Topic: SME 6.0.1 Unable to view http/access_log

[NickR]

On a clean install of 6.0.1 with SARG & AWSTATS contribs installed, I can view all logfiles except the http/access_log and the file it symlinks to.  The browser just sits with an hourglass forever - no errors are reported in the browser.  The following lines appear in http/admin_error_log:

Use of uninitialized value in concatenation (.) or string at /etc/e-smith/web/panels/manager/cgi-bin/viewlogfiles line 301.
print() on unopened filehandle esmith::FormMagick::LOG at /usr/lib/perl5/site_perl/esmith/FormMagick.pm line 401, <DATA> line 1.

Anyone else getting this? Is there a fix?

[mdo]

Nick,

I can confirm this problem here on some servers but I cannot figure out the pattern when it happens....
A test server which goes through every SME upgrade does this but only on the more recent httpd/acces-logs (?) Older logs (from the times when it was SME6.0 or when there was an older version for whatever contrib (?) it still can open through the server manager's view logfiles panel.

A recently (fresh) install of SMEserver 6.01 with awstats-sme-server-2.3.4-0, sarg-1.2.2-1 and e-smith-sarg-1.2.3-2 does NOT show the problem which I find quite confusing. I suspect it must come from some other contrib installation?

Our production server which is on Mitel SME 6.0, running exactly the same awstats and sarg version also shows the problem and also does allow me to look into older https/access logs (same as our test server).

Regards,
Michael Doerner

[bobk]

On my SME 6.0.1-01 test box with neither of the mentioned contribs installed, I am able to display the httpd/access-log.

However the http/admin_error_log has the the folowing entries added everytime any log file is viewed:

Use of uninitialized value in concatenation (.) or string at /etc/e-smith/web/panels/manager/cgi-bin/viewlogfiles line 301.
print() on unopened filehandle esmith::FormMagick::LOG at /usr/lib/perl5/site_perl/esmith/FormMagick.pm line 401, <DATA> line 1.
print() on unopened filehandle esmith::FormMagick::LOG at /usr/lib/perl5/site_perl/esmith/FormMagick.pm line 401, <DATA> line 1

Note that the 'FormMagick.pm line 401, <DATA> line 1' error is entered twice for every log viewed.

[NickR]

Nick,

I can confirm this problem here on some servers but I cannot figure out the pattern when it happens....
A test server which goes through every SME upgrade does this but only on the more recent httpd/acces-logs (?) Older logs (from the times when it was SME6.0 or when there was an older version for whatever contrib (?) it still can open through the server manager's view logfiles panel.

A recently (fresh) install of SMEserver 6.01 with awstats-sme-server-2.3.4-0, sarg-1.2.2-1 and e-smith-sarg-1.2.3-2 does NOT show the problem which I find quite confusing. I suspect it must come from some other contrib installation?

Michael Doerner

Thanks, Michael.  I've been playing a bit more & I find I can use the "Download" option in the browser panel to view the logfile, so that's a bit of a work-around for now & possibly points to a file mode problem.  I can't see any other contrib installed here that could possibly be trying to access httpd/access-log.  I'm using the same version of SARG, but AWSTATS is v1.0.0-2 due to familiarity & the fact that my stats go back to 2001 <g>  Oh well, more digging required!

[NickR]

On my SME 6.0.1-01 test box with neither of the mentioned contribs installed, I am able to display the httpd/access-log.

However the http/admin_error_log has the the folowing entries added everytime any log file is viewed:

Use of uninitialized value in concatenation (.) or string at /etc/e-smith/web/panels/manager/cgi-bin/viewlogfiles line 301.
print() on unopened filehandle esmith::FormMagick::LOG at /usr/lib/perl5/site_perl/esmith/FormMagick.pm line 401, <DATA> line 1.
print() on unopened filehandle esmith::FormMagick::LOG at /usr/lib/perl5/site_perl/esmith/FormMagick.pm line 401, <DATA> line 1

Note that the 'FormMagick.pm line 401, <DATA> line 1' error is entered twice for every log viewed.

Ah, I hadn't spotted that.  Hmm, the evidence is starting to point to SARG being involved - I'll try un-installing & see what happens.

[mdo]

Nick,

I also checked the download option and found this to be working for me. I find that all the logs which I cannot view in the server manager seem to be (much) larger than the ones that work so I suspect the problem actually might be a resource limitation in the server manager panel to view the files!?

Regards,
Michael

[NickR]

I also checked the download option and found this to be working for me. I find that all the logs which I cannot view in the server manager seem to be (much) larger than the ones that work so I suspect the problem actually might be a resource limitation in the server manager panel to view the files!?

Nope, I have a logrotated file that is larger than the current one & that displays fine.  I did some more playing & it seems that SARG is OK until you run the script to set up the cron jobs to produce the reports - at that point access_log becomes unviewable.  I've looked at the output of lsof, but I can't spot any problem there.

Hmm...

[NickR]

OK, this is getting wierd!  The logs rotated yesterday & now I can see the new httpd/access_log.  Interestingly, the previous one still remains unviewable, but I've noticed (using fuser) that there's a perl script (/dev/fd/4//etc/e-smith/web/panels/manager/cgi-bin/viewlogfiles) & /usr/local/bin/tai64nunix that seem wedged after I attempt to view the file in the browser.  I guess there must be something in that file which is causing tai64nunix to wedge & the script never times out.

Must be One of Those Things (TM) <g>

[NickR]

OK, this is getting wierd!  The logs rotated yesterday & now I can see the new httpd/access_log.  Interestingly, the previous one still remains unviewable, but I've noticed (using fuser) that there's a perl script (/dev/fd/4//etc/e-smith/web/panels/manager/cgi-bin/viewlogfiles) & /usr/local/bin/tai64nunix that seem wedged after I attempt to view the file in the browser.  I guess there must be something in that file which is causing tai64nunix to wedge & the script never times out.

Must be One of Those Things (TM) <g>

Ok, now I have figured out what is happening & it's nothing to do with extra contribs.  The problem is an IIS buffer overflow attack which looks like this:

SEARCH /\x90\x02\xb1\x02\xb1\......

The string is 32,743 bytes long (!) and so exceeds the line buffer size in (I think) tai64nunix.

I will report it to the Bugs team.

[Anonymous]

Nick,

I can confirm this problem here on some servers but I cannot figure out the pattern when it happens....
A test server which goes through every SME upgrade does this but only on the more recent httpd/acces-logs (?) Older logs (from the times when it was SME6.0 or when there was an older version for whatever contrib (?) it still can open through the server manager's view logfiles panel.

A recently (fresh) install of SMEserver 6.01 with awstats-sme-server-2.3.4-0, sarg-1.2.2-1 and e-smith-sarg-1.2.3-2 does NOT show the problem which I find quite confusing. I suspect it must come from some other contrib installation?

Our production server which is on Mitel SME 6.0, running exactly the same awstats and sarg version also shows the problem and also does allow me to look into older https/access logs (same as our test server).

Regards,
Michael Doerner

[dayhat]

I got the same problem when trying to open the http access_log. I choose to download instead of displaying it and that when i saw 'SEARCH /\'. My test server og SME 6.0.01 does not have this problem.