On Sun, Mar 02, 2003 at 07:20:29AM +1300, Harry Hoffman wrote:
Hmmm, that's quite interesting, as all of these strange directories are created from Solaris hosts running Sun's syslogd. Are you seeing the same thing? I don't see this behaviour on the Linux machines, but I do - very rarely - see it on the NT/2k/XP machines running NT-syslog.
Solaris syslogd (and SVR4 in general, I think) sends syslog messages across the network sans hostname, but everything else intact[1]. Under some unknown circumstances syslog-ng doesn't rewrite the hostname as it is supposed to, as evidenced by your directories with names like SCSI, etc. Since it only happens over UDP (for me anyways), that might be a clue for someone inspecting the code. I'd say roll out syslog-ng to all your Solaris hosts. I'm certainly glad I did[2].

1. Notes on syslog formats: http://cert.uni-stuttgart.de/archive/loganalysis/2002/01/msg00021.html

2. My notes on replacing Solaris syslogd (2.6 - 2.9) with syslog-ng:

Compile syslog-ng on a 2.6 box and push it out to all same and newer releases; binary compatibility handles it fine.

For 2.6-2.8, modify /usr/lib/newsyslog to 'kill -HUP `cat /var/run/syslog-ng.pid`' instead of (IIRC) /etc/syslog.pid, and for sol9 do the same to the lines in /etc/logadm.conf (s|/var/run/syslog.pid|/var/run/syslog-ng.pid|).

Remove any loghost lines from /etc/syslog.conf in case some intruder is too stupid to notice you're not running syslogd. You could use Lance Spitzner's tricks to hide your syslog-ng.conf if you're really paranoid; search the web if you're interested.

Modify /etc/init.d/syslog (/etc/rc2.d/S74syslog) to start syslog-ng instead of syslogd, and you should also add a "reload" line that just does the 'kill -HUP `cat /var/run/syslog-ng.pid`'.

I think that's all of it; it's not really very complicated, you just need some automated way of doing it on all hosts reliably. I use cfengine to ensure all my hosts are set up properly.

--
Nate Campi http://www.campin.net
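The syslogd-to-syslog-ng file edits described in the reply above, as an added shell example that is not part of the original thread or of anyone's cfengine setup. It rehearses the edits against a constructed Solaris-like tree under a temporary directory rather than on a live host, which is how you would check the sed expressions before pushing them out. The syslog-ng binary path (/usr/local/sbin/syslog-ng), the minimal init script, the sample file contents and the assumption that forwarding lines in syslog.conf can be recognised by "@loghost" are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): apply the edits Nate lists when
# replacing Solaris syslogd with syslog-ng, parameterised on a root directory
# so they can be rehearsed on a copy before rolling out to real hosts.
# Paths, init-script contents and sample files are assumptions.

NG_PID=/var/run/syslog-ng.pid

# Rewrite a file in place portably (Solaris sed has no -i).
edit_in_place() {           # edit_in_place FILE SED_ARGS...
    target=$1; shift
    sed "$@" "$target" > "$target.tmp" && mv "$target.tmp" "$target"
}

# 1. Log rotation: point newsyslog (2.6-2.8) and logadm.conf (sol9) at the
#    syslog-ng pid file so their post-rotate HUP reaches the right daemon.
fix_rotation_pids() {       # fix_rotation_pids ROOT
    for f in "$1/usr/lib/newsyslog" "$1/etc/logadm.conf"; do
        [ -f "$f" ] || continue
        edit_in_place "$f" -e "s|/etc/syslog\.pid|$NG_PID|g" \
                           -e "s|/var/run/syslog\.pid|$NG_PID|g"
    done
}

# 2. Drop forwarding lines from syslog.conf so an intruder reading it does
#    not learn where logs go (assumption: forwarders mention "@loghost").
strip_loghost() {           # strip_loghost ROOT
    f="$1/etc/syslog.conf"
    [ -f "$f" ] || return 0
    edit_in_place "$f" -e '/@loghost/d'
}

# 3. Init script: start syslog-ng instead of syslogd and add a reload target
#    that just HUPs it. Written from scratch here (hypothetical minimal
#    script) because the real S74syslog differs by release.
write_init_script() {       # write_init_script ROOT
    mkdir -p "$1/etc/init.d"
    cat > "$1/etc/init.d/syslog" <<EOF
#!/sbin/sh
case "\$1" in
start)  /usr/local/sbin/syslog-ng ;;
stop)   [ -f $NG_PID ] && kill \`cat $NG_PID\` ;;
reload) [ -f $NG_PID ] && kill -HUP \`cat $NG_PID\` ;;
*)      echo "Usage: \$0 { start | stop | reload }"; exit 1 ;;
esac
exit 0
EOF
    chmod 744 "$1/etc/init.d/syslog"
}

convert_host() {            # convert_host ROOT
    fix_rotation_pids "$1"
    strip_loghost "$1"
    write_init_script "$1"
}

# Constructed Solaris-like tree (sample contents, not copied from a real host)
# in a temp dir; prints the directory and leaves it in place for inspection.
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib" "$root/etc"
    cat > "$root/usr/lib/newsyslog" <<'EOF'
#!/sbin/sh
kill -HUP `cat /etc/syslog.pid`
EOF
    cat > "$root/etc/logadm.conf" <<'EOF'
/var/log/syslog -C 8 -a 'kill -HUP `cat /var/run/syslog.pid`'
EOF
    cat > "$root/etc/syslog.conf" <<'EOF'
*.err;kern.notice;auth.notice		/dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit	/var/adm/messages
*.err;kern.notice;auth.notice		@loghost
mail.debug			ifdef(`LOGHOST', /var/log/syslog, @loghost)
EOF
    echo "$root"
}

DEMO_ROOT=$(make_demo_root)
convert_host "$DEMO_ROOT"
echo "converted tree under $DEMO_ROOT:"
for f in usr/lib/newsyslog etc/logadm.conf etc/syslog.conf etc/init.d/syslog; do
    echo "--- $f"; cat "$DEMO_ROOT/$f"
done
```

Run it once on the constructed tree, check the printed files, then call convert_host / with whatever pushes the change to the fleet. Note that the m4 ifdef(`LOGHOST', ...) line in Solaris syslog.conf also mentions @loghost and so is dropped too; that is harmless once syslogd no longer runs, but it is why the expression should be tried on a copy first.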