Bug ID 711248: After upgrade to 13.1.0 or later, mcpd fails to start due to syslog config parsing error.

Last Modified: Mar 21, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP Install/Upgrade, TMOS(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3

Opened: Mar 21, 2018
Severity: 3-Major
Related AskF5 Article:
K96275603

Symptoms

Prior to 13.1.0, the left square bracket character '[' was not treated as a special character and therefore did not have to be escaped with a '\'. 13.1.0 (and later) uses a newer version of syslog-ng, 3.8.1, where the left square bracket '[' is a special character and needs to be escaped. If you have a syslog filter that includes a match statement that formerly escaped only the right square bracket and not the left, when you upgrade to 13.1.0 or later, mcpd will fail to start with the following error: 01070920:3: Application error for confpp: Error parsing filter expression, error compiling search pattern, error=Error while compiling PCRE expression, error=missing terminating ] for character class, error_at=10 in /etc/syslog-ng/syslog-ng.conf.

Impact

The BIG-IP system fails to start.

Conditions

-- The pre-v13.1.0 configuration contains a syslog filter that matches a string that contains a left and right square bracket. -- Only the right square bracket is escaped with 2 backslashes. For example: filter f_ssl_acc_req { not (facility(local6) and level(info) and match('[ssl_acc\\]')) or not (facility(local6) and level(info) and match('[ssl_req\\]')); };

Workaround

You can use either of the following workarounds: -- Prior to upgrading, edit the syslog config with tmsh edit /sys syslog all-properties and escape the left square bracket with 4 backslashes '\', so for: [ssl_acc\\] change to \\\\[ssl_acc\\]. Example steps for vi editor =========================== Change from: filter f_ssl_acc_req { not (facility(local6) and level(info) and match('[ssl_acc\\]')) or not (facility(local6) and level(info) and match('[ssl_req\\]')); }; Change to: filter f_ssl_acc_req { not (facility(local6) and level(info) and match('\\\\[ssl_acc\\]')) or not (facility(local6) and level(info) and match('\\\\[ssl_req\\]')); }; For more detailed instructions see K96275603: The mcpd process may not start due to a syslog configuration parsing error after upgrading to BIG-IP 13.1.0 or later :: https://support.f5.com/csp/article/K96275603. -- You can prevent the issue from occurring altogether by defining filters using guidelines outlined in the following documents: -- K16932: Configuring the BIG-IP system to suppress sending SSL access and request messages to remote syslog servers :: https://support.f5.com/csp/article/K16932. -- Syslog-ng FAQ :: https://syslog-ng.com/wiki/syslog-ng-faq-filters.

Fix Information

None

Behavior Change