Hi Alex!
When syslog-ng is running as root and you see permission access problems, it's most likely due to Linux capabilities [1].
Even running as root, syslog-ng is dropping most of its capabilities, unless they are configured with the --caps command line option.
The easiest solution, if you don't need Linux capabilities, is to use the "--no-caps" command line option of syslog-ng (put it into syslog-ng's service file for permanent setup).
If you would like to use Linux capabilities and tune syslog-ng to use the necessary capabilities, I recommend one of our blog posts as a starting point:
https://www.syslog-ng.com/community/b/blog/posts/working-around-linux-capabilities-problems-for-syslog-ng
I'll add some error messages to usertty() driver to detect future issues.
Regards,
Gabor
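Why a root-owned process can still get EACCES on a tty, as an added example (not part of the original thread and not syslog-ng's code): once CAP_DAC_OVERRIDE is missing from the effective set, root is subject to the ordinary owner/group/other mode check. The `/proc/PID/status` excerpt, the 620 mode, the uid values and the function names are constructed assumptions; bit 1 is CAP_DAC_OVERRIDE in linux/capability.h.

```shell
#!/bin/sh
CAP_DAC_OVERRIDE=1   # bit number from linux/capability.h

# Constructed excerpt of /proc/PID/status for a root process that has
# dropped CAP_DAC_OVERRIDE from its effective set (sample, not captured).
sample_status() {
cat <<'EOF'
Name:   syslog-ng
Uid:    0       0       0       0
CapPrm: 0000000400002c0f
CapEff: 0000000400000000
EOF
}

# cap_mask FIELD < status-file : print the hex mask of CapEff, CapPrm, ...
cap_mask() {
    awk -v f="$1:" '$1 == f { print $2 }'
}

# has_cap HEXMASK BIT : succeed if capability bit BIT is set in HEXMASK
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# can_write EUID CAPEFF OWNER_UID MODE IN_GROUP(0|1)
# Mirrors the kernel's DAC check for opening a non-directory for writing.
can_write() {
    euid=$1 eff=$2 owner=$3 mode=$(( 0$4 )) in_group=$5
    has_cap "$eff" "$CAP_DAC_OVERRIDE" && return 0   # capability bypasses mode bits
    if [ "$euid" -eq "$owner" ]; then bits=$(( mode >> 6 ))
    elif [ "$in_group" -eq 1 ]; then bits=$(( mode >> 3 ))
    else bits=$mode
    fi
    [ $(( bits & 2 )) -ne 0 ]
}

# Demo: same process, tty owned by uid 1000 versus owned by root (uid 0).
eff=$(sample_status | cap_mask CapEff)
for owner in 1000 0; do
    if can_write 0 "$eff" "$owner" 620 0; then r=ok; else r=EACCES; fi
    echo "euid=0 CapEff=$eff tty owner uid=$owner mode=620: $r"
done
```

On a live host, feed it real values with `cap_mask CapEff < /proc/$(pidof syslog-ng)/status` and `stat -c '%u %a' /dev/ttyS0`.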
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Alexandre Santos <alexandre.rosas.santos@gmail.com>
Sent: Monday, November 2, 2020 17:21
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Using usertty
Hi Gabor,
Do you have some news regarding this issue?
Another update from my side is that if I log in as root in the serial console, I am able to get the notifications:
[pid 4155] openat(AT_FDCWD, "/dev/ttyS0", O_WRONLY|O_NOCTTY|O_APPEND|O_NONBLOCK) = 18</dev/ttyS0<char 4:64>>
[pid 4155] write(18</dev/ttyS0<char 4:64>>, "2020 Nov 2 16:14:35 debian10st Entry local0.crit 2020-11-02T16:14:35,489343700+00:00\n", 86) = 86
[pid 4155] close(18</dev/ttyS0<char 4:64>>) = 0
root@debian10st:/home/thanos# w thanos
16:19:50 up 6 days, 24 min, 4 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
thanos pts/0 10.0.2.2 26Oct20 6:14 0.07s 1.85s sshd: thanos [priv]
thanos pts/1 10.0.2.2 26Oct20 6:37 0.12s 1.87s sshd: thanos [priv]
thanos pts/2 10.0.2.2 26Oct20 0.00s 0.05s 1.93s sshd: thanos [priv]
root@debian10st:/home/thanos# w root
16:20:15 up 6 days, 24 min, 4 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root ttyS0 - 16:14 13.00s 0.01s 0.01s -bash
Any help appreciated.
Thanks,
Alex
On Wed, Oct 28, 2020 at 5:24 PM Alexandre Santos <alexandre.rosas.santos@gmail.com> wrote:
Hi Gabor,
Thanks for your help, testing with echo "test" is working fine (check below), but with usertty, I still have the same problem.
Furthermore, I tried strace and saw the following:
[pid 2177] rt_sigaction(SIGALRM, {sa_handler=0x7fa889b23e10, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fa889541840}, NULL, 8) = 0
[pid 2177] write(2</dev/pts/1<char 136:1>>, "[2020-10-28T17:15:36.178232] Posting message to user terminal; user='thanos', line='/dev/ttyS0'\n", 96) = 96
[pid 2177] openat(AT_FDCWD, "/dev/ttyS0", O_WRONLY|O_NOCTTY|O_APPEND|O_NONBLOCK) = -1 EACCES (Permission denied)
Do you know why? I am launching syslog-ng as root. (full strace in attachment)
Regards,
Alex
thanos@debian10st:~$ echo test > /dev/ttyS0
test
root@debian10st:/home/thanos# who am i
thanos pts/1 2020-10-26 20:21 (10.0.2.2)
root@debian10st:/home/thanos# echo "test1" > /dev/pts/1
test1
root@debian10st:/home/thanos#
thanos@debian10st:~$ who am i
thanos pts/0 2020-10-26 20:21 (10.0.2.2)
thanos@debian10st:~$ echo "test0" > /dev/pts/0
test0
thanos@debian10st:~$
root@debian10st:/home/thanos# who am i
thanos pts/2 2020-10-26 20:26 (10.0.2.2)
root@debian10st:/home/thanos# echo "test2" > /dev/pts/2
test2
On Wed, Oct 28, 2020 at 3:33 PM Gabor Nagy (gnagy) <Gabor.Nagy@oneidentity.com> wrote:
Thanks for the info!
It looks good, messages should be seen on ssh and on serial console too.
Can you try out if you can write in the /dev/ttyS0 file (and/or the ssh login console, in your example /dev/pts/1) with a simple "echo test" command and see if it appears on the console, please?
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Alexandre Santos <alexandre.rosas.santos@gmail.com>
Sent: Tuesday, October 27, 2020 10:20
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Using usertty
Hi Gabor,
I am running a Debian buster in a VBox guest.
Can you check which terminals are the user 'thanos' logged in?
root@debian10st:/home/thanos# w thanos
09:15:47 up 22:00, 4 users, load average: 0.00, 0.02, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
thanos ttyS0 - Mon20 8:27 0.05s 0.04s -bash
thanos pts/0 10.0.2.2 Mon20 12:54m 0.03s 0.03s -bash
thanos pts/1 10.0.2.2 Mon20 12:50m 0.12s 0.18s sshd: thanos [priv]
thanos pts/2 10.0.2.2 Mon20 1.00s 0.04s 0.20s sshd: thanos [priv]
Here are the serial configurations:
root@debian10st:/home/thanos# stty -F /dev/ttyS0 -a
speed 9600 baud; rows 24; columns 80; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = <undef>;
discard = <undef>; min = 1; time = 0;
-parenb -parodd -cmspar cs8 hupcl -cstopb cread clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr -icrnl ixon ixoff -iuclc -ixany -imaxbel iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig -icanon -iexten -echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc
root@debian10st:/home/thanos# stty -F /dev/pts/0 -a
speed 38400 baud; rows 50; columns 184; line = 0;
intr = ^C; quit = ^\; erase = ^H; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = <undef>;
discard = <undef>; min = 1; time = 0;
-parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr -icrnl ixon -ixoff -iuclc ixany -imaxbel iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig -icanon iexten -echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc
root@debian10st:/home/thanos# stty -F /dev/pts/1 -a
speed 38400 baud; rows 50; columns 184; line = 0;
intr = ^C; quit = ^\; erase = ^H; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V;
discard = ^O; min = 1; time = 0;
-parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc ixany -imaxbel iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc
root@debian10st:/home/thanos# stty -F /dev/pts/2 -a
speed 38400 baud; rows 50; columns 184; line = 0;
intr = ^C; quit = ^\; erase = ^H; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V;
discard = ^O; min = 1; time = 0;
-parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc ixany -imaxbel iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc
Thanks,
Alex
On Mon, Oct 26, 2020 at 10:59 AM Gabor Nagy (gnagy) <Gabor.Nagy@oneidentity.com> wrote:
Hi Alex!
I've checked your attachments and I see that the messages are sent to pseudo-terminals and the serial port too:
[2020-10-23T16:40:20.647481] Posting message to user terminal; user='thanos', line='/dev/ttyS0'
[2020-10-23T16:40:20.647518] Posting message to user terminal; user='thanos', line='/dev/pts/0'
[2020-10-23T16:40:20.647530] Posting message to user terminal; user='thanos', line='/dev/pts/1'
[2020-10-23T16:40:20.647541] Posting message to user terminal; user='thanos', line='/dev/pts/2'
Can you check which terminals are the user 'thanos' logged in?
E.g. use the following command on the command line:
$ w thanos
If you don't see a tty with ssh login, that can explain it.
About the serial port, maybe it's misconfigured.
Syslog-ng uses simple open/write calls on the device files, e.g. /dev/ttyS0. Can you try out if you can write in the /dev/ttyS0 file with a simple "echo test" command, please?
Can you tell us a bit more about your host and how did you set up the serial port?
Regards,
Gabor
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Alexandre Santos <alexandre.rosas.santos@gmail.com>
Sent: Friday, October 23, 2020 17:46
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] Using usertty
Hi,
I am trying to use usertty(*) to send all log messages with severity equal to or higher than critical to every user logged in.
But I am not getting any messages in serial port or ssh.
I am sending the configurations and the debug log in attachment.
Can you help me to understand what is happening?
Thanks in advance,
Alex
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq