[syslog-ng] Creating a named pipe (FIFO)

William Bell williamb at cwie.net
Fri Mar 24 01:22:33 CET 2006


As a feature request / bonus to this conversation, has any investigation
been done into adding create-FIFO ability to the pipe source driver? I'm sure
that everyone could benefit from pipes that are created and torn down by
syslog-ng, so that unless syslog-ng is holding the pipe open and holding
ownership of the pipe, the pipe does not exist. This would be an extra added
bonus on the security front. It's an OK fix to have the pipe created by the
startup script and even torn down by that same script; however, if for some
reason syslog-ng crashes, or an administrator thinks it's a good idea to just
kill off the process, that pipe hangs around and is a potential security
risk.

It's just an idea. Maybe someone can run with it.

William Bell II
CWIE Security

-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Evan Rempel
Sent: Wednesday, March 22, 2006 10:21 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Creating a named pipe (FIFO)


We do the opposite.

We wanted to use the message matching rules of syslog-ng to essentially
rewrite the facility.level (priority) of messages and then log them again.
To accomplish this, we have a "normal" syslog-ng running that listens on the
localhost:514 port that then logs to the local files, and to a central
syslog-ng server.

We then start a second instance of syslog-ng within the startup script for
the applications, such as apache.

- check for and create the named pipe(s)
- start syslog-ng specific to this application
- start the application that logs to the named pipe(s)

This instance of syslog-ng parses the messages and relogs via syslog to
localhost with a new set of priorities.

This allows local syslog files to contain the appropriate facility.level of
messages as well as our central syslog-ng server. It also allows for a very
complicated set of match rules for a given application without making an
overly complicated syslog-ng configuration file. Basically you end up with
one configuration file per application.

This is just our syslog architecture, so your mileage may vary.

Evan.


On Wed, 22 Mar 2006, Cary, Kim wrote:

> Date: Wed, 22 Mar 2006 09:11:26 -0800
> From: "Cary, Kim" <Kim.Cary at pepperdine.edu>
> Reply-To: Syslog-ng users' and developers' mailing list
>     <syslog-ng at lists.balabit.hu>
> To: syslog-ng at lists.balabit.hu
> Subject: [syslog-ng] Creating a named pipe (FIFO)
> 
> We create our pipes by placing the appropriate commands in the 
> syslog-ng startup file (/etc/init.d/syslog-ng).
>
> [Actually, we test to see if the pipe already exists; if not, we 
> create it. We do this creation in /var/run and here the pipe needs to 
> be recreated after every boot. We don't want to recreate it when we 
> restart the process (syslog-ng) that is feeding it, since recreating 
> it requires us to bounce the process that is reading from it (fisq.pl)].
>
> Kim Cary
> Infrastructure Security Administrator
> M-F 7-4 ~ 310 506 6655
>
>
>

--
Evan Rempel				erempel at uvic.ca
Senior Programmer Analyst		250.721.7691
Computing Services
University of Victoria
_______________________________________________
syslog-ng maillist  -  syslog-ng at lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
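The thread describes two practices: Kim Cary's startup script tests whether the FIFO already exists before creating it, and William Bell wants the pipe to exist only while the process that owns it is alive. The following script is an added example (not code from the thread and not part of syslog-ng) that does both from a startup script and adds the checks a defender would want before trusting a pre-existing pipe. PIPE_DIR, PIPE_OWNER, the function names and the /var/run subdirectory are assumptions for this example; the stat invocation is GNU coreutils.

```shell
#!/bin/sh
# Added example, not code from the thread or from syslog-ng: a startup-script
# fragment that manages an application log FIFO the way the posts describe, with
# the checks a defender would want. PIPE_DIR, PIPE_OWNER and the function names
# are assumptions for this example.
#
#   - create the FIFO only if it is absent (the existence test Kim Cary describes)
#   - refuse a path that exists but is not a FIFO, is a symlink, or has the wrong
#     owner or mode, so a stale or planted object is never reused
#   - remove the FIFO when the script exits, so it does not outlive the process
#     that reads it (the lingering-pipe concern William Bell raises)
set -eu

PIPE_DIR="${PIPE_DIR:-/var/run/syslog-ng-pipes}"   # assumed location
PIPE_OWNER="${PIPE_OWNER:-$(id -un)}"              # assumed owner of the FIFO

# check_pipe PATH: 0 if PATH is a real FIFO (not a symlink), mode 0600, owned by PIPE_OWNER.
check_pipe() {
    path="$1"
    [ -p "$path" ] && [ ! -L "$path" ] || return 1
    # stat -c is GNU coreutils; BSD/macOS would need stat -f '%Lp %Su' instead.
    info=$(stat -c '%a %U' "$path" 2>/dev/null) || return 1
    [ "${info% *}" = "600" ] && [ "${info#* }" = "$PIPE_OWNER" ]
}

# make_pipe PATH: create PATH as a mode-0600 FIFO if it is missing, then verify it.
# Returns 1 if something other than a FIFO already occupies the path.
make_pipe() {
    path="$1"
    if [ -e "$path" ] || [ -L "$path" ]; then
        [ -p "$path" ] && [ ! -L "$path" ] || return 1
    else
        # The umask restricts the mode at creation, so the FIFO never exists
        # world-accessible during the gap before chmod runs.
        (umask 077 && mkfifo "$path") || return 1
    fi
    chmod 600 "$path" || return 1
    check_pipe "$path"
}

# remove_pipe PATH: delete PATH only if it is still the FIFO we expect.
remove_pipe() {
    path="$1"
    [ -p "$path" ] && [ ! -L "$path" ] || return 1
    rm -f "$path"
}

# run_demo [PATH]: wire the FIFO to a reader and tear it down on exit, the
# behaviour the feature request asks syslog-ng itself to provide.
run_demo() {
    pipe="${1:-$PIPE_DIR/app.log}"
    mkdir -p "$(dirname "$pipe")"
    make_pipe "$pipe" || { echo "refusing to use $pipe" >&2; return 1; }
    trap 'remove_pipe "$pipe"' EXIT INT TERM
    cat "$pipe" &                                   # stands in for the reading syslog-ng instance
    echo "<134>demo: hello via the fifo" > "$pipe"  # constructed message, stands in for the application
    wait
}

# Usage: ./fifo-pipe.sh demo [/path/to/pipe]
if [ "${1:-}" = "demo" ]; then
    run_demo "${2:-}"
fi
```

The existence test alone is not enough: `[ -e ]` is also true for a regular file or a symlink left at that path, and a reader that opens it would happily consume whatever it points at. Checking `-p` together with `! -L`, and then the owner and mode, closes that gap; the `trap` on EXIT gives the startup script the create-and-tear-down lifetime the feature request asks for, as long as the script itself (not syslog-ng) is what gets killed.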
