RE: [syslog-ng]iptables & syslog-ng
Hi Michael

That did indeed fix the problem, are you running 1.5.9? Now I have to write rules for two src's, which could cause more overhead, so I would like to know if this is a bug of some sort or normal behavior. Thanks for your help, this really works well.

Best regards,
Daniel

-----Original Message-----
From: Michael Renner [mailto:robe@amd.co.at]
Sent: Tuesday, August 28, 2001 4:10 PM
To: 'syslog-ng@lists.balabit.hu'
Subject: Re: [syslog-ng]iptables & syslog-ng

On Tue, 28 Aug 2001, Nijs, Daniel wrote:
Hello,
I just set up an iptables based firewall on my syslog-ng host machine (Red Hat 7.1), but ran into a small problem. When I run syslogd+klogd, I can see iptables generating the logfiles. When I disable the standard syslog daemon and run syslog-ng+klogd, I do not see the data I am looking for; it is almost like iptables isn't logging at all, but it has to, since it works with the normal syslogd. I set up a generic rule and a fallback, so everything should work. When using the "logger" tool and generating a fake entry, everything seems OK, so I assume this is an issue between kernel logging and syslog-ng. I am running 1.5.9 (not the official release). Any help would be appreciated. Thanks
Hi Daniel!

It sounds like you have problems with your kernel logs... do you receive any kernel messages at all? I dumped klogd altogether and am using the following syslog-ng directive as source for my kernel messages:

---
source srck { pipe("/proc/kmsg"); };
---

It works w/o a flaw for me and makes the klogd obsolete, another application which can't break :)

greetz
michael

Michael Renner
Inode Internet - Junior System Engineer
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
On Wed, Aug 29, 2001 at 08:53:26AM -0400, Nijs, Daniel wrote:
Hi Michael
That did indeed fix the problem, are you running 1.5.9? Now I have to write rules for two src's, which could cause more overhead, so I would like to know if this is a bug of some sort or normal behavior. Thanks for your help, this really works well.
Red Hat's klogd is using unix-dgram sockets, while the libc can send both unix-stream and unix-dgram. If you are using unix-stream, only the libc will be able to log.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Wed, 29 Aug 2001, Nijs, Daniel wrote:
Hi Michael
That did indeed fix the problem, are you running 1.5.9? Now I have to write rules for two src's, which could cause more overhead, so I would like to know if this is a bug of some sort or normal behavior. Thanks for your help, this really works well.
Hi Daniel!

I'm currently using syslog-ng 1.4.11 because I don't have the time to play around with the newer versions. The 1.4 branch is stable, and as soon as 1.6 is released I will think about upgrading. There are also a bunch of new configuration changes which (AFAIK) aren't yet documented in the online help, and I hate browsing through mailing list archives :).

I never tried getting klogd to work with syslog-ng, because it offered a native option of getting the kernel messages. But you can put as many sources as you want in one source definition, e.g.

---
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
---

should do the trick. That solution was impractical for me, because I would have to filter much more out of one big stream of data. Now I've got 2 logfiles for the kernel source, one iptables log and one for the other kernel messages. I think the overhead generated by the two log sources is so small that it's negligible, it's just a bigger config file :)

greetz
michael
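The two points raised in this thread, Bazsi's note that a unix-stream() listener on /dev/log cannot receive from a klogd that writes with a datagram socket, and Michael's setup of reading /proc/kmsg directly and splitting iptables messages from the rest of the kernel log, can be combined in one configuration. The file below is an added illustration written for this page; it is not from the thread's participants or from the syslog-ng project. It assumes the syslog-ng 1.x-era syntax used in the thread, a Linux host, iptables rules that log with the prefix `IPT: ` (an assumed `--log-prefix` value), and the file paths under /var/log chosen here.

```conf
# Added example (not from the thread or the syslog-ng project).
# Assumptions, labelled: syslog-ng 1.x syntax, Linux, iptables rules logging
# with --log-prefix "IPT: ", and the /var/log paths below.

# Weak: a stream socket on /dev/log. glibc's syslog() can fall back between
# stream and datagram, so "logger" still works, but a klogd that opens
# /dev/log as SOCK_DGRAM cannot deliver to a stream listener, which is why
# the iptables messages silently vanished. Kept here only for comparison.
# source s_weak { unix-stream("/dev/log"); internal(); };

# Corrected: accept /dev/log as a datagram socket so both the libc and any
# datagram writer can log, and read the kernel ring buffer directly from
# /proc/kmsg so klogd is no longer needed. Only one process should read
# /proc/kmsg; running klogd alongside this source splits messages between
# the two readers.
source s_all {
    unix-dgram("/dev/log");
    internal();
    pipe("/proc/kmsg");
};

# Kernel messages carrying the assumed iptables prefix get their own file;
# every other kernel-facility message goes to a second file, and everything
# that is not from the kernel goes to the usual messages file.
filter f_iptables  { facility(kern) and match("IPT: "); };
filter f_kern_rest { facility(kern) and not match("IPT: "); };
filter f_not_kern  { not facility(kern); };

destination d_iptables { file("/var/log/iptables.log"); };
destination d_kernel   { file("/var/log/kernel.log"); };
destination d_messages { file("/var/log/messages"); };

log { source(s_all); filter(f_iptables);  destination(d_iptables); };
log { source(s_all); filter(f_kern_rest); destination(d_kernel); };
log { source(s_all); filter(f_not_kern);  destination(d_messages); };
```

Lines read from /proc/kmsg carry a `<N>` priority prefix that syslog-ng decodes into facility and severity, so `facility(kern)` selects them just as it would messages that klogd forwarded through /dev/log. Because the two kernel filters are complementary, no kernel message is dropped or written twice, which keeps the firewall log complete and the overhead limited to one extra file rather than extra sources.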
Participants (3)
- Balazs Scheidler
- Michael Renner
- Nijs, Daniel