Aw crap. Forget all this. I looked at it again, and anyone would be able to DoS sec.pl using logger. ::sigh:: It looks like signal propagation from syslog-ng to sec.pl is the right way of doing this. -- "Computer science is as much about computers as astronomy is about telescopes" -- Edsger Dijkstra --------------------------------------------------------- Anthony Tonns, UNIX Administrator - atonns@mail.ivillage.com

-----Original Message----- From: atonns@mail.ivillage.com [mailto:atonns@mail.ivillage.com] Sent: Thursday, April 29, 2004 12:13 PM To: syslog-ng@lists.balabit.hu Subject: RE: [syslog-ng]cannot get sec.pl to exit after syslog-ng does

After a night of sleeping on it, I came up with a alternate solution - have SEC detect restarts of syslog-ng. Below is the result. The only fuzzy part is in the sec-cleanup.pl script below - what to do if you don't get a TERM signal from sec.pl. I don't think using "logger" is the best idea since things are restarting, etc. etc. I _guess_ it could send email out. In reality, it's all up to the end user.

### syslog-ng.conf ###

source s_src { sun-stream("/dev/log" door("/etc/.syslog_door")); tcp(max-connections(1024)); udp(); internal(); };

destination d_sec { program("/usr/local/sbin/sec.pl -intevents -input=\"-\" -conf=/usr/local/etc/sec.conf"); };

log { source(s_src); destination(d_sec); };

### sec.conf ###

type=Single continue=TakeNext ptype=RegExp pattern=syslog-ng version .+ going down desc=syslog-ng shutdown action= shellcmd /usr/local/sbin/sec-cleanup.pl

type=Single continue=TakeNext ptype=RegExp pattern=SIGHUP received, restarting syslog-ng desc=syslog-ng restart action= shellcmd /usr/local/sbin/sec-cleanup.pl

### sec-cleanup.pl ###

#!/usr/local/bin/perl -w # # sec-cleanup.pl # # ATonns Thu Apr 29 11:42:10 EDT 2004 # # $Id$ #

use strict; my $PROGNAME="sec-cleanup.pl"; my $waittime = 10; # in seconds

## CODE ##

my $pid = $$; my $ppid = getppid; $SIG{'TERM'} = sub { print STDOUT localtime(time) . " ${PROGNAME}\[$pid\]: got TERM signal, exiting gracefully.\n"; exit(0); }; print STDOUT localtime(time) . " ${PROGNAME}\[$pid\]: killing parent $ppid\n"; kill('TERM',$ppid); sleep($waittime); print STDOUT localtime(time) . " ${PROGNAME}\[$pid\]: not good - timed out waiting for TERM signal. Exiting.\n"; exit(1);

-- "Computer science is as much about computers as astronomy is about telescopes" -- Edsger Dijkstra --------------------------------------------------------- Anthony Tonns, UNIX Administrator - atonns@mail.ivillage.com iVillage Inc., 500 Seventh Avenue, New York, NY 10018 - iVillage Inc. is a leading women's media company that includes iVillage.com, Women.com, gURL.com, Astrology.com, Promotions.com, iVillage Parenting Network, The Newborn Channel, Lamaze Publishing, Business Women's Network, Diversity Best Practices, Best Practices in Corporate Communications, and iVillage Consulting. The information contained in this communication may be confidential, is intended only for the use of the recipient named above, and may be construed under applicable law to be a commercial email. If you have received this communication in error, please delete this message from your computer system. If you are the recipient named above and do not wish to receive any future commercial emails, please reply to the sender with a message stating such preference. _______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html

iVillage Inc., 500 Seventh Avenue, New York, NY 10018 - iVillage Inc. is a leading women's media company that includes iVillage.com, Women.com, gURL.com, Astrology.com, Promotions.com, iVillage Parenting Network, The Newborn Channel, Lamaze Publishing, Business Women's Network, Diversity Best Practices, Best Practices in Corporate Communications, and iVillage Consulting. The information contained in this communication may be confidential, is intended only for the use of the recipient named above, and may be construed under applicable law to be a commercial email. If you have received this communication in error, please delete this message from your computer system. If you are the recipient named above and do not wish to receive any future commercial emails, please reply to the sender with a message stating such preference.