logging to a named pipe?
Hi -

I would like to use syslog-ng to log priority info kernel messages to a named pipe, and I seem to have an issue with defining a correct filter. This config works:

    destination psadpipe { pipe("/var/lib/psad/psadfifo"); };
    filter f_kerninfo { level(info); };
    log { source(src); filter(f_kerninfo); destination(psadpipe); };

We can see that it works because syslog-ng has opened the named pipe under the output of lsof:

    # lsof |grep psadfifo
    syslog-ng 22675 root 8u FIFO 3,3 699187 /var/lib/psad/psadfifo

However, the above config should really use the filter:

    filter f_kerninfo { facility(kern) and level(info); };

But, the addition of the kern facility in the filter seems to cause syslog-ng to not open the named pipe (lsof returns nothing).

Not being intimately familiar with syslog-ng, can anyone give me any pointers? I'm running syslog-ng 1.6.4 on Gentoo Linux.

Thanks,

--Mike

Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
Michael Rash <mbr@cipherdyne.org> - Wed, Sep 01, 2004:
> I would like to use syslog-ng to log priority info kernel messages to a named pipe, and I seem to have an issue with defining a correct filter. But, the addition of the kern facility in the filter seems to cause syslog-ng to not open the named pipe (lsof returns nothing).

Where are your kernel messages coming from? Do they really have the "kern" facility?

--
Loïc Minier <lool@dooz.org>
On Sep 02, 2004, Loic Minier wrote:
> Michael Rash <mbr@cipherdyne.org> - Wed, Sep 01, 2004:
>> I would like to use syslog-ng to log priority info kernel messages to a named pipe, and I seem to have an issue with defining a correct filter. But, the addition of the kern facility in the filter seems to cause syslog-ng to not open the named pipe (lsof returns nothing).
>
> Where are your kernel messages coming from? Do they really have the "kern" facility?

Well, I think that kernel messages do come from the kern facility (is this configurable?). The strange thing is that using either of the following two filters works perfectly:

    filter f_kerninfo { facility(kern); };

or

    filter f_kerninfo { level(info); };

But, when I combine the filters with an "and" like:

    filter f_kerninfo { facility(kern) and level(info); };

syslog-ng seems to not be able to open the named pipe. Why does the "and" condition matter? The syslog-ng reference manual seems to indicate that it should support this.

--Mike

Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
On Thu, 2004-09-02 at 04:49, Michael Rash wrote:
> Hi -
>
> I would like to use syslog-ng to log priority info kernel messages to a named pipe, and I seem to have an issue with defining a correct filter.
>
> This config works:
>
>     destination psadpipe { pipe("/var/lib/psad/psadfifo"); };
>     filter f_kerninfo { level(info); };
>     log { source(src); filter(f_kerninfo); destination(psadpipe); };
>
> We can see that it works because syslog-ng has opened the named pipe under the output of lsof:
>
>     # lsof |grep psadfifo
>     syslog-ng 22675 root 8u FIFO 3,3 699187 /var/lib/psad/psadfifo
>
> However, the above config should really use the filter:
>
>     filter f_kerninfo { facility(kern) and level(info); };
>
> But, the addition of the kern facility in the filter seems to cause syslog-ng to not open the named pipe (lsof returns nothing).
The file is opened only when the first message hits the destination. So you'll need to generate a real kernel message, and then syslog-ng will open its destination.
> Not being intimately familiar with syslog-ng, can anyone give me any pointers? I'm running syslog-ng 1.6.4 on Gentoo Linux.
>
> Thanks,
>
> --Mike
>
> Michael Rash
> http://www.cipherdyne.org/
> Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
>
> _______________________________________________
> syslog-ng maillist - syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
-- Bazsi
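As an added example (not code from the thread or from syslog-ng itself), here is a small Python model of the behaviour Bazsi describes: the PRI field of each message decodes into a facility and a level, the combined filter passes only messages carrying the kern facility and the info level, and the pipe() destination is not opened until the first such message is delivered, which is why lsof shows nothing until then. A plain file in a temporary directory stands in for the FIFO, and the sample messages are constructed.

```python
import os
import tempfile

# RFC 3164 encodes PRI as facility * 8 + severity (names as syslog-ng spells them).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5}
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
          "notice": 5, "info": 6, "debug": 7}

def parse_pri(msg):
    """Return (facility, severity) numbers from a "<PRI>..." syslog line."""
    return divmod(int(msg[1:msg.index(">")]), 8)

def make_filter(facility=None, level=None):
    """Predicate for 'facility(X) and level(Y)'; a None term matches anything.
    A bare level() in syslog-ng matches that single priority (ranges use a..b)."""
    def matches(msg):
        fac, sev = parse_pri(msg)
        return ((facility is None or fac == FACILITIES[facility]) and
                (level is None or sev == LEVELS[level]))
    return matches

class PipeDestination:
    """Stand-in for pipe("/var/lib/psad/psadfifo"): opened on the first write only."""
    def __init__(self, path):
        self.path, self.fd = path, None
    def write(self, msg):
        if self.fd is None:  # lazy open: why lsof shows nothing before a match
            self.fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        os.write(self.fd, msg.encode() + b"\n")

def run_log_path(messages, flt, dest):
    """The log {} statement: deliver messages passing the filter, return the count."""
    matched = [m for m in messages if flt(m)]
    for m in matched:
        dest.write(m)
    return len(matched)

def demonstrate():
    """Replay the thread: is the destination open after each constructed batch?"""
    with tempfile.TemporaryDirectory() as tmp:
        dest = PipeDestination(os.path.join(tmp, "psadfifo"))  # plain file, not a FIFO
        f_kerninfo = make_filter("kern", "info")
        states = [dest.fd is not None]
        for batch in (["<14>sshd[417]: session opened"],              # user.info
                      ["<4>kernel: martian source 192.0.2.9"],        # kern.warning
                      ["<6>kernel: IN=eth0 SRC=192.0.2.10 DPT=22"]):  # kern.info
            run_log_path(batch, f_kerninfo, dest)
            states.append(dest.fd is not None)
        os.close(dest.fd)
        return states  # [False, False, False, True]
```

With facility(kern) alone the kern.warning line would already have opened the file, which is exactly the difference the original poster saw between the single and the combined filter.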