As a feature request / bonus to this conversation, has any investigation been done into adding create fifo ability to the pipe source driver? I'm sure that everyone could benefit from pipes that are created and torn down by syslog-ng, so that unless syslog-ng is holding the pipe open and holding ownership of the pipe, the pipe does not exist. This would be an extra added bonus on the security front.

It's an OK fix to have the pipe created by the startup script and even torn down by that same script; however, if for some reason syslog-ng crashes or an administrator thinks it's a good idea to just kill off the process, that pipe hangs around and is a potential security risk.

It's just an idea. Maybe someone can run with it.

William Bell II
CWIE Security

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Evan Rempel
Sent: Wednesday, March 22, 2006 10:21 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Creating a named pipe (FIFO)

We do the opposite. We wanted to use the message matching rules of syslog-ng to essentially rewrite the facility.level (priority) of messages and then log them again.

To accomplish this, we have a "normal" syslog-ng running that listens on the localhost:514 port that then logs to the local files, and to a central syslog-ng server.

We then start a second instance of syslog-ng within the startup script for the applications, such as apache.

- check for and create the named pipe(s)
- start syslog-ng specific to this application
- start the application that logs to the named pipe(s)

This instance of syslog-ng parses the messages and relogs via syslog to localhost with a new set of priorities. This allows local syslog files to contain the appropriate facility.level of messages as well as our central syslog-ng server.

It also allows for a very complicated set of match rules for a given application without making an overly complicated syslog-ng configuration file. Basically you end up with one configuration file per application.

This is just our syslog architecture, so your mileage may vary.

Evan.

On Wed, 22 Mar 2006, Cary, Kim wrote:
Date: Wed, 22 Mar 2006 09:11:26 -0800
From: "Cary, Kim" <Kim.Cary@pepperdine.edu>
Reply-To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Creating a named pipe (FIFO)

We create our pipes by placing the appropriate commands in the syslog-ng startup file (/etc/init.d/syslog-ng).
[Actually, we test to see if the pipe already exists; if not, we create it. We do this creation in /var/run and here the pipe needs to be recreated after every boot. We don't want to recreate it when we restart the process (syslog-ng) that is feeding it, since recreating it requires us to bounce the process that is reading from it (fisq.pl)].
Kim Cary Infrastructure Security Administrator M-F 7-4 ~ 310 506 6655
--
Evan Rempel erempel@uvic.ca
Senior Programmer Analyst 250.721.7691
Computing Services
University of Victoria
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
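
The "check for and create the named pipe" step of the startup scripts described in this thread, together with the teardown raised in the feature request, as an added example that is not code from any of the posters or from syslog-ng. The function names `ensure_fifo` and `remove_fifo` and the default mode 0600 are assumptions.

```shell
#!/bin/sh
# Added example: create-or-verify a FIFO before syslog-ng and the application
# are started. Function names and the default mode are assumptions.

# ensure_fifo PATH [MODE]
# Creates PATH as a FIFO if it is absent; otherwise accepts it only if it is
# already a FIFO owned by the calling user. Returns 0 on success, 1 otherwise.
ensure_fifo() {
    path=$1
    mode=${2:-0600}

    # [ -p ] follows symlinks, so reject links explicitly: a leftover or
    # pre-planted link would send the log stream somewhere unintended.
    if [ -L "$path" ]; then
        echo "ensure_fifo: $path is a symlink, refusing" >&2
        return 1
    fi

    if [ -e "$path" ]; then
        if [ ! -p "$path" ]; then
            echo "ensure_fifo: $path exists but is not a FIFO" >&2
            return 1
        fi
        if [ ! -O "$path" ]; then
            echo "ensure_fifo: $path is not owned by this user" >&2
            return 1
        fi
        # Keep the existing pipe so the reader does not have to be bounced;
        # only reset its permissions.
        chmod "$mode" "$path" || return 1
        return 0
    fi

    # mkfifo fails if the name appears between the test above and this call,
    # so a race cannot make the script adopt an object it did not create.
    mkfifo -m "$mode" "$path" || return 1
}

# remove_fifo PATH: teardown for the stop action; deletes only a real FIFO.
remove_fifo() {
    if [ -p "$1" ] && [ ! -L "$1" ]; then
        rm -f "$1"
    fi
}
```

Calling `remove_fifo` from the init script's stop action does not cover a crash or a `kill -9` of syslog-ng, so the ownership and type checks in `ensure_fifo` are what deal with a pipe left behind by the previous run.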