Hello, It seems that syslog-ng starts external program to pipe logs through only at startup. The documentation says so too and there's nothing about restart. Syslog-ng only writes error message to internal log if program is terminated. Feb 3 15:48:17 loghost syslog-ng[971]: io.c: do_write: write() failed (errno 32), Broken pipe Feb 3 15:48:17 loghost syslog-ng[971]: pkt_buffer::do_flush(): Error flushing data But, in some cases it's desirable to watch for this external filter program and restart it when nesessary. Program may die suddenly or may need full restart for reconfiguration. I know that syslog-ng restarts external filter on SIGHUP, and sure i could write watcher script for automatic SIGHUPing of syslog-ng, but automatic filter program restart, perhaps with some frequency limitations would be quite useful. Is there any considerations against that? -- Dmitry Frolov, Zenon N.S.P. (095) 250-4629, http://www.zenon.net/
On Mon, Feb 03, 2003 at 04:15:14PM +0300, Dmitry Frolov wrote:
Hello,
It seems that syslog-ng starts external program to pipe logs through only at startup. The documentation says so too and there's nothing about restart.
Syslog-ng only writes error message to internal log if program is terminated.
Feb 3 15:48:17 loghost syslog-ng[971]: io.c: do_write: write() failed (errno 32), Broken pipe Feb 3 15:48:17 loghost syslog-ng[971]: pkt_buffer::do_flush(): Error flushing data
But, in some cases it's desirable to watch for this external filter program and restart it when nesessary. Program may die suddenly or may need full restart for reconfiguration. I know that syslog-ng restarts external filter on SIGHUP, and sure i could write watcher script for automatic SIGHUPing of syslog-ng, but automatic filter program restart, perhaps with some frequency limitations would be quite useful. Is there any considerations against that?
This is the intended behaviour as without this everybody would be putting program("mail -s alert `read`"); like scripts in their configuration which would effectively DoS their log server. Regardless syslog-ng 2 (the development branch) contains code to restart the program, but possibly it will come with a knob defaulting to FALSE whether this restart should be done. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Mon, Feb 03, 2003 at 02:28:37PM +0100, Balazs Scheidler wrote:
It seems that syslog-ng starts external program to pipe logs through only at startup. The documentation says so too and there's nothing about restart.
Syslog-ng only writes error message to internal log if program is terminated.
Feb 3 15:48:17 loghost syslog-ng[971]: io.c: do_write: write() failed (errno 32), Broken pipe Feb 3 15:48:17 loghost syslog-ng[971]: pkt_buffer::do_flush(): Error flushing data
But, in some cases it's desirable to watch for this external filter program and restart it when nesessary. Program may die suddenly or may need full restart for reconfiguration. I know that syslog-ng restarts external filter on SIGHUP, and sure i could write watcher script for automatic SIGHUPing of syslog-ng, but automatic filter program restart, perhaps with some frequency limitations would be quite useful. Is there any considerations against that?
This is the intended behaviour as without this everybody would be putting
program("mail -s alert `read`");
like scripts in their configuration which would effectively DoS their log server.
Well, everything may be misused or misconfigured but it's not a syslog-ng problem... Sysadmin should consider this and other DoS possibilities when configuring logserver. Besides, there might be some minimal startup frequency limit, 1 second for example. Without automatic filter restart logserver loses log reporting functionality until next syslog-ng restart or SIGHUP.
Regardless syslog-ng 2 (the development branch) contains code to restart the program, but possibly it will come with a knob defaulting to FALSE whether this restart should be done.
Restart might be an option to 'program' destination which defaults to false.. -- Dmitry Frolov, Zenon N.S.P. (095) 250-4629, http://www.zenon.net/
participants (2)
-
Balazs Scheidler
-
Dmitry Frolov