SEC and syslog-ng - stop the SEC process
Hi,

Not sure if I should ask this here or in the SEC forum...

Does anyone know how to stop an sec process that's called from syslog-ng?

i.e: when I issue an /etc/init.d/syslog-ng stop

I still have the following running:

root 28202 1 1 12:34 pts/1 00:00:00 /usr/bin/perl -w ...
root 28207 28202 0 12:34 pts/1 00:00:00 sh -c /usr/bin/tail -F /tmp/sec.log ...
root 28208 28207 0 12:34 pts/1 00:00:00 /usr/bin/tail -F /tmp/sec.log
root 28209 28202 0 12:34 pts/1 00:00:00 sh -c /usr/bin/tail -F /tmp/sec_reactive.log...
root 28210 28209 0 12:34 pts/1 00:00:00 /usr/bin/tail -F...

Here's my syslog-ng config:

destination d_sec {
    program("/www/svn/php-syslog-ng/scripts/sec/sec.pl -input=\"-\" -conf=/www/svn/php-syslog-ng/scripts/sec/001_proactive.conf -conf=/www/svn/php-syslog-ng/scripts/sec/002_reactive.conf -log=/var/log/php-syslog-ng/sec_run.log -intevents"
        template("$HOST\t$FACILITY\t$PRIORITY\t$LEVEL\t$TAG\t$YEAR-$MONTH-$DAY\t$HOUR:$MIN:$SEC\t$PROGRAM\t$MSG\n")
    );
};

# Tell syslog-ng to log to our new destination
log {
    source(s_all);
    destination(d_sec);
};

--
Clayton Dukes
If you manually kill sec (or perl with pid 28202 in the output below) with pkill or kill, Syslog-ng will start up another to replace it, so you would need some sort of lockfile added to sec.pl for the perl script to bail out on early if you want to have Syslog-ng continue to run without sec. Syslog-ng will kill (or TERM, to be precise) all child processes when you send it a TERM signal, so it should clean up after itself.

--Martin

On Sun, Jul 12, 2009 at 11:41 AM, Clayton Dukes<cdukes@gmail.com> wrote:
> Hi,
>
> Not sure if I should ask this here or in the SEC forum...
>
> Does anyone know how to stop an sec process that's called from syslog-ng?
>
> i.e: when I issue an /etc/init.d/syslog-ng stop
>
> I still have the following running:
>
> root 28202 1 1 12:34 pts/1 00:00:00 /usr/bin/perl -w ...
> root 28207 28202 0 12:34 pts/1 00:00:00 sh -c /usr/bin/tail -F /tmp/sec.log ...
> root 28208 28207 0 12:34 pts/1 00:00:00 /usr/bin/tail -F /tmp/sec.log
> root 28209 28202 0 12:34 pts/1 00:00:00 sh -c /usr/bin/tail -F /tmp/sec_reactive.log...
> root 28210 28209 0 12:34 pts/1 00:00:00 /usr/bin/tail -F...
>
> Here's my syslog-ng config:
>
> destination d_sec {
>     program("/www/svn/php-syslog-ng/scripts/sec/sec.pl -input=\"-\" -conf=/www/svn/php-syslog-ng/scripts/sec/001_proactive.conf -conf=/www/svn/php-syslog-ng/scripts/sec/002_reactive.conf -log=/var/log/php-syslog-ng/sec_run.log -intevents"
>         template("$HOST\t$FACILITY\t$PRIORITY\t$LEVEL\t$TAG\t$YEAR-$MONTH-$DAY\t$HOUR:$MIN:$SEC\t$PROGRAM\t$MSG\n")
>     );
> };
>
> # Tell syslog-ng to log to our new destination
> log {
>     source(s_all);
>     destination(d_sec);
> };
>
> --
> Clayton Dukes
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
Nope, it's not cleaning up the child. (or am I doing something wrong?)

so, to reiterate, when I stop syslog-ng I want it to stop the child sec process(es).

On Sun, Jul 12, 2009 at 1:11 PM, Martin Holste<mcholste@gmail.com> wrote:
> If you manually kill sec (or perl with pid 28202 in the output below) with pkill or kill, Syslog-ng will start up another to replace it, so you would need some sort of lockfile added to sec.pl for the perl script to bail out on early if you want to have Syslog-ng continue to run without sec. Syslog-ng will kill (or TERM, to be precise) all child processes when you send it a TERM signal, so it should clean up after itself.
>
> --Martin
--
Clayton Dukes
It looks to me like the term_handler sub is not getting invoked, or is failing to transmit the $terminate variable to the child procs. I've seen Perl have iffy results with TERM handlers before, so I guess this isn't too surprising. POE does a really good job of handling those, but I've had bad luck with non-POE scripts handling TERM. Suggestions are welcome!

--Martin

On Sun, Jul 12, 2009 at 12:21 PM, Clayton Dukes<cdukes@gmail.com> wrote:
> Nope, it's not cleaning up the child. (or am I doing something wrong?)
>
> so, to reiterate, when I stop syslog-ng I want it to stop the child sec process(es).
participants (2)
- Clayton Dukes
- Martin Holste
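
One way to get the cleanup asked for in this thread without depending on sec.pl's own TERM handler, as an added example (not code from the thread, from SEC or from syslog-ng): a wrapper named in program() that runs the command in its own process group and signals the whole group, so the `sh -c tail -F` helpers go with it. The wrapper path in the comment, the function names and the grace periods are assumptions; it relies on syslog-ng sending TERM to the program() child, as stated in the thread, and on `setsid` from util-linux.

```shell
#!/bin/sh
# Added example: wrapper to name in a syslog-ng program() destination, e.g.
#   program("/usr/local/bin/sec-wrapper.sh /path/to/sec.pl -input=- ...")   (hypothetical path)
GROUP_PID=

# Start the command as leader of a new session; its PID is also the process group ID.
start_group() {
    # Explicit <&0: a non-interactive shell otherwise gives a background job /dev/null
    # as stdin, and the command must keep reading the pipe syslog-ng writes to.
    setsid "$@" <&0 &
    GROUP_PID=$!
}

# True while any process, helpers included, is still in the group.
group_alive() { kill -s 0 -- "-$1" 2>/dev/null; }

# TERM the whole group, wait up to $2 seconds (assumed default 5), then KILL the rest.
stop_group() {
    pgid=$1 grace=${2:-5}
    [ -n "$pgid" ] || return 1
    # Fall back to the leader alone if it has not called setsid() yet.
    kill -s TERM -- "-$pgid" 2>/dev/null || kill -s TERM "$pgid" 2>/dev/null || return 1
    while [ "$grace" -gt 0 ] && group_alive "$pgid"; do
        sleep 1
        grace=$((grace - 1))
    done
    if group_alive "$pgid"; then kill -s KILL -- "-$pgid" 2>/dev/null || true; fi
    wait "$pgid" 2>/dev/null || true    # reap the group leader
    return 0
}

# Run the command, forward termination to its whole group, return its exit status.
supervise() {
    trap 'stop_group "$GROUP_PID"; exit 0' TERM INT HUP
    start_group "$@"
    wait "$GROUP_PID"    # returns when the command exits or a trapped signal arrives
    status=$?
    stop_group "$GROUP_PID" 2 || true    # sweep helpers that outlived the command
    return "$status"
}

if [ "$#" -gt 0 ]; then supervise "$@"; fi
```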