On Sat, 2011-02-12 at 22:56 +0000, Alexander Clouter wrote:
> Gergely Nagy <algernon@balabit.hu> wrote:
> [snipped sendmail approach]
>> Yes, that's a possibility, indeed, but that assumes one has a sendmail command installed.
> For those crazy enough to run syslog-ng on a non-sendmail environment, there are alternatives:

Sadly, that does not run on my router.

>> * Tighter integration with syslog-ng allows for easier troubleshooting: one only has to look at one place
> It does not answer "where did my email alert go?" Did syslog eat it? Did the smarthost toast it? Was it lost further upstream?

Of course it does not make me able to troubleshoot issues beyond the box itself, but it does make it easier to see whether the message left the system at all, as I only have to look at syslog-ng's debug output, and don't have to hunt down wherever sendmail logged to.

>> * Safer: If $MSG happens to be multi-line, and one manages to craft a message with an embedded "\r\n.\r\n", we're in trouble. Similar things could be done to the headers as well. Of course, that can be guarded against, but then the program destination becomes considerably different, and one would need a wrapper program. Or escaping template functions (which would be useful, if we don't have any yet..)
> No need to guard against it, add support into syslog-ng to send EOF at the end of each message and you use that as your magic marker instead.

Well, consider a log message sent by a malicious client: "blahblah\r\n.\r\nmail from:<>\r\nrcpt to:<somewhere@example.com>\r\ndata\r\nblahblah\r\n.\r\n" As far as I remember, the syslog protocol (the new one) allows embedded newlines, so such messages should be accounted for, one way or the other.

>> That, and having the option to do it without an external program was one of the driving forces behind the code (I really, really don't like calling external programs, if I can avoid it).
> Probably time to stop using UNIX :P

I only use unix to boot into emacs. I guess it shows. ;)

--
|8]
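The escaping the thread talks about (guarding an SMTP DATA stream against a log message that carries its own "\r\n.\r\n" terminator, and headers against embedded line breaks) looks like this in practice. This is an added example, not syslog-ng's own code nor the wrapper program the thread mentions; the function names are mine, and the hostile message is the one quoted above, embedded here as constructed input. It applies the dot-stuffing rule of RFC 5321 section 4.5.2 to the body, folds CR/LF out of header values, and then plays the receiving MTA's side to show the original text arrives intact while the smuggled "mail from"/"rcpt to"/"data" lines stay inside the body as plain data.

```python
# Added example (not syslog-ng's code): escape an untrusted log message before
# writing it into an SMTP DATA stream, so an embedded "\r\n.\r\n" cannot end
# the message early and whatever follows it cannot be read as SMTP commands.
import re

CRLF = "\r\n"
_LINE_BREAK = re.compile(r"\r\n|\r|\n")

# Constructed input: the hostile log message quoted in the thread.
MALICIOUS_MSG = (
    "blahblah\r\n.\r\nmail from:<>\r\nrcpt to:<somewhere@example.com>"
    "\r\ndata\r\nblahblah\r\n.\r\n"
)


def escape_smtp_body(msg: str) -> str:
    """Normalise line endings to CRLF and dot-stuff (RFC 5321 section 4.5.2).

    Every line that begins with "." gets a second "." prepended, so the only
    line consisting of a lone "." is the terminator the sender appends itself.
    """
    lines = _LINE_BREAK.split(msg)
    stuffed = [("." + line) if line.startswith(".") else line for line in lines]
    body = CRLF.join(stuffed)
    if not body.endswith(CRLF):
        body += CRLF
    return body


def escape_header_value(value: str) -> str:
    """Fold CR/LF in a header value into a space so it cannot start a new header line."""
    return re.sub(r"[\r\n]+", " ", value).strip()


def build_data_payload(headers: dict, msg: str) -> str:
    """Return everything the sender transmits after DATA, terminator included."""
    head = []
    for name, value in headers.items():
        # Header field names are printable ASCII without ":" (RFC 5322 field-name).
        if not re.fullmatch(r"[!-9;-~]+", name):
            raise ValueError(f"invalid header name: {name!r}")
        head.append(f"{name}: {escape_header_value(value)}")
    return CRLF.join(head) + CRLF + CRLF + escape_smtp_body(msg) + "." + CRLF


def terminator_lines(payload: str) -> int:
    """Count the lines a receiving MTA would treat as end-of-data; must be 1."""
    return sum(1 for line in payload.split(CRLF) if line == ".")


def receive_data(payload: str) -> tuple:
    """Simulate the receiving MTA: split headers from body, stop at the lone ".",
    and strip the leading dot the sender stuffed in (RFC 5321 section 4.5.2).
    Returns (header_lines, body) with every body line CRLF-terminated."""
    lines = payload.split(CRLF)
    blank = lines.index("")          # first empty line separates headers from body
    headers = lines[:blank]
    body = []
    for line in lines[blank + 1:]:
        if line == ".":
            break
        body.append(line[1:] if line.startswith(".") else line)
    return headers, CRLF.join(body) + CRLF


if __name__ == "__main__":
    payload = build_data_payload(
        {"From": "syslog@example.com",
         "Subject": "alert\r\nBcc: attacker@example.com"},   # constructed header injection
        MALICIOUS_MSG,
    )
    print(payload)
    headers, body = receive_data(payload)
    print("terminators:", terminator_lines(payload))
    print("round-trip intact:", body == MALICIOUS_MSG)
```

The receiving side removes the stuffed dot again, so the alert text reaches the mailbox unchanged; what changes is only that no line inside the body can be mistaken for the end of DATA, and no header value can grow a second header line. The same split-then-stuff step is what a wrapper in front of a program destination would have to do per message.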