After upgrading a server running auditd to FreeBSD 12 (from FreeBSD 11.2) we noticed that trail files now have a dot (.) appended to the filename, which our auditdistd receiver thinks is an invalid trail name.
Logs from our receiver:
(receiver) Sender wants to open file "20190920080142.20190920080929.", which has invalid name.
(receiver) Request failed: (seq=3) OPEN(20190920080142.20190920080929.): invalid trail file name.
(receiver) Sender requested append without first opening file.
(receiver) Request failed: (seq=4) APPEND(2646): wrong operations order.
(receiver) Sender requested closing file without first opening it.
(receiver) Request failed: (seq=5) CLOSE(20190920080142.20190920080929.): wrong operations order.
(receiver) Unable to receive request header: Socket is not connected.
Logs from our sender:
(sender) Termination signal received, exiting.
(sender) Receiver returned error (invalid trail file name), disconnecting.
(sender) Disconnected from 172.22.239.16.
I've tested upgrading the receiver to FreeBSD 12 as well but that doesn't seem to fix the issue.
I also found this thread reporting the same issue:
I can reproduce this on a recent 12.1-STABLE.
root audit 56 Nov 18 18:23 20191118172312.20191118172312.
root audit 56 Jan 7 14:44 20200107134414.not_terminated.
My initial direction was the C macro getTSstr, which is defined in contrib/openbsm/bsm/auditd_lib.h:46. But after I saw that the dot is also appended after "not_terminated", the problem must be located somewhere else.
On a recent -CURRENT (r356261) the problem doesn't exist. But the strange thing is that I didn't see any relevant changes within the last 18 months that could have caused this. At least not under contrib/openbsm/.
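A check an administrator could run on the sender after the upgrade, added here as an example (it is not code from the report, from auditdistd or from OpenBSM): it validates trail file names against the two forms that appear in the listings above, a start.stop pair of 14-digit timestamps or start.not_terminated, and lists every name in the audit directory that does not match, which catches the trailing-dot names before auditdistd rejects them at the receiver. The default directory /var/audit and skipping the "current" symlink are assumptions about a stock FreeBSD layout, and the name rule is reconstructed from the page's examples rather than copied from auditdistd's own validator.

```shell
#!/bin/sh
# Added example, not from the bug report or from OpenBSM/auditdistd.
# Accepted trail name forms (reconstructed from the names on this page):
#   <start>.<stop>           e.g. 20190920080142.20190920080929
#   <start>.not_terminated   e.g. 20200107134414.not_terminated
# where each timestamp is exactly 14 digits. A trailing "." (the FreeBSD 12
# symptom) or any other extra character makes the name malformed.

TS='[0-9]{14}'

# trail_name_ok NAME: returns 0 if NAME is well-formed, 1 otherwise.
trail_name_ok() {
    printf '%s\n' "$1" | grep -Eq "^${TS}\.(${TS}|not_terminated)$"
}

# scan_trail_dir [DIR]: print each malformed trail name in DIR (default
# /var/audit, assumed), one per line. Returns 0 if every name is well-formed,
# 1 if at least one is malformed, so it can gate a cron job or a pre-send check.
scan_trail_dir() {
    dir=${1:-/var/audit}
    rc=0
    for path in "$dir"/*; do
        [ -e "$path" ] || continue          # empty dir: the glob stays literal
        name=${path##*/}
        [ "$name" = current ] && continue   # "current" symlink is not a trail (assumed)
        if ! trail_name_ok "$name"; then
            printf 'malformed trail name: %s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# Usage from a shell: scan_trail_dir /var/audit || echo "malformed trails present"
```

Run it on the sender's audit directory; a non-zero exit tells you there are names the receiver will refuse to OPEN, which matches the "invalid trail file name" errors in the receiver log.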
Perhaps this PR is the cause of
Dec 18 21:19:29 dvl auditdistd: Sandbox process exited ungracefully (pid=10469, exitcode=75).