On Thu, 2011-02-17 at 16:02 +0100, Valentijn Sessink wrote:
Hello list,
As most of the functionality of "sshguard", "fail2ban" and others is in syslog-ng, I'm trying to use syslog-ng to add entries to my Linux kernel based firewall (iptables).
I'm almost ready to implement one, but I have a question about undeliverable log lines: what happens if a certain file() destination blocks? Will syslog-ng retry to deliver the same message, or will it lose the message?
What I'm doing is using the "ipt_recent" module; with this module, one can check if a certain IP address was seen before. For example, the following rule will block you if you were seen 5 or more times ("hitcount 5") in the "violators" list in the last minute ("seconds 60"):
iptables -A INPUT -m recent --rcheck --hitcount 5 --seconds 60 --name violators -j DROP
The fun part is that you can add IP addresses by stuffing them into a file in /proc: echo '+127.0.0.1' > /proc/net/xt_recent/violators ... will add 127.0.0.1 to the "violators" list with the current time.
However: echo 'whatever' > /proc/net/xt_recent/violators ... gives an error: Invalid argument (22)
As far as I can see, syslog-ng will not try again to deliver the same message; but is this by design? I.e. can I trust syslog-ng to not "block" because of a single malformed IP address?
If a write error occurs, syslog-ng suspends the destination in question for time_reopen() amount of time, then tries the last unsuccessful write again, which will probably cause the same error message to be returned... Do you perhaps have a suggestion what we should do instead? Bear in mind that we have to handle ENOSPC (=disk full) errors properly. -- Bazsi
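One way to keep the two cases in this thread apart on the writer side, as an added example that is neither syslog-ng code nor Valentijn's setup: malformed lines (the ones xt_recent answers with EINVAL) are dropped rather than retried, while a transient error such as ENOSPC defers the rest of the batch for a later retry. It assumes an IPv4 "violators" list, one write() per entry, and a constructed sample batch written to a temporary file for the offline demo.

```python
import errno
import ipaddress
import os
import tempfile

# Path from the post; the list name "violators" matches the iptables rule.
XT_RECENT_PATH = "/proc/net/xt_recent/violators"

# Constructed sample batch: two valid entries, one junk token, one IPv6, one bogus octet.
SAMPLE_LINES = ["203.0.113.7", "whatever", " 198.51.100.9 ", "2001:db8::1", "256.1.1.1"]


def to_xt_recent_entry(line):
    """Turn one token into an xt_recent '+<addr>' command, or None if it is not an address.
    xt_recent returns EINVAL (errno 22) for anything else, so such lines are dropped here."""
    try:
        addr = ipaddress.ip_address(line.strip())
    except ValueError:
        return None
    if addr.version != 4:  # assumption: the list is IPv4-only (ipt_recent)
        return None
    return "+" + str(addr)


def push_entries(lines, path=XT_RECENT_PATH):
    """Write valid entries, one write() each (xt_recent parses every write as a command).
    Returns (written, skipped, deferred): skipped lines must never be retried,
    deferred lines hit a transient error (e.g. ENOSPC) and should be retried later."""
    written, skipped, deferred = [], [], []
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    try:
        for i, line in enumerate(lines):
            entry = to_xt_recent_entry(line)
            if entry is None:
                skipped.append(line)
                continue
            try:
                os.write(fd, (entry + "\n").encode())
            except OSError as exc:
                if exc.errno == errno.EINVAL:  # kernel rejected the entry: drop it
                    skipped.append(line)
                    continue
                deferred.extend(lines[i:])  # ENOSPC/EIO etc.: keep the rest for retry
                break
            written.append(entry)
    finally:
        os.close(fd)
    return written, skipped, deferred


def demo(lines):
    """Run push_entries against a temporary regular file instead of /proc (offline demo)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        result = push_entries(lines, path)
        with open(path) as fh:
            return result, fh.read()
    finally:
        os.unlink(path)
```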