Last Modified: Oct 17, 2023
Affected Product(s):
BIG-IP Install/Upgrade, TMOS
Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4
Opened: Mar 21, 2018 Severity: 3-Major Related Article:
K96275603
Prior to 13.1.0, the left square bracket character '[' was not treated as a special character and therefore did not have to be escaped with a '\'. 13.1.0 (and later) uses a newer version of syslog-ng, 3.8.1, where the left square bracket '[' is a special character and needs to be escaped. If you have a syslog filter that includes a match statement that formerly escaped only the right square bracket and not the left, when you upgrade to 13.1.0 or later, mcpd will fail to start with the following error: 01070920:3: Application error for confpp: Error parsing filter expression, error compiling search pattern, error=Error while compiling PCRE expression, error=missing terminating ] for character class, error_at=10 in /etc/syslog-ng/syslog-ng.conf.
The BIG-IP system fails to start.
-- The pre-v13.1.0 configuration contains a syslog filter that matches a string that contains a left and right square bracket. -- Only the right square bracket is escaped with 2 backslashes. For example: filter f_ssl_acc_req { not (facility(local6) and level(info) and match('[ssl_acc\\]')) or not (facility(local6) and level(info) and match('[ssl_req\\]')); };
You can use either of the following workarounds: -- Prior to upgrading, edit the syslog config with tmsh edit /sys syslog all-properties and escape the left square bracket with 2 backslashes '\', so for: [ssl_acc\\] change to \\[ssl_acc\\]. If you are upgrading to a version before 13.0.0, 13.1.0 or 12.1.5 then please follow the steps further down. Example steps for vi editor =========================== Change from: filter f_ssl_acc_req { not (facility(local6) and level(info) and match('[ssl_acc\\]')) or not (facility(local6) and level(info) and match('[ssl_req\\]')); }; Change to: filter f_ssl_acc_req { not (facility(local6) and level(info) and match('\\[ssl_acc\\]')) or not (facility(local6) and level(info) and match('\\[ssl_req\\]')); }; For any version prior to these below will need 4 backslashes '\\\\' before the [ bracket due to bug ID 631334 not being fixed. Anything Prior to these versions will need 4 \\\\ 13.0.0 13.1.0 12.1.5 Example steps for vi editor =========================== Change from: filter f_ssl_acc_req { not (facility(local6) and level(info) and match('[ssl_acc\\]')) or not (facility(local6) and level(info) and match('[ssl_req\\]')); }; Change to: filter f_ssl_acc_req { not (facility(local6) and level(info) and match('\\\\[ssl_acc\\]')) or not (facility(local6) and level(info) and match('\\\\[ssl_req\\]')); }; For more detailed instructions see K96275603: The mcpd process may not start due to a syslog configuration parsing error after upgrading to BIG-IP 13.1.0 or later :: https://support.f5.com/csp/article/K96275603. -- You can prevent the issue from occurring altogether by defining filters using guidelines outlined in the following documents: -- K16932: Configuring the BIG-IP system to suppress sending SSL access and request messages to remote syslog servers :: https://support.f5.com/csp/article/K16932. -- Syslog-ng FAQ :: https://syslog-ng.com/wiki/syslog-ng-faq-filters.
None