[syslog-ng] Re: Jailing syslog-ng on OpenBSD 3.5

syslog-ng@lists.balabit.hu
Mon, 26 Jul 2004 13:58:07 +0100


Sorry, realised my mistake. I mistakenly thought that /dev/log was a
static, ever-present device; I now realise that it is created and
destroyed when the standard syslogd starts and exits, respectively.

It appears I will have to run two versions of syslog-ng, with one
chrooted in /jail and one running normally (under a different user).
The one in /jail will be used to listen for logs coming in through TCP
(this machine will be a loghost).

I may return and answer my own questions in the future too. ;)

mark


On Mon, Jul 26, 2004 at 01:43:29PM +0100, markzero@logik.ath.cx wrote:
> Hello.
> 
> I'm having difficulty jailing syslog-ng under OpenBSD 3.5.
> 
> My exact steps so far (after having added group _syslogng and user
> _syslogng):
> 
> # mkdir -p /jail/sysng
> # mkdir -p /jail/sysng/usr/local/sbin
> # mkdir -p /jail/sysng/usr/lib
> # mkdir -p /jail/sysng/usr/libexec
> # mkdir -p /jail/sysng/dev
> # mkdir -p /jail/sysng/var/log
> # mkdir -p /jail/sysng/etc/syslog-ng
> 
> # cp /usr/local/sbin/syslog-ng /jail/sysng/usr/local/sbin
> # cp /usr/lib/libc.so.30.3 /jail/sysng/usr/lib
> # cp /usr/libexec/ld.so /jail/sysng/usr/libexec
> # cp /etc/syslog-ng/syslog-ng.conf /jail/sysng/etc/syslog-ng/
> 
> # chown -R _syslogng._syslogng /jail/sysng
> # ln /dev/log /jail/sysng/dev/log
> 
> I should explain that I installed syslog-ng from a package, as I have no
> access to a compiler on this machine (and my other machine is currently
> in pieces being repaired) - therefore I just moved the binaries into
> the jail.
> 
> Running the command:
> 
> # chroot -g _syslogng -u _syslogng /jail/sysng /usr/local/sbin/syslog-ng
> 
> Does not give any errors, and log files are indeed created in
> /jail/var/log (as per the configuration file) - HOWEVER, nothing on
> the system is actually logged. Syslog-ng logs its own 'birth and death'
> but does not, for example, log mail or even the reboot command.
> 
> Is there some glaring error here? The debugging output from syslog-ng
> gives no errors either; I'm lost as to where to go next to track down
> the problem.
> 
> mark
> 
> ps: I excluded my config as it's pretty much the stock sample config
> with uucp and ppp removed. If this is relevant, I will attach it to my
> next email.
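
A check that follows from the point above about /dev/log being created and destroyed by the daemon: a hard link made with ln only tracks the socket inode that existed at that moment, so a restarted or second daemon leaves the two names detached. This is an added example, not part of the original message; the function name log_socket_state is hypothetical and the default paths are the ones used in the thread.

```shell
#!/bin/sh
# Added example (not from the original post).
# Classifies how the host log socket and the socket name inside a chroot
# jail relate to each other. Default paths are the ones from the thread.
#
# Prints one of:
#   missing     one of the two names does not exist (no daemon has bound it)
#   not-socket  a name exists but is not a UNIX socket
#   shared      both names are the same inode (the hard link is still live)
#   detached    two different sockets; writers to one never reach the other
log_socket_state() {
    host_sock=${1:-/dev/log}
    jail_sock=${2:-/jail/sysng/dev/log}

    # The socket is created when a daemon binds it and removed on exit,
    # so absence is expected while no syslog daemon is running.
    if [ ! -e "$host_sock" ] || [ ! -e "$jail_sock" ]; then
        echo missing
        return 0
    fi

    if [ ! -S "$host_sock" ] || [ ! -S "$jail_sock" ]; then
        echo not-socket
        return 0
    fi

    # -ef is true only when both names refer to the same device and inode.
    # A daemon that unlinks and re-binds its socket creates a new inode,
    # which turns an earlier hard link into a stale name.
    if [ "$host_sock" -ef "$jail_sock" ]; then
        echo shared
    else
        echo detached
    fi
}

# Report the state for the paths given on the command line (or the defaults).
log_socket_state "$@"
```

A result of detached while programs on the host write to /dev/log matches the symptom in the quoted message: the jailed daemon records its own start and stop but receives nothing from the rest of the system.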