Bug in Asterisk Logfiles Module ver 15.0.4

Last week a security update was published for the Asterisk Logfiles module to resolve a cross site scripting vulnerability, version 15.0.4. Many (perhaps most) systems would have received the update and installed it automatically in the early morning of August 19. In addition to the XSS fix, there were improvements in logfiles browsing as well as updates on the way the logfiles are managed.

Version 15.0.4 has a new bug that changed the default settings for the full log and console such that logging was completely disabled. The fail2ban asterisk log generated by System Admin for Intrustion Detection was not affected. There are several reports in a few threads here in the forum about this. The immediate work around was to browse to Settings, Asterisk Logfiles and manually enable the log levels desired for both full and console.

As of a few hours ago, there is an updated ver (15.0.7) in the edge repo which resolves this issue. The workaround will continue to work, but you can also update to edge using this command:

fwconsole ma upgrade logfiles --edge

After you apply config, you can confirm log levels are restored to normal with the Asterisk command:

58448910*CLI> logger show channels
Logger queue limit: 1000

Channel                             Type     Formatter  Status    Configuration
-------                             ----     ---------  ------    -------------
/var/log/asterisk/full              File     default    Enabled    - DEBUG NOTICE WARNING ERROR VERBOSE
/var/log/asterisk/fail2ban          File     default    Enabled    - NOTICE WARNING SECURITY
                                    Console  default    Enabled    - DEBUG NOTICE WARNING ERROR VERBOSE
7 Likes

Excellent information.
Worked as described.
Thank you.

1 Like

try this message:
logfiles is the same as the online version, unable to upgrade

Dear Lorne,

from time to time there is a problem from logrotate, saying /etc/cron.daily/logrotate: error opening /var/log/asterisk/fail2ban-202204xx: Permission denied.
Where logfile has a T-flag for what reason ever and therefore cant’t rotated/deleted.
Would you mind updgrading the cron-job with a “chmod 640 /var/log/fail2ban*” at the beginning? What I can find out, that it is always the “oldest” file which causes the error message, which should have been deleted by the cron-job.
Otherwise I do not have any idea how to find out the reason for the “T”-flag of the file.