match(Pattern.java:4570) ~[?:1.8.0_181]                                                                                                                      
        at java.util.regex.Pattern$CharProperty.match(Pattern.java:3779) ~[?:1.8.0_181]                                                                                                                    
        at java.util.regex.Pattern$Branch.match(Pattern.java:4606) ~[?:1.8.0_181]                                                                                                                          
        at java.util.regex.Pattern$GroupHead.match(Pattern.java:4660) ~[?:1.8.0_181]     

This multi-line parsing pattern (?(.|\r|\n)*) does not work with 4096-byte messages, and a buffer overflow occurs (sequence 285361587).
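
The failure in the stack trace above is a property of java.util.regex, which Graylog's GROK extractor runs on: an alternation under a greedy star such as (.|\r|\n)* consumes stack frames per matched character, so a long enough (possibly attacker-supplied) log line turns into a StackOverflowError in the processing pipeline. The following added example (not Graylog's or the poster's code) reproduces that against a constructed multi-line PHP error message and shows the single-character-class rewrite that matches the same text without recursing; the group name "message" and the padded sizes are assumptions, and the exact size at which the fragile form overflows depends on the JVM thread stack size (-Xss).

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not Graylog code: shows why (.|\r|\n)* overflows the Java
 * regex engine on long input and that [\s\S]* matches the same text safely.
 */
public class GrokMultilineDemo {

    // Constructed input: repeated PHP warning lines padded to the requested size.
    static String buildMessage(int size) {
        String line = "PHP message: PHP Warning mysqli_connect(): "
                + "(HY000/2002): Connection refused on line 52\n";
        StringBuilder sb = new StringBuilder(size + line.length());
        while (sb.length() < size) {
            sb.append(line);
        }
        sb.setLength(size);
        return sb.toString();
    }

    // Returns "match", "nomatch" or "overflow" for one pattern on one input.
    static String tryMatch(String regex, String input) {
        Pattern p = Pattern.compile(regex);
        try {
            Matcher m = p.matcher(input);
            return m.matches() ? "match" : "nomatch";
        } catch (StackOverflowError e) {
            // Each iteration of the (.|\r|\n) alternation pushes GroupHead/Loop/
            // GroupTail/Branch frames, so recursion depth grows with input length.
            return "overflow";
        }
    }

    public static void main(String[] args) {
        // The multi-line group from the thread's GROK pattern (group name assumed).
        String fragile = "(?<message>(.|\\r|\\n)*)";
        // Same intent as a single character class: one loop step per character, no recursion.
        String safe = "(?<message>[\\s\\S]*)";

        for (int size : new int[] {2048, 4096, 65536}) {
            String msg = buildMessage(size);
            System.out.printf("%6d bytes  fragile=%-9s safe=%s%n",
                    size, tryMatch(fragile, msg), tryMatch(safe, msg));
        }
    }
}
```

The same rewrite applies inside the GROK pattern itself: replacing (.|\r|\n)* with [\s\S]* keeps the multi-line capture while removing the per-character recursion.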


(Jan Doberstein) #2

Please do not post the same message on multiple channels.

For reference, https://github.com/Graylog2/graylog2-server/issues/5155


(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.