[syslog-ng]Strange Directories created [I have read the listserv to no avail]

Nate Campi syslog-ng@lists.balabit.hu
Sat, 1 Mar 2003 10:54:07 -0800 

On Sun, Mar 02, 2003 at 07:20:29AM +1300, Harry Hoffman wrote:
> 
> Hmmm, that quite interesting as all of these strange directories are created 
> from Solaris hosts running sun's syslogd.
> Are you seeing the same thing? I don't see this behaviour on the Linux 
> machines, but I do - very rarely - see it on the NT/2k/XP machines running NT-
> syslog.

Solaris syslogd (and SVR4 in general I think) sends syslog messages
across the network sans hostname, but everything else intact[1].

Under some unknown circumstances syslog-ng doesn't rewrite the hostname
as it is supposed to, as evidenced by your directories with names like
SCSI, etc. Since it only happens over UDP (for me anyways), that might
be a clue for someone inspecting the code.

I'd say roll out syslog-ng to all your solaris hosts. I'm certainly glad
I did[2].

1. Notes on syslog formats:
  http://cert.uni-stuttgart.de/archive/loganalysis/2002/01/msg00021.html

2. My notes on replacing solaris syslogd (2.6 - 2.9) with syslog-ng:

Compile syslog-ng on a 2.6 box and push it out to all same and newer
releases, binary compatibility handles it fine. 2.6-2.8 modify
/usr/lib/newsyslog to 'kill -HUP `cat /var/run/syslog-ng.pid`' instead
of (IIRC) /etc/syslog.pid, and for sol9 do the same to the lines in
/etc/logadm.conf (s|/var/run/syslog.pid|/var/run/syslog-ng.pid|). 

Remove any loghost lines from /etc/syslog.conf in case some intruder is
too stupid to notice you're not running syslogd. You could use lance
spitzners tricks to hide your syslog-ng.conf if you're really paranoid,
search the web if you're interested. 

Modify /etc/init.d/syslog (/etc/rc2.d/S74syslog) to start syslog-ng
instead of syslogd, and you should also add a "reload" line that just
does the 'kill -HUP `cat /var/run/syslog-ng.pid`'

I think that's all of it, it's not really very complicated, you just
needs some automated way of doing it on all hosts reliably. I use
cfengine to ensure all my hosts are setup properly.
-- 
Nate Campi    http://www.campin.net