Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 4 subscribers
  • Views 867 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Some confd log lines are missing newline character at end of line

William Trelawny

# What is happening:

I'm sending Sophos logs to Graylog via syslog and I noticed on my Graylog server that a few logs from the Sophos UTM confd log had an additional log line appended to the end. I cross-referenced with the actual confd.log file on Sophos and it shows the same thing- there must be a missing newline ("\n") character at the end of some of the logs but not all of them.

Samples from Graylog and the confd.log are pasted below, and these are the only ones in which I noticed this behavior. The only commonality I can see is they both (and only these) include the "sys:AUTOLOAD:307()" function/method call in the log. No other logs in my confd.log include the "AUTOLOAD" string, and no other logs have this EOL issue.

It's also weird that the appended logs' timestamps are in a completely different format than all the other logs.

# Supporting evidence:

From my Graylog server:

<30>2023:04:03-18:48:52 sophos01 confd[21270]: I Role::authenticate:185() => id="3106" severity="info" sys="System" sub="confd" name="authentication successful" user="admin" srcip="10.0.1.15" sid="8f5ed9b2ee3970e638930e98a50042fbbb78bda8e3d8c96e06b12041a8fc48e9" facility="webadmin" client="webadmin.plx" call="new"<31>Apr 3 18:48:52 confd[21270]: D sys::AUTOLOAD:307() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" lock="none" method="get_SID"

<28>2023:04:03-19:06:48 sophos01 confd[23196]: W Message::err_set:1107() => id="3100" severity="warn" sys="System" sub="confd" name="ROLE_ACCESS_BLOCKED_TEMPORARILY (Too many wrong authentication requests, user admin is blocked for 34 seconds.)" user="anonymous" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" call="new" user_name="admin" seconds="34"<31>Apr 3 19:06:48 confd[23196]: D sys::AUTOLOAD:307() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="anonymous" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" lock="none" method="get_SID"

<28>2023:04:03-19:21:35 sophos01 confd[24434]: W Message::err_set:1107() => id="3100" severity="warn" sys="System" sub="confd" name="ROLE_AUTHENTICATION_FAILED (Cannot authenticate user admin, authentication failed.)" user="anonymous" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" call="new" user_name="admin"<31>Apr 3 19:21:35 confd[24434]: D sys::AUTOLOAD:307() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="anonymous" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" lock="none" method="get_SID"

Respective Sophos confd.log lines:

2023:04:03-18:48:52 sophos01 confd[21270]: I Role::authenticate:185() => id="3106" severity="info" sys="System" sub="confd" name="authentication successful" user="admin" srcip="10.0.1.15" sid="8f5ed9b2ee3970e638930e98a50042fbbb78bda8e3d8c96e06b12041a8fc48e9" facility="webadmin" client="webadmin.plx" call="new"<31>Apr  3 18:48:52 confd[21270]: D sys::AUTOLOAD:307() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="admin" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" lock="none" method="get_SID"

2023:04:03-19:06:48 sophos01 confd[23196]: W Message::err_set:1107() => id="3100" severity="warn" sys="System" sub="confd" name="ROLE_ACCESS_BLOCKED_TEMPORARILY (Too many wrong authentication requests, user admin is blocked for 34 seconds.)" user="anonymous" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" call="new" user_name="admin" seconds="34"<31>Apr  3 19:06:48 confd[23196]: D sys::AUTOLOAD:307() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="anonymous" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" lock="none" method="get_SID"
2023:04:03-19:21:35 sophos01 confd[24434]: W Message::err_set:1107() => id="3100" severity="warn" sys="System" sub="confd" name="ROLE_AUTHENTICATION_FAILED (Cannot authenticate user admin, authentication failed.)" user="anonymous" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" call="new" user_name="admin"<31>Apr  3 19:21:35 confd[24434]: D sys::AUTOLOAD:307() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="anonymous" srcip="10.0.1.15" facility="webadmin" client="webadmin.plx" lock="none" method="get_SID"


										


				This thread was automatically locked due to age.
				

					


				
				
		

			
						
									
						
						
						
			
			
			
			
		


			





	

		
	











	

	

					



			


				
	









	
    
	

  • 
	
    



	
		
	
	



    
	
    
		
    
							
					
    
		
    
			
													0
							
			
				
									
							
						
				
			
					
    
	
    

		
		
    
					
    It appears that some logs from the Sophos UTM confd log that are sent to Graylog via syslog are missing a newline character at the end, resulting in an additional log line being appended to the end of the affected logs. This issue only occurs with logs that include the "sys:AUTOLOAD:307()" function call, and the timestamps for the appended logs are in a different format than all other logs. The logs themselves contain information about successful and failed user authentication attempts.
    

    

    

    

    

    

    

    

    

    

    

      

    • In this case, the Sophos logs are sent to Graylog via syslog, but some of the logs are missing a newline character at the end. A newline character is used to indicate the end of a log entry and separate it from the next log entry. Without the newline character, the next log entry is appended to the end of the current log entry, resulting in the additional log line being seen in Graylog.
      • 

    • The missing newline character only affects logs that include the "sys:AUTOLOAD:307()" function call, which is a method used in the confd log. It is likely that the logging mechanism used by Sophos does not properly handle logs that end with this function call, resulting in the missing newline character.
      • 

    • The affected logs contain information about user authentication attempts. Some logs indicate successful authentication, while others indicate failed authentication due to incorrect login credentials or too many failed attempts.
      • 

    • The timestamps for the appended logs are in a different format than all other logs, indicating that they were generated by a different logging mechanism. It is possible that the missing newline character issue is related to this difference in logging mechanism.
      • 

    

    

    

    

    

    

    

    

    

    

    

    

    

    

    

    

    

    

    

    
				                    
    
                
    
            
    
        	
    

		
		
		
		
	
    
	
    
		
    
			
		
    
	
    
	
    
		
						
				
				
				
				
				
		
		
    
			
		
    
	
    

    

    • 

	





	
			





















































			











Unfiltered HTML