[syslog-ng] SEC and syslog

Hari Sekhon hpsekhon at googlemail.com
Fri Jan 11 14:32:53 CET 2008


Solis, Alex (EMC) wrote:
> Thanks for the reply!
>
> Is there any DoS possibility or performance problem when the program()
> destination is used in a high log volume environment?  I can see a
> problem if the program is spawned (executed) each time a log comes in,
> which might be very often.  I am hoping the program() destination keeps
> the program in memory; does it do this
The manual says that it keeps the program running and feeding it stdin.

http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/ch08s02.html#reference_destination_program

Version 2 restarts it if the program exits but it's not recommended to 
use any program that exits early after 1 message or you'll
open yourself up to a DoS. Version 1.6 doesn't do this so you'll need to 
write a script to watch that and restart
if necessary (I did this for example).

-h

-- 
Hari Sekhon



More information about the syslog-ng mailing list