[syslog-ng]sync question, feature request

Jason Edgecombe javaman@vnet.net
Thu, 11 Jan 2001 09:49:31 -0500


hi,

Wiktor Wodecki wrote:
> 
> hello again (sorry if I start to irk you :-),
> 
> I'm a little bit irritated about the sync option. As I understood it
> from the docs (my tests confirmed them) syslog-ng holds up to n lines in
> a buffer before they get written down to disk. However, what happens if
> a machine dies and the buffer on the logging server isn't full yet? I'm
> not quite sure, but what would happen to the data in buffer? I didn't
> test it, but I think time_reap() would catch this and close the file
> after m minutes. However, imagine the following situation: You've got a
> central logging host and you know that an intruder is working right at
> the moment on that machine; Seconds later the machine dies and you want
> to know what the last syslog message was. In this case one'd have to
> wait till syslog-ng closes that file. It would be nice to have a handler
> or a command line argument to make syslog-ng write down all current
> buffers to disk.
In the case you specify, you want sync(0) to write everything
immediately. The sync option is mainly to lighten the load on the
server.

If there is an intruder on your machine, you can't trust the logs
anyway. In that case, you want some type of central logging server. That
way, you have a known good copy of the logs on another machine.
Setting up a central logging host has some other advantages too. I could
see the error messages from an SGI with a dying hard drive. This helped
greatly with diagnosing the problem. Obviously, if I hadn't had the
logging server, I couldn't have seen those messages because of the dead
hard drive.

In addition, if all of your hosts log to one file, then it's very easy
to see certain types of scans, such as someone scanning the whole
subnet for machines with anonymous ftp open.

> I've got another question, I haven't really looked at the 1.5 tree yet,
> but I think about making patch to syslog-ng which would include the
> strftime functions. I want to be able to use things like $Y/$m/$d in the
> destination file path, this would effectively eliminate log rotation
> scripts. Is there such an effort already in work or is this feature
> planned?
There already is something similar, I think it's $MONTH, $DAY, and
$YEAR. Use it in the destination statement.

Jason Edgecombe
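The two points made in the reply, sync(0) for the destination whose last line you cannot afford to lose and the date macros in the file path, put together in one configuration for a central logging host. This is an added example, not code from the thread or from the syslog-ng project; it assumes syslog-ng 1.4-era syntax (the global sync and time_reap options, the per-destination sync_freq and create_dirs options, the udp and unix-stream sources, the $YEAR/$MONTH/$DAY/$HOST macros) and illustrative paths under /var/log/hosts.

```conf
# Added example, not from the thread: syslog-ng 1.4-style syslog-ng.conf
# for a central logging host. Option names follow the 1.4 manual; the
# paths and the choice of UDP on port 514 are assumptions for illustration.

options {
    sync(100);         # global default: buffer up to 100 lines per
                       # destination file before writing them out
    time_reap(60);     # close a destination file idle for 60 seconds,
                       # which also flushes whatever is still buffered
    use_dns(no);       # don't stall on reverse lookups for every message
    keep_hostname(yes);# trust the host name the sender put in the message
};

# Messages from the logging host itself plus syslog-ng's own messages.
source s_local { internal(); unix-stream("/dev/log"); };

# Messages forwarded by the other hosts on the network.
source s_net   { udp(ip(0.0.0.0) port(514)); };

# One file per host per day. The date macros in the path mean a new file
# is opened at midnight, so no logrotate script is needed; create_dirs
# makes the $YEAR/$MONTH/$DAY directories on demand. Bulk traffic keeps
# the buffering, which is what lightens the load on the server.
destination d_hosts {
    file("/var/log/hosts/$YEAR/$MONTH/$DAY/$HOST.log"
         create_dirs(yes) sync_freq(100));
};

# Everything from every host in one file, which is what makes a sweep of
# the whole subnet (one probe per host, seconds apart) easy to spot.
destination d_all {
    file("/var/log/hosts/$YEAR/$MONTH/$DAY/all.log" create_dirs(yes));
};

# Authentication and high-priority messages: sync_freq(0) writes every
# line immediately, so if the sending host dies seconds after the last
# message, that message is already on disk instead of in a buffer.
destination d_auth {
    file("/var/log/hosts/$YEAR/$MONTH/$DAY/auth.log"
         create_dirs(yes) sync_freq(0));
};

filter f_auth { facility(auth, authpriv) or level(crit, alert, emerg); };

log { source(s_local); source(s_net); destination(d_hosts); };
log { source(s_local); source(s_net); destination(d_all); };
log { source(s_local); source(s_net); filter(f_auth); destination(d_auth); };
```

Setting sync(0) in the global options block is the blunt version of the same thing: every destination is flushed per line, at the cost of a write per message. Keeping the global buffer and overriding it with sync_freq(0) only on the destination that matters gives the durability where it is needed without giving up the load reduction elsewhere. Two caveats a practitioner should keep in mind: the flush only covers messages that reached the logging host, so a message still in flight over UDP when the sender dies is lost regardless of the sync setting, and a plain UDP source accepts messages from anyone on the network, so a host that has already been compromised can send forged lines into the same files.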