On Wed, 2005-02-02 at 11:35 -0500, Philip J. Hollenback wrote:
> The syslog-ng reference manual (and the sample syslog-ng.conf for RedHat) indicate that /dev/log on linux is a stream socket. However, other utilities think that /dev/log is a datagram socket. To see this, configure syslog-ng to open /dev/log with unix_stream and then strace the logger command. logger tries to open /dev/log as a datagram socket first, fails, and then falls back to opening it as a stream socket:
>
> socket(PF_FILE, SOCK_DGRAM, 0) = 1
> fcntl64(1, F_SETFD, FD_CLOEXEC) = 0
> connect(1, {sa_family=AF_FILE, path="/dev/log"}, 16) = -1 EPROTOTYPE (Protocol wrong type for socket)
> close(1) = 0
> socket(PF_FILE, SOCK_STREAM, 0) = 1
> fcntl64(1, F_SETFD, FD_CLOEXEC) = 0
> connect(1, {sa_family=AF_FILE, path="/dev/log"}, 16) = 0
> send(1, "<13>Feb 2 11:19:50 phil: test m"..., 39, 0) = 39
> rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
> close(1) = 0
>
> If, however, you open /dev/log with unix_dgram and then run logger, it's happier:
>
> socket(PF_FILE, SOCK_DGRAM, 0) = 1
> fcntl64(1, F_SETFD, FD_CLOEXEC) = 0
> connect(1, {sa_family=AF_FILE, path="/dev/log"}, 16) = 0
> send(1, "<13>Feb 2 11:21:28 phil: test m"..., 45, 0) = 45
> rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
> close(1) = 0
This is normal: both logger and libc try to detect which socket is being used for /dev/log. They try SOCK_DGRAM first, but that's all.
> This indicates to me that the syslog-ng documentation and sample syslog-ng.conf files should be changed to show you should open /dev/log with unix_dgram on linux, not with unix_stream.
>
> This is with the 2.4.22 kernel, maybe this is something that changed at some point?
I think it was around 1999 when /dev/log was changed from SOCK_STREAM to SOCK_DGRAM because of some security issue, but I still think it is better to use SOCK_STREAM. Here is my post from 1999 when the change occurred: http://www.security-express.com/archives/bugtraq/1999-q4/0071.html and the problems which the change caused: http://marc.theaimsgroup.com/?l=sysklogd&m=96989685607952&w=2

So I still think it is better to use SOCK_STREAM for /dev/log, albeit you can decide it yourself.

--
Bazsi
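The probe order the strace above shows (SOCK_DGRAM first, then SOCK_STREAM on EPROTOTYPE) is easy to reproduce outside of logger, and doing so is a useful check that log clients will actually reach the daemon, since a client that lacks the fallback simply loses its messages when the socket type does not match. The following is an added example written for this thread, not code from the list posters or from syslog-ng; it is Python and runs entirely against a temporary socket path that stands in for /dev/log (the path, the sample line and the helper names are assumptions). It opens a listener as unix_stream and then as unix_dgram, sends one syslog-style line through the same dgram-then-stream probe that logger uses, and shows the framing difference a stream source has to deal with: datagrams arrive as whole messages, a stream needs a delimiter.

```python
import errno
import os
import socket
import tempfile

# Constructed sample line, shaped like the one logger sent in the strace above.
SAMPLE = b"<13>Feb  2 11:21:28 phil: test message"


def open_log_socket(path):
    """Mimic what logger/libc do: try SOCK_DGRAM first, fall back to SOCK_STREAM.

    Returns (kind, connected socket) or (None, None) if neither connect() works."""
    for kind, sock_type in (("dgram", socket.SOCK_DGRAM),
                            ("stream", socket.SOCK_STREAM)):
        s = socket.socket(socket.AF_UNIX, sock_type)
        try:
            s.connect(path)
            return kind, s
        except OSError as e:
            s.close()
            # EPROTOTYPE: path exists but is bound with the other type (what logger hit).
            # ENOENT / ECONNREFUSED: nothing is listening there at all.
            if e.errno not in (errno.EPROTOTYPE, errno.ENOENT, errno.ECONNREFUSED):
                raise
    return None, None


def probe_log_socket(path):
    """Report which type a daemon bound at `path`: 'dgram', 'stream' or None."""
    kind, s = open_log_socket(path)
    if s is not None:
        s.close()
    return kind


def bind_log_socket(path, sock_type):
    """Server side: bind `path` the way a daemon's unix_dgram / unix_stream source would."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, sock_type)
    srv.bind(path)
    if sock_type == socket.SOCK_STREAM:
        srv.listen(4)
    return srv


def send_with_fallback(path, payload):
    """Client side: deliver one line over whichever socket type the probe connected.

    Returns (kind, bytes_sent); raises if the socket could not be opened either way."""
    kind, s = open_log_socket(path)
    if s is None:
        raise OSError(errno.ENOENT, "no syslog socket reachable at %s" % path)
    try:
        # A stream carries no record boundaries, so the message needs a framing
        # byte; a datagram is delivered as one whole message and needs none.
        if kind == "stream":
            payload += b"\n"
        return kind, s.send(payload)
    finally:
        s.close()


def receive_one(srv, sock_type):
    """Server side: read one message (a stream listener must accept() first)."""
    if sock_type == socket.SOCK_STREAM:
        conn, _ = srv.accept()
        try:
            return conn.recv(4096)
        finally:
            conn.close()
    return srv.recv(4096)


def demo():
    """Probe and deliver against a unix_stream listener, then a unix_dgram one."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "log")  # constructed stand-in for /dev/log
    results = {}
    try:
        for label, sock_type in (("unix_stream", socket.SOCK_STREAM),
                                 ("unix_dgram", socket.SOCK_DGRAM)):
            srv = bind_log_socket(path, sock_type)
            try:
                kind, n = send_with_fallback(path, SAMPLE)
                results[label] = (kind, n, receive_one(srv, sock_type))
            finally:
                srv.close()
                os.unlink(path)
        # Nothing bound here: both probes fail and the caller learns that, instead
        # of the message being dropped on the floor.
        results["missing"] = probe_log_socket(os.path.join(d, "absent"))
    finally:
        os.rmdir(d)
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

Run as a script it prints one line per listener type; pointing probe_log_socket() at a real /dev/log tells you which source type the running daemon actually opened, which is the quickest way to confirm that a client without the fallback (or a configuration that changed from unix_dgram to unix_stream) still gets its messages through.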