Discussion forum about ELOG, Page 10 of 234
Paid version, posted by Vasio on Mon Jul 4 12:34:13 2022

Good day all,

Does Elog have a paid version that is not open sourced?

 

regards


William Vasio 

    Re: Paid version, posted by Stefan Ritt on Thu Jul 7 10:56:39 2022

There is only an open source version.

Vasio wrote:

Good day all,

Does Elog have a paid version that is not open sourced?

 

regards


William Vasio 

 

Paid version, posted by Vasio on Mon Jul 4 12:32:01 2022

Good day all,

Does Elog have a paid version that is not open sourced?

 

regards


William Vasio 

Slow performance, posted by Alan Grant on Tue Jun 28 18:53:50 2022

We're up to 30 logbooks, 3.2GB data total and the Elog daemon has now become slow. Performance stats show 100% CPU on startup, which then reduces. Searches and general UI activity are slow. It runs on a VM with 4GB memory allocated. Up to 15 concurrent users.

Trimming and archiving some data files may help but I gather overall this is underpowered hardware in this instance, so what are the recommended system requirements for a config like this?

    Re: Slow performance, posted by Andreas Luedeke on Sat Jul 2 14:39:41 2022

We have 68 logbooks and currently 60 GB data total. We run it as well on a VM, in our case with 8GB RAM.
The speed of ELOG is mostly given by the filesystem: when we had AFS it was very slow. With NFS it was better. But we now use a local disk on the VM: that is much better.
If you want to have the best performance (upload of large files can still slow down all users) then I would recommend a local SSD for the file system of elogd.

You might talk to your system administrator: they can likely provide a local SSD on the VM server host.

Alan Grant wrote:

We're up to 30 logbooks, 3.2GB data total and the Elog daemon has now become slow. Performance stats show 100% CPU on startup, which then reduces. Searches and general UI activity are slow. It runs on a VM with 4GB memory allocated. Up to 15 concurrent users.

Trimming and archiving some data files may help but I gather overall this is underpowered hardware in this instance, so what are the recommended system requirements for a config like this?

 

Edit entry from command line and appending attachment, posted by Andrea Capra on Sun Jun 26 01:47:02 2022

I would like to edit an existing entry by adding new attachments at each call of elog from the command line.

If I issue

elog -h localhost -p 8XXX -l test -f /path/to/file_0.pdf -e N -x

and then 

elog -h localhost -p 8XXX -l test -f /path/to/file_1.pdf -e N -x

file_1.pdf replaces file_0.pdf, while I'd like entry N to have both pdfs.

Is there a workaround?

 

 

ldap Invalid user name or password!, posted by Fred Nerks on Wed May 11 09:54:17 2022

Hi I am running elog on windows 2022 server and trying to use ldap for Auth.

No matter what i do I cannot get it to authenticate against the DC.

Invalid user name or password!

11-May-2022 17:09:15 [xxx.xxx.xxx.xxx] {TrainingHouse1} LOGIN user "xxxxx" (attempt)

Using an LDAP browser I can connect to the DC without issue so not firewall.

Not sure what I am doing wrong.

[global]
port = 5050
Page title = Elog Training
Entries per page = 25
Password file = password.pwd
List page title = Elog Training
Login page title = Elog Training
Show top groups = 0
Logbook tabs = 0
Menu commands = Back, New, Find, Download, Logout
List Menu commands = New, Find, Logout
Self register = 0
Max content length = 100000
Allow password change = 0
Enable attachments = 0
Show attachments = 0
Hide attachments = 1
List after submit = 1
Logout to main = 0
Allowed encoding = 5
Default encoding = 1
Welcome title = Elog Training LogBook.
## Welcome title = <font size=5 color=white>Elog Training LogBook </font><img src="elog.png">
Summary lines = 5
Summary line length = 100
Search all logbooks = 0
Refresh = 300
Login expiration = 0
Reply string = 
Suppress default = 2
Thread display = $category entered by $author on $Entry time
Thread icon = Icon
Preset on reply author = $long_name
All display limit = 300
Start page = ?last=31
Bottom text =
Bottom text login = <font size=5 color=Red><center></br>ELOG Training web site</center></font>

[ADTrainingHouse1]
Hidden = 0
Authentication = LDAP, File
LDAP server = ldap://xxxxxx.xxxxx.xxxx.xxxx.xxxx.au:389
LDAP userbase = OU=Users,OU=CP,DC=xxxx,DC=xxxx,DC=xxxx,DC=xxxx,DC=au
LDAP login attribute = uid
LDAP register = 0
Theme = default
Comment =Training House 1 LogBook
Preset Author = $long_name
Locked Attributes = Author
Attributes = Category, Codes, Residents Involved, Medical, Synopsis, Event Date, Author
Options Synopsis = Yes, No
MOptions Medical = Yes
MOptions Residents Involved = Pleaseadd, Test User
Extendable options = Residents Involved
Style Synopsis Yes = background-color:yellow
Style Medical Yes = background-color:green
Type Event Date = datetime
Preset Event Date = $datetime
Date format %A %B %d %Y %H:%M 
List Display = ID, Event Date, Category, Medical, Codes, Residents Involved, Synopsis, Date, Author
MOptions Category = Assault, Death, Fire, Illness, Inappropriate Sexualised Behaviour, Injury To Child, Injury To Staff, Property Damage, Self-Harm, Substance Misuse, Theft/Loss, Threat
MOptions Codes = MED, ACH, LEGAL, MPR, P/C, PSYCH, MFP, BEH, INC, CM, FAM, INFO, MVT, OBS, POLICE, PROG, ROU, VIS, S/O
Required Attributes = Author, Event Date, Codes
Style Codes MED = background-color:green
Page Title = DCP Elog Training
Reverse sort = 1
Quick filter = Date, Category, Codes, Medical,
Sort Attributes = Event Date
Logfile = traininghouse1.log
Logging level = 3
Bottom text =

    Re: ldap Invalid user name or password!, posted by Fred Nerks on Mon May 23 07:48:40 2022

 


Is anyone able to assist with what I am doing wrong? Has anyone successfully used LDAP in Windows elog?

PDF preview special steps to enable, posted by Konstantin Olchanski on Fri May 6 21:12:11 2022
Ubuntu LTS 20.04 and others have elog PDF preview disabled by default. To enable,
please follow these steps, see https://daq00.triumf.ca/DaqWiki/index.php/Ubuntu#Enable_elog_PDF_preview

Enable elog PDF preview
see https://stackoverflow.com/questions/52998331/imagemagick-security-policy-pdf-blocking-conversion

xemacs -nw /etc/ImageMagick-6/policy.xml
remove this section at the end:
<!-- disable ghostscript format types -->
<policy domain="coder" rights="none" pattern="PS" />
<policy domain="coder" rights="none" pattern="PS2" />
<policy domain="coder" rights="none" pattern="PS3" />
<policy domain="coder" rights="none" pattern="EPS" />
<policy domain="coder" rights="none" pattern="PDF" />
<policy domain="coder" rights="none" pattern="XPS" />

K.O.
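
An added example (not part of the post above and not ELOG or ImageMagick code): a small audit of an ImageMagick `policy.xml` that reports which of the six Ghostscript-backed coders named in the post are still set to `rights="none"`. The two policy texts are constructed samples; the second models a narrower edit than removing the whole section, in which only the `PDF` line is dropped, and treating any matching `rights="none"` entry as blocking is a simplifying assumption.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# The six coder patterns from the "disable ghostscript format types" section.
GHOSTSCRIPT_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample: the section quoted in the post, wrapped in a minimal <policymap>.
STOCK_POLICY = """<policymap>
  <!-- disable ghostscript format types -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
"""

# Constructed sample: the same file with only the PDF line removed.
EDITED_POLICY = STOCK_POLICY.replace(
    '  <policy domain="coder" rights="none" pattern="PDF" />\n', "")


def expand_braces(pattern):
    """Expand a single {A,B,C} group, a form policy patterns may use."""
    m = re.fullmatch(r"(.*?)\{([^{}]*)\}(.*)", pattern)
    if m is None:
        return [pattern]
    head, body, tail = m.groups()
    return [head + alt.strip() + tail for alt in body.split(",")]


def blocked_ghostscript_coders(policy_xml):
    """Return the Ghostscript coders that some coder policy sets to rights="none".

    Assumption: an entry with rights="none" blocks every coder its pattern
    matches; precedence between conflicting entries is not modelled, and
    names are compared case-insensitively.
    """
    root = ET.fromstring(policy_xml)
    blocked = set()
    for policy in root.iter("policy"):
        if policy.get("domain", "").lower() != "coder":
            continue
        if policy.get("rights", "").strip().lower() != "none":
            continue
        for glob in expand_braces(policy.get("pattern", "")):
            for coder in GHOSTSCRIPT_CODERS:
                if fnmatch.fnmatchcase(coder, glob.upper()):
                    blocked.add(coder)
    # Report in the same order as the section in the post.
    return [c for c in GHOSTSCRIPT_CODERS if c in blocked]


def pdf_preview_allowed(policy_xml):
    """True when no coder policy in the file blocks PDF conversion."""
    return "PDF" not in blocked_ghostscript_coders(policy_xml)


if __name__ == "__main__":
    for name, text in (("stock", STOCK_POLICY), ("edited", EDITED_POLICY)):
        print(name, "blocked:", blocked_ghostscript_coders(text),
              "PDF preview allowed:", pdf_preview_allowed(text))
```

To audit a real installation, pass the contents of `/etc/ImageMagick-6/policy.xml` to `blocked_ghostscript_coders()`.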
    Re: PDF preview special steps to enable, posted by Stefan Ritt on Tue May 10 22:40:26 2022 (attachment: img.pdf.gz)
I have a PDF file created by root which ImageMagick cannot convert to a .png file. If I do

convert img.pdf img.png

it works on my mac, but under RH7.4 the program goes into an infinite loop eating 100% CPU.

I attached the img.pdf, but compressed it to img.pdf.gz, otherwise I cannot post here.

Can anyone figure out why ImageMagick won't convert that file?
elog root path, posted by Antonio Bulgheroni on Thu May 5 11:14:20 2022

Dear all,

I have a question for you. On my elog server I have plenty of images not included in any logbook entry, but that nevertheless I would like the user to have access to via the browser. In other words, I would like to have a link like this https://myelog/my_pics_folder/my_pic.png

I have realized that if I put my_pics_folder in the script folder, then it works as I wanted, but I strongly doubt this is the right position. If I put in the resources folder, it is not found and the elogd displays a message saying that my_pics_folder is not a valid logbook.

Do you have any suggestions for this problem? 

 

Thanks in advance and enjoy your day!

toto

Vulnerability?, posted by Alessandro Petrolini on Thu Mar 3 08:26:40 2022

Hi, I have been using elog for years at CERN.

Now I installed it on my local workstation at my home institute

and sysadmin reported the following vulnerabilities:

  - Configuration File Disclosure (CVE-2019-3992)

  - Password Hash Disclosure (CVE-2019-3993)

  - Use After Free (CVE-2019-3994)

  - NULL Pointer Dereference (CVE-2019-3995)

  - Unintended Proxy (CVE-2019-3996)

Am I doing something wrong?

sysadmin will not allow me to use it until it is fixed....

Any help is welcome.

 

    Re: Vulnerability?, posted by Konstantin Olchanski on Thu Mar 3 16:49:40 2022
The CVEs you refer to are very old and have been fixed a long time ago.

Please refer to:
https://www.tenable.com/security/research/tra-2019-53

This report states that all the reported problems are fixed as of ELOG 3.1.4-283534d or later.

Note that the elog git history does not refer to these CVEs because
they were fixed before the CVE number was assigned, per "Disclosure Timeline"
in the above document. The relevant commits are listed under "Additional References".

K.O.
       Re: Vulnerability?, posted by Alessandro Petrolini on Fri Mar 4 08:51:24 2022
Ok, many many thanks!
I will pass the info to my sysadmin.
Best Regards.

> The CVEs you refer to are very old and have been fixed a long time ago.
> 
> Please refer to:
> https://www.tenable.com/security/research/tra-2019-53
> 
> This report states that all the reported problems are fixed as of ELOG 3.1.4-283534d or later.
> 
> Note that the elog git history does not refer to these CVEs because
> they were fixed before the CVE number was assigned, per "Disclosure Timeline"
> in the above document. The relevant commits are listed under "Additional References".
> 
> K.O.
          Re: Vulnerability?, posted by Alessandro Petrolini on Sun Mar 6 09:00:33 2022
> Ok, many many thanks!
> I will pass the info to my sysadmin.
> Best Regards.
> 
> > The CVEs you refer to are very old and have been fixed a long time ago.
> > 
> > Please refer to:
> > https://www.tenable.com/security/research/tra-2019-53
> > 
> > This report states that all the reported problems are fixed as of ELOG 3.1.4-283534d or later.
> > 
> > Note that the elog git history does not refer to these CVEs because
> > they were fixed before the CVE number was assigned, per "Disclosure Timeline"
> > in the above document. The relevant commits are listed under "Additional References".
> > 
> > K.O.

Am I wrong that the windows executable version on the site is dated 2018? 3.1.4-2?
             Re: Vulnerability?, posted by Konstantin Olchanski on Sun Mar 6 17:33:04 2022
> > > The CVEs you refer to are very old and have been fixed a long time ago.
> 
> Am I wrong that the windows executable version on the site is dated 2018? 3.1.4-2?

I confirm. Windows executables at https://elog.psi.ch/elog/download/windows/
and Debian packages at https://packages.debian.org/search?keywords=elog all
appear to be older than the cve fixes.

I trust Stefan is reading this thread and will do something about it. My vote would
be to remove the download link to the windows executables and ask Debian to remove
the elog package. I think they have a way for upstream developers (Stefan) to request
removal of unmaintained out-of-date insecure versions of their stuff. ROOT
was in the same situation years ago, the Debian package for ROOT was very old version,
also built incorrectly, and everybody complained to us that our stuff does
not work (midas, rootana, etc).

K.O.
                Re: Vulnerability?, posted by Stefan Ritt on Mon Mar 7 08:49:41 2022
> I trust Stefan is reading this thread and will do something about it. My vote would
> be to remove the download link to the windows executables and ask Debian to remove
> the elog package. I think they have a way for upstream developers (Stefan) to request
> removal of unmaintained out-of-date insecure versions of their stuff. ROOT
> was in the same situation years ago, the Debian package for ROOT was very old version,
> also built incorrectly, and everybody complained to us that our stuff does
> not work (midas, rootana, etc).

Yeah, I have to recompile the Windows version. Unfortunately my old Windows PC is gone, I
switched now completely to MacOSX and Linux. Probably have to borrow something from somewhere.
If anybody can compile the Windows version with the current source code I would be happy.

Stefan
                   Re: Vulnerability?, posted by Daniel Pfuhl on Mon Mar 7 14:30:16 2022
> 
> Yeah, I have to recompile the Windows version. Unfortunately my old Windows PC is gone, I
> switched now completely to MacOSX and Linux. Probably have to borrow something from somewhere.
> If anybody can compile the Windows version with the current source code I would be happy.
> 
> Stefan

That would be most welcome!
I tried to recompile the windows version a while ago but didn't manage it.
I'm just a simple ELOG __user__ ^^
Looking forward to the new precompiled Windows version.

Thnx in advance!

daniel
                   Re: Vulnerability?, posted by Jan Just Keijser on Mon Mar 7 17:46:39 2022
> > I trust Stefan is reading this thread and will do something about it. My vote would
> > be to remove the download link to the windows executables and ask Debian to remove
> > the elog package. I think they have a way for upstream developers (Stefan) to request
> > removal of unmaintained out-of-date insecure versions of their stuff. ROOT
> > was in the same situation years ago, the Debian package for ROOT was very old version,
> > also built incorrectly, and everybody complained to us that our stuff does
> > not work (midas, rootana, etc).
> 
> Yeah, I have to recompile the Windows version. Unfortunately my old Windows PC is gone, I
> switched now completely to MacOSX and Linux. Probably have to borrow something from somewhere.
> If anybody can compile the Windows version with the current source code I would be happy.
> 
> Stefan

FWIW: you could cross-compile on Linux using 
   make CC=x86_64-w64-mingw32-gcc CFLAGS="-D_MSC_VER -DHAVE_VASPRintF -Imxml" LIBS="-Wl,--allow-multiple-definition -ladvapi32 -lwsock32 -lssl -lcrypto"
or so I thought... with build 3.1.4 - 395e101 I did manage, finally. 
However, with the latest git version everything seems to have been renamed to .cxx files (though it's still plain C ??!?!?) and my quick and dirty compile hack did not work. The binaries do work, I can start the server and access it via the web interface.
                      Re: Vulnerability?, posted by Jan Just Keijser on Wed Mar 9 17:55:31 2022 (attachment: elog-3.1.4-1ebfd06c-win64.zip)
I've built the last C version of elog in git, revision 1ebfd06c using mingw-64 ; the resulting binaries work for me on Windows 2019.
Attached is a zip file with the binaries.
I was not able to create a new installer, these are just the executables
                         Re: Vulnerability?, posted by Daniel Pfuhl on Tue Apr 19 15:47:59 2022
> I've built the last C version of elog in git, revision 1ebfd06c using mingw-64 ; the resulting binaries work for me on Windows 2019.
> Attached is a zip file with the binaries.
> I was not able to create a new installer, these are just the executables

I tried to just exchange the attached binaries in my installation but this didn't work.
elogd was not able to start.

Regards,

daniel
                            Re: Vulnerability?, posted by Jan Just Keijser on Tue Apr 19 17:02:57 2022
> > I've built the last C version of elog in git, revision 1ebfd06c using mingw-64 ; the resulting binaries work for me on Windows 2019.
> > Attached is a zip file with the binaries.
> > I was not able to create a new installer, these are just the executables
> 
> I tried to just exchange the attached binaries in my installation but this didn't work.
> elogd was not able to start.

hmmm strange - did you get an error message or did the binary simply not start?  I've only tested this on a single Windows machine....
                               Re: Vulnerability?, posted by Daniel Pfuhl on Tue Apr 19 20:13:04 2022
> > > I've built the last C version of elog in git, revision 1ebfd06c using mingw-64 ; the resulting binaries work for me on Windows 2019.
> > > Attached is a zip file with the binaries.
> > > I was not able to create a new installer, these are just the executables
> > 
> > I tried to just exchange the attached binaries in my installation but this didn't work.
> > elogd was not able to start.
> 
> hmmm strange - did you get an error message or did the binary simply not start?  I've only tested this on a single Windows machine....

Error message is:

Error 1053: The service did not respond to the start or control request in a timely fashion.

I have to admit that I'm doing all this on a Server 2012 machine.
                                  Re: Vulnerability?, posted by Jan Just Keijser on Fri Apr 22 17:10:24 2022
> > > > I've built the last C version of elog in git, revision 1ebfd06c using mingw-64 ; the resulting binaries work for me on Windows 2019.
> > > > Attached is a zip file with the binaries.
> > > > I was not able to create a new installer, these are just the executables
> > > 
> > > I tried to just exchange the attached binaries in my installation but this didn't work.
> > > elogd was not able to start.
> > 
> > hmmm strange - did you get an error message or did the binary simply not start?  I've only tested this on a single Windows machine....
> 
> Error message is:
> 
> Error 1053: The service did not respond to the start or control request in a timely fashion.
> 
> I have to admit that I'm doing all this on a Server 2012 machine.


Windows Server 2012 itself is almost EOL but it should still work, I believe.  I did see that the elog314-2.exe file is a Win32 binary whereas my binaries are 64bit. On Windows Server 2019 this did not cause any issues.
Can you try the following
- extract the new elogd.exe binary somewhere , e.g. c:\temp\elogd.exe
- then type
  cd \Program Files (x86)\ELOG
  \temp\elogd.exe

- post the output/error code that you see.


  
                   Re: Vulnerability?, posted by Laurent Jean-Rigaud on Mon Mar 7 22:07:54 2022 (attachment: elog-3.1.4-395e101.zip)
> > I trust Stefan is reading this thread and will do something about it. My vote would
> > be to remove the download link to the windows executables and ask Debian to remove
> > the elog package. I think they have a way for upstream developers (Stefan) to request
> > removal of unmaintained out-of-date insecure versions of their stuff. ROOT
> > was in the same situation years ago, the Debian package for ROOT was very old version,
> > also built incorrectly, and everybody complained to us that our stuff does
> > not work (midas, rootana, etc).
> 
> Yeah, I have to recompile the Windows version. Unfortunately my old Windows PC is gone, I
> switched now completely to MacOSX and Linux. Probably have to borrow something from somewhere.
> If anybody can compile the Windows version with the current source code I would be happy.
> 
> Stefan

Hi Stefan,

I don't find any howto to build elog under windows, so I tried to compile elog-latest sources with cygwin (packages gcc + openssl-devel + openldap-devel + make).
It builds, I could start elogd.exe and connect to localhost:8080!
I generated a zip with the cygwin dll needed to launch elogd and tools. I think they could be enclosed (maybe the cygwin licence file has to be added?).

Btw it should be possible to crossbuild it under Mac or Linux. The problem is to test it ;-). On Mac, you can use UTM to create a Windows VM to do the work.

Bye
Laurent
                   Re: Vulnerability?, posted by Florian Heigl on Mon Apr 18 19:16:36 2022
> > I trust Stefan is reading this thread and will do something about it. My vote would
> > be to remove the download link to the windows executables and ask Debian to remove
> > the elog package. I think they have a way for upstream developers (Stefan) to request
> > removal of unmaintained out-of-date insecure versions of their stuff. ROOT
> > was in the same situation years ago, the Debian package for ROOT was very old version,
> > also built incorrectly, and everybody complained to us that our stuff does
> > not work (midas, rootana, etc).
> 
> Yeah, I have to recompile the Windows version. Unfortunately my old Windows PC is gone, I
> switched now completely to MacOSX and Linux. Probably have to borrow something from somewhere.
> If anybody can compile the Windows version with the current source code I would be happy.

it would be good if the current state was listed in https://elog.psi.ch/elogs/Vulnerabilities/ 
It seems there's now updated builds for at least windows, and the debian package still outdated?

Personally, I don't think removing download links and pulling packages should be more than a temporary measure.
Treating people fairly IMHO means they should be able to reach a safe version by the same means that brought and left them exposed.

A clear central source would be best, one that has 

- package autobuilds
- source
- cve list

If I understand correctly, currently only the source is up to date?


(I found py_elog on Github, so it could be an easy option to mirror ELOG there and let some free service handle the autobuilds.
I don't know how well one can flag vulnerabilities there, but likely it's possible, and ideally more people would help there.)


p.s.: My hat is off to the sysadmin who checked carefully, I wanted to introduce ELOG in a windows-centric place and I can't swear I would have checked this (official) download as well.
                      Re: Vulnerability?, posted by Konstantin Olchanski on Tue Apr 19 21:15:19 2022
> it would be good if the current state was listed in https://elog.psi.ch/elogs/Vulnerabilities/
> It seems there's now updated builds for at least windows

I checked with Stefan and he plans to address both of those fairly soon.

> debian package still outdated?

We reached out to the package maintainer (who is not us), if he cannot help,
we will request package removal through debian official channels. Then we have
to repeat same for the ubuntu package.

> A clear central source would be best ...

this already exists. git clone, make, run.

> p.s.: My hat is off to the sysadmin who checked carefully, I wanted to introduce ELOG in a windows-centric place and I can't swear I would have checked this (official) download as well.

I usually check the date of stuff I install and go "hmm..." if it is not super fresh or very fresh.

K.O.
                         Re: Vulnerability?, posted by Konstantin Olchanski on Fri Apr 22 21:15:37 2022
> > debian package still outdated?
> We reached out to the package maintainer

the good Roger Kalt requested removal of debian package elog
and it is now removed from debian-unstable. I am not sure
if it can be removed from debian-stable releases (debian-11, debian-10).

https://tracker.debian.org/pkg/elog
https://tracker.debian.org/news/1320035/removed-313-1-1-from-unstable/

K.O.
                            Re: Vulnerability?, posted by Konstantin Olchanski on Tue Apr 26 17:39:49 2022
> > > debian package still outdated?
> removed from debian-unstable
> https://tracker.debian.org/pkg/elog
> https://tracker.debian.org/news/1320035/removed-313-1-1-from-unstable/

contacted security@debian.org and they requested removal from the next buster/bullseye point releases:

https://bugs.debian.org/1010196
https://bugs.debian.org/1010197

next is to request removal of ubuntu package.

K.O.
                               history of long-removed freebsd package, Re: Vulnerability?, posted by Konstantin Olchanski on Tue Apr 26 18:03:03 2022
> > > > debian package still outdated?

the freebsd elog package was removed back in 2014 during
a purge of "not staged" packages. Originally submitted
in 2006, went through at least two maintainers.

https://www.freshports.org/www/elog/

K.O.
                               Re: Vulnerability?, posted by Konstantin Olchanski on Wed Apr 27 19:36:25 2022
> next is to request removal of ubuntu package.

contacted ubuntu security team, got very quick response.

they noted our request and informed us that ubuntu cannot remove packages from existing releases.

https://bugs.launchpad.net/ubuntu/+source/elog/+bug/1970480

K.O.
                      Re: Vulnerability?, posted by Andreas Luedeke on Fri Apr 22 12:55:21 2022
 
> it would be good if the current state was listed in https://elog.psi.ch/elogs/Vulnerabilities/ 
> It seems there's now updated builds for at least windows, and the debian package still outdated?
> 
> Personally, I don't think removing download links and pulling packages should be more than a temporary measure.
> Treating people fairly IMHO means they should be able to reach a safe version by the same means that brought and left them exposed.
> 
> A clear central source would be best, one that has 
> 
> - package autobuilds
> - source
> - cve list
> 
> If I understand correctly, currently only the source is up to date?
> 
> 
> (I found py_elog on Github, so it could be an easy option to mirror ELOG there and let some free service handle the autobuilds.
> I don't know how well one can flag vulnerabilities there, but likely it's possible, and ideally more people would help there.)
> 
> 
> p.s.: My hat is off to the sysadmin who checked carefully, I wanted to introduce ELOG in a windows-centric place and I can't swear I would have checked this (official) download as well.

Very good ideas! Go ahead and implement them! We very much appreciate your contribution.
       Re: Vulnerability?, posted by Konstantin Olchanski on Sat Apr 23 18:05:57 2022
> The CVEs you refer to are very old and have been fixed a long time ago.
> 
> Please refer to:
> https://www.tenable.com/security/research/tra-2019-53
> 
> This report states that all the reported problems are fixed as of ELOG 3.1.4-283534d or later.
> 
> Note that the elog git history does not refer to these CVEs because
> they were fixed before the CVE number was assigned, per "Disclosure Timeline"
> in the above document. The relevant commits are listed under "Additional References".
> 
> K.O.

I should better capture these "additional references" and the "disclosure timeline"
before they vanish from tenable.com:
https://www.tenable.com/security/research/tra-2019-53

Additional References
https://bitbucket.org/ritt/elog/commits/7367647d40d9b43d529d952d3a063d53606697cb
https://bitbucket.org/ritt/elog/commits/38c08aceda8e5ac4bfdcc040710b5792bd5fe4d3
https://bitbucket.org/ritt/elog/commits/32ba07e19241e0bcc68aaa640833424fb3001956
https://bitbucket.org/ritt/elog/commits/15787c1edec1bbe1034b5327a9d6efa710db480b
https://bitbucket.org/ritt/elog/commits/283534d97d5a181b09960ae1f0c53dbbe42d8a90

Disclosure Timeline
12/3/2019 - Notice sent to stefan.ritt - AT - psi.ch. 90 day is March 3, 2020
12/4/2019 - Dr. Ritt acknowledges the report.
12/9/2019 - Dr. Ritt stages fixes in bitbucket.
12/9/2019 - Tenable provides feedback.
12/10/2019 - Dr. Ritt acknowledges.
12/11/2019 - Tenable reserves CVE.
12/11/2019 - Tenable notes the various ELOG instances maintained by Paul Scherrer Institute are patched.
12/11/2019 - Tenable informs Dr. Ritt and Mr. Roger Kalt (Debian/Ubuntu package manager) of intent to publish CVE tomorrow (Dec. 12).

K.O.
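
An added example, not from the thread, from Tenable or from the ELOG project: the suffix of an ELOG version string is a git commit hash, so "3.1.4-283534d or later" cannot be decided by comparing strings; it is a question of git ancestry. The sketch takes the output of `git rev-list <build-hash>` run in an ELOG clone (every commit contained in that build) and reports which of the five fix commits listed above are missing. The two build hashes and both rev-list samples are constructed and do not reflect the real ELOG history.

```python
import re

# Fix commits listed under "Additional References" in the post above.
FIX_COMMITS = (
    "7367647d40d9b43d529d952d3a063d53606697cb",
    "38c08aceda8e5ac4bfdcc040710b5792bd5fe4d3",
    "32ba07e19241e0bcc68aaa640833424fb3001956",
    "15787c1edec1bbe1034b5327a9d6efa710db480b",
    "283534d97d5a181b09960ae1f0c53dbbe42d8a90",
)

VERSION_RE = re.compile(r"(?:ELOG\s+)?V?(\d+\.\d+\.\d+)-([0-9A-Za-z]+)")

# Constructed build hashes and rev-list outputs (not real ELOG commits).
FIXED_BUILD = "c0ffee0" + "0" * 33
OLD_BUILD = "deadbee" + "f" * 33
SAMPLE_FIXED_REVLIST = "\n".join([FIXED_BUILD, *reversed(FIX_COMMITS), "1" * 40])
SAMPLE_OLD_REVLIST = "\n".join([OLD_BUILD, FIX_COMMITS[0], "1" * 40])


def parse_build(version_string):
    """Split e.g. 'ELOG V3.1.5-2eba886' into ('3.1.5', '2eba886').

    The hash is None when the suffix is not a commit hash, as in the
    installer revision '3.1.4-2' discussed in the thread.
    """
    m = VERSION_RE.search(version_string)
    if m is None:
        raise ValueError("no ELOG version found in %r" % version_string)
    version, suffix = m.group(1), m.group(2).lower()
    if re.fullmatch(r"[0-9a-f]{7,40}", suffix):
        return version, suffix
    return version, None


def missing_fixes(rev_list_output):
    """Return the fix commits that do not appear in `git rev-list` output."""
    ancestors = {line.strip().lower() for line in rev_list_output.splitlines()
                 if line.strip()}
    return [c for c in FIX_COMMITS if c not in ancestors]


def assess(version_string, rev_list_output=None):
    """Classify a build as 'fixed', 'vulnerable: ...' or 'unknown: ...'."""
    _, build_hash = parse_build(version_string)
    if build_hash is None:
        return "unknown: version string carries no commit hash"
    if rev_list_output is None:
        return "unknown: need output of git rev-list " + build_hash
    lines = rev_list_output.split()
    # git rev-list prints the starting commit first; reject mismatched input.
    if not lines or not lines[0].lower().startswith(build_hash):
        raise ValueError("rev-list output does not start at " + build_hash)
    missing = missing_fixes(rev_list_output)
    if not missing:
        return "fixed"
    return "vulnerable: missing " + ", ".join(h[:7] for h in missing)


if __name__ == "__main__":
    print(assess("ELOG V3.1.4-c0ffee0", SAMPLE_FIXED_REVLIST))
    print(assess("ELOG V3.1.4-deadbee", SAMPLE_OLD_REVLIST))
    print(assess("3.1.4-2"))
```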
ELOG V3.1.5-2eba886