This article applies to BoKS Manager 7.0.0.

Description

Unusually long audit log messages (a total length of 2 kB or more) might get stuck in the log relay queues on the Master and Replicas, preventing the queues from being processed, so that they build up instead. In a large, high-volume environment this might in time lead to lost messages, since the maximum queue length is too short.

In addition, bokslogview (and bccasd) fail to parse audit log lines with SD values ending with an escaped \, e.g. "user\\".


Resolution / Workaround

To resolve these issues, apply hotfix HFBM-0172, available for download from the HelpSystems Community Portal.

This hotfix resolves the root cause of the problem, and also includes a number of other improvements to the general robustness of the audit log system in case of any unexpected faulty messages in the future:

  • The length field in the relay queue is now calculated correctly for messages with a length around 2 kB.
  • Certain types of log messages no longer have the full command with parameters duplicated in both the message part and structured data, e.g. suexec and ssh.
  • Extremely long messages are handled more gracefully, and truncated rather than being dropped.
  • The relay server (boks_blogrd) and log server (boks_blogsd) are more robust against malformed messages, to prevent faulty messages from blocking queues.
  • The log relay queues now have a much higher capacity. This change not only affects the log servers, but also servc, master, and eventd.
  • bokslogview and boks_bccasd now parse SD values ending with \\ correctly.
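
The SD value edge case above, as an added example (not BoKS or vendor code): a parser for one syslog structured-data element that consumes each escape pair as a unit, next to a hypothetical look-behind scan that misreads a value ending in \\. It assumes RFC 5424 escaping rules, which the article does not state; the sample line and all names are constructed.

```python
import re

NAME = re.compile(r'[^ =\]"]+')  # SD-ID / PARAM-NAME: no space, '=', ']' or '"'

# Constructed sample (not real BoKS output): the first value ends in an escaped
# backslash, the second contains escaped quotes.
SAMPLE = r'[example@0 user="user\\" cmd="ls \"-l\""]'


def naive_value_end(text, start):
    """Flawed scan (hypothetical): a quote counts as escaped if preceded by '\\'."""
    pos = text.index('"', start)
    while text[pos - 1] == "\\":
        pos = text.index('"', pos + 1)
    return pos


def parse_sd_element(text):
    """Return (sd_id, params) for one '[id name="value" ...]' element."""
    m = NAME.match(text, 1) if text.startswith("[") else None
    if not m:
        raise ValueError("missing '[' or SD-ID")
    sd_id, pos, params = m.group(), m.end(), {}
    while text.startswith(" ", pos):
        m = NAME.match(text, pos + 1)
        if not m or not text.startswith('="', m.end()):
            raise ValueError(f"bad parameter at offset {pos}")
        name, pos, out = m.group(), m.end() + 2, []
        while True:
            if pos >= len(text):
                raise ValueError(f"unterminated value for {name}")
            ch = text[pos]
            if ch == "\\" and text[pos + 1:pos + 2] in ('"', "\\", "]"):
                out.append(text[pos + 1])  # consume the escape pair as one unit
                pos += 2
            elif ch == '"':
                pos += 1  # unescaped quote closes the value
                break
            else:
                out.append(ch)  # includes a lone backslash, kept literally
                pos += 1
        params[name] = "".join(out)
    if not text.startswith("]", pos):
        raise ValueError("missing closing ']'")
    return sd_id, params
```

On the sample, the look-behind scan runs past the real closing quote and swallows the start of the next parameter, while the pair-wise scan recovers both values. The same constructed line can serve as a regression input for any downstream collector that ingests these logs.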



Last Modified On: May 25, 2018