Hi everyone,
I'm not sure where/how to file a bug report, but we have a Nessus scanner running on our network that sends garbage to TCP/UDP ports it discovers to find exploits.
When this happens, it kills the logstash listeners with no real descriptive error:
{:timestamp=>"2016-02-08T05:05:07.472000-0700", :message=>"syslog listener died", :protocol=>:udp, :address=>"XXX.XXX.XXX.XXX:514", :exception=>#<SocketError: recvfrom: name or service not known>, :backtrace=>["C:/logstash-2.1.1/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-2.0.2/lib/logstash/inputs/syslog.rb:138:in `udp_listener'", "C:/logstash-2.1.1/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-2.0.2/lib/logstash/inputs/syslog.rb:117:in `server'", "C:/logstash-2.1.1/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-2.0.2/lib/logstash/inputs/syslog.rb:97:in `run'"], :level=>:warn}
{:timestamp=>"2016-02-08T05:05:07.472000-0700", :message=>"syslog listener died", :protocol=>:udp, :address=>"XXX.XXX.XXX.XXX:515", :exception=>#<SocketError: recvfrom: name or service not known>, :backtrace=>["C:/logstash-2.1.1/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-2.0.2/lib/logstash/inputs/syslog.rb:138:in `udp_listener'", "C:/logstash-2.1.1/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-2.0.2/lib/logstash/inputs/syslog.rb:117:in `server'", "C:/logstash-2.1.1/vendor/bundle/jruby/1.9/gems/logstash-input-syslog-2.0.2/lib/logstash/inputs/syslog.rb:97:in `run'"], :level=>:warn}
I managed to grab a couple of strings that Nessus is sending to the sockets, and it looks like it's sending Unicode chars in an attempt to run arbitrary code. I don't believe that these particular strings are what's killing the listeners; they are only examples of the types of garbage that Nessus is writing to the sockets. I would be happy to help track this down if I can get some guidance on figuring out exactly what is making the listeners die.
\u0002lp\n
\u0004\fTOB\n
\u0004nessus-1454933147 \n
Input config:
input {
  syslog {
    host => "XXX.XXX.XXX.XXX"
    codec => plain { charset => "CP1252" }
    port => 514
    type => "syslog1"
  }
  syslog {
    host => "XXX.XXX.XXX.XXX"
    port => 515
    type => "syslog2"
  }
}
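The backtrace above shows the exception escaping `udp_listener`'s receive loop, so one datagram that makes `recvfrom` raise takes the whole listener down. The following is an added Ruby example of a per-packet rescue that keeps the loop alive; it is not code from the post or from the logstash-input-syslog plugin, `run_udp_listener`, `ScriptedSocket`, `demo_listener` and the sample syslog line are constructed, and the `do_not_reverse_lookup` line is an assumption about a contributing cause, not something the post establishes.

```ruby
require 'socket'
# Hardened UDP receive loop. The listener in the post let a SocketError from
# recvfrom escape the loop, killing the listener thread; here each recvfrom is
# wrapped, so a bad datagram is counted and logged and the loop keeps serving.
# `sock` needs only recvfrom(maxlen); a nil payload means "socket closed".
def run_udp_listener(sock, logger: nil)
  stats = { received: 0, dropped: 0 }
  # Assumption: skipping reverse DNS on each sender avoids one "name or service
  # not known" path (Ruby's recvfrom resolves the peer address by default).
  sock.do_not_reverse_lookup = true if sock.respond_to?(:do_not_reverse_lookup=)
  loop do
    begin
      payload, addr = sock.recvfrom(65_536)
      break if payload.nil?
      stats[:received] += 1
      yield payload, addr if block_given?
    rescue SocketError, IOError, Errno::ECONNRESET => e
      # ECONNRESET: Windows surfaces ICMP port-unreachable on UDP recv this way.
      stats[:dropped] += 1
      logger&.warn("dropped datagram: #{e.class}: #{e.message}")
    end
  end
  stats
end

# Constructed stand-in for a socket: replays a normal syslog line, the exact
# exception from the post, one of the quoted probe strings, then nil (closed).
class ScriptedSocket
  attr_accessor :do_not_reverse_lookup
  def initialize(script)
    @script = script.dup
  end
  def recvfrom(_maxlen)
    item = @script.shift
    raise item if item.is_a?(Exception)
    item
  end
end

def demo_listener
  script = [
    ["<13>Feb  8 05:05:07 host1 app: hello\n", ["AF_INET", 5140, "host1", "10.0.0.5"]],
    SocketError.new("recvfrom: name or service not known"),
    ["\u0002lp\n", ["AF_INET", 40000, "10.0.0.9", "10.0.0.9"]],
    nil,
  ]
  seen = []
  stats = run_udp_listener(ScriptedSocket.new(script)) { |payload, _| seen << payload }
  [stats, seen] # received: 2, dropped: 1; seen holds the syslog line and "\u0002lp\n"
end
```

With the rescue in place the raising datagram is reported once and the probe string that follows it is still delivered, which is the behaviour the listeners in the post should have had.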