Bug #145
prelude-manager trying to input text into bytea fields and failing
Description
I found weird messages in my logs like this:
prelude-manager: could not insert message into database: Query error: ERROR: invalid input syntax for type bytea .
I did some investigating, and these log entries are happening every time one of my prelude-lml entries derived from ntsyslog comes in. Here's a dump from the manager's debug output:
additional_data(0):
  type: string (0)
  meaning: Log received from
  data: /var/log/winmessages
additional_data(1):
  type: string (0)
  meaning: Original Log
  data: Apr 17 00:26:35 123.123.123.123 security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: Administrator by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: HOST-NAME failed. The error code was: 3221225578
could not insert message into database: Query error: ERROR: invalid input syntax for type bytea .
In the database, prelude_additionaldata's data field is indeed bytea! A cursory googling for this shows that we need to be using PQescapeBytea for this type of field. Can someone fix this?
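The fragment NT AUTHORITY\SYSTEM in the dump above contains a backslash, and in bytea's escape input format a backslash must be followed by another backslash or three octal digits. The added example below (not code from the report, from libpq or from Prelude) models that parser in plain C to show the unescaped text being rejected and the escaped form accepted; bytea_decode, bytea_encode and SAMPLE are hypothetical names, and the extra backslash doubling that a quoted SQL string literal needs is left out.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (an assumption, not PostgreSQL source) of the server's parser
 * for bytea "escape" input: returns decoded length, or -1 for invalid syntax. */
static int oct(char c, char max) { return c >= '0' && c <= max; }
long bytea_decode(const char *in, unsigned char *out)
{
    long n = 0;
    while (*in) {
        if (in[0] != '\\') {
            out[n++] = (unsigned char)*in++;
        } else if (oct(in[1], '3') && oct(in[2], '7') && oct(in[3], '7')) {
            out[n++] = (unsigned char)(((in[1] - '0') << 6) | ((in[2] - '0') << 3) | (in[3] - '0'));
            in += 4;                        /* \ooo: one byte as three octal digits */
        } else if (in[1] == '\\') {
            out[n++] = '\\'; in += 2;       /* \\: a literal backslash */
        } else {
            return -1;                      /* e.g. \S: not a valid escape */
        }
    }
    return n;
}

/* Escape raw bytes for that parser; out needs room for 4*len+1 chars. */
size_t bytea_encode(const unsigned char *in, size_t len, char *out)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (in[i] == '\\')
            n += (size_t)sprintf(out + n, "\\\\");
        else if (in[i] < 0x20 || in[i] > 0x7e)
            n += (size_t)sprintf(out + n, "\\%03o", (unsigned)in[i]);
        else
            out[n++] = (char)in[i];
    }
    out[n] = '\0';
    return n;
}

static const char SAMPLE[] = "NT AUTHORITY\\SYSTEM"; /* fragment of the quoted log line */

int main(void)
{
    unsigned char raw[64]; char esc[4 * sizeof SAMPLE + 1];
    printf("unescaped: %ld\n", bytea_decode(SAMPLE, raw));
    bytea_encode((const unsigned char *)SAMPLE, strlen(SAMPLE), esc);
    printf("escaped %s: %ld bytes\n", esc, bytea_decode(esc, raw));
    return 0;
}
```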
History
#1 Updated by Yoann VANDOORSELAERE almost 18 years ago
- Status changed from New to Assigned
#2 Updated by almost 18 years ago
Why do ntsyslog alerts cause this and not other kinds of logs? I would like to find a temporary fix if I can.
#3 Updated by Yoann VANDOORSELAERE almost 18 years ago
PQescapeBytea() is already called in order to escape the data. Could you please edit your manager configuration file, and in the database configuration section, add the following settings:
log = /tmp/manager-query.log
Then arrange to reproduce the issue, and provide the failing SQL query available from the log file.
Thanks,
#4 Updated by Yoann VANDOORSELAERE almost 18 years ago
- Status changed from Assigned to Closed
- Resolution set to fixed
Fixed in r8224
#5 Updated by Yoann VANDOORSELAERE almost 15 years ago
- Project changed from PRELUDE SIEM to LibpreludeDB
- Category deleted (2)
- Target version deleted (0.9.8)