[syslog-ng] Compiled 3.0.3 on CentOS 5.3 with spoof source - not working
Balazs Scheidler
bazsi at balabit.hu
Wed Jul 22 12:58:22 CEST 2009
On Tue, 2009-07-21 at 06:35 -0400, Scott Ware wrote:
> Here is the output that I get from running "strace":
>
> execve("/usr/local/sbin/syslog-ng", ["/usr/local/sbin/syslog-ng"], [/*
> 22 vars */]) = 0
> brk(0) = 0x8814000
> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
> directory)
> open("/etc/ld.so.cache", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=41643, ...}) = 0
> mmap2(NULL, 41643, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f70000
> close(3) = 0
> open("/lib/librt.so.1", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200\10\215
> \0004\0\0\0"..., 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=44060, ...}) = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
> 0) = 0xb7f6f000
> mmap2(0x8cf000, 33324, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
> 3, 0) = 0x8cf000
> mmap2(0x8d6000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_DENYWRITE, 3, 0x6) = 0x8d6000
> close(3) = 0
> open("/lib/libnsl.so.1", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0 \361\335\0004
> \0\0\0"..., 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=101404, ...}) = 0
> mmap2(0xddc000, 92104, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
> 3, 0) = 0xddc000
> mmap2(0xdef000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_DENYWRITE, 3, 0x12) = 0xdef000
> mmap2(0xdf1000, 6088, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_ANONYMOUS, -1, 0) = 0xdf1000
> close(3) = 0
> open("/lib/libglib-2.0.so.0", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`m\216\0004\0
> \0\0"..., 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=644472, ...}) = 0
> mmap2(0x8da000, 646636, PROT_READ|PROT_EXEC, MAP_PRIVATE|
> MAP_DENYWRITE, 3, 0) = 0x8da000
> mmap2(0x977000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_DENYWRITE, 3, 0x9c) = 0x977000
> close(3) = 0
> open("/usr/lib/libevtlog.so.0", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\17\0\0004
> \0\0\0"..., 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=12044, ...}) = 0
> mmap2(NULL, 14988, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
> 0) = 0xb2b000
> mmap2(0xb2e000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_DENYWRITE, 3, 0x2) = 0xb2e000
> close(3) = 0
> open("/lib/libwrap.so.0", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300=\207\0004
> \0\0\0"..., 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=32824, ...}) = 0
> mmap2(0x872000, 32188, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
> 3, 0) = 0x872000
> mmap2(0x879000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_DENYWRITE, 3, 0x7) = 0x879000
> close(3) = 0
> open("/lib/libc.so.6", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\37t\0004
> \0\0\0"..., 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=1606808, ...}) = 0
> mmap2(0x72c000, 1324452, PROT_READ|PROT_EXEC, MAP_PRIVATE|
> MAP_DENYWRITE, 3, 0) = 0x72c000
> mmap2(0x86a000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_DENYWRITE, 3, 0x13e) = 0x86a000
> mmap2(0x86d000, 9636, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_ANONYMOUS, -1, 0) = 0x86d000
> close(3) = 0
> open("/lib/libpthread.so.0", O_RDONLY) = 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000X\212\0004
> \0\0\0"..., 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=125612, ...}) = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
> 0) = 0xb7f6e000
> mmap2(0x8a1000, 90592, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
> 3, 0) = 0x8a1000
> mmap2(0x8b4000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_DENYWRITE, 3, 0x12) = 0x8b4000
> mmap2(0x8b6000, 4576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
> MAP_ANONYMOUS, -1, 0) = 0x8b6000
> close(3) = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
> 0) = 0xb7f6d000
> set_thread_area({entry_number:-1 -> 6, base_addr:0xb7f6d6c0,
> limit:1048575, seg_32bit:1, contents:0, read_exec_only:0,
> limit_in_pages:1, seg_not_present:0, useable:1}) = 0
> mprotect(0x8b4000, 4096, PROT_READ) = 0
> mprotect(0x86a000, 8192, PROT_READ) = 0
> mprotect(0xdef000, 4096, PROT_READ) = 0
> mprotect(0x8d6000, 4096, PROT_READ) = 0
> mprotect(0x723000, 4096, PROT_READ) = 0
> munmap(0xb7f70000, 41643) = 0
> set_tid_address(0xb7f6d708) = 16916
> set_robust_list(0xb7f6d710, 0xc) = 0
> futex(0xbfb87584, FUTEX_WAKE_PRIVATE, 1) = 0
> rt_sigaction(SIGRTMIN, {0x8a53d0, [], SA_SIGINFO}, NULL, 8) = 0
> rt_sigaction(SIGRT_1, {0x8a52e0, [], SA_RESTART|SA_SIGINFO}, NULL, 8)
> = 0
> rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
> getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY})
> = 0
> uname({sys="Linux", node="L0982iappv0100.ius.meijer.com", ...}) = 0
> brk(0) = 0x8814000
> brk(0x8835000) = 0x8835000
> gettimeofday({1248172733, 541317}, NULL) = 0
> ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon
> echo ...}) = 0
> ioctl(0, TIOCNOTTY) = 0
> setsid() = 16916
> setrlimit(RLIMIT_NOFILE, {rlim_cur=4*1024, rlim_max=4*1024}) = 0
> pipe([3, 4]) = 0
> clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|
> SIGCHLD, child_tidptr=0xb7f6d708) = 16917
> close(4) = 0
> read(3, "0\n", 6) = 2
> close(3) = 0
> exit_group(0) = ?
>
this is the strace of the startup code and not relevant. please start
syslog-ng and attach strace to the running process using "-p <pid>".
Then reproduce the problem and post the relevant strace dump.
Thanks.
>
> On Tue, Jul 21, 2009 at 5:04 AM, Balazs Scheidler <bazsi at balabit.hu>
> wrote:
> On Sun, 2009-07-19 at 12:10 -0400, Scott Ware wrote:
> > I have SELinux disabled, and I am running it as root.
> >
>
>
> then please run strace on the syslog-ng process to see why it
> gets
> permission denied problems.
>
>
>
> > On Thu, Jul 16, 2009 at 6:13 PM, Balazs Scheidler
> <bazsi at balabit.hu>
> > wrote:
> >
> > On Tue, 2009-07-14 at 08:30 -0400, Scott Ware wrote:
> > > So, I complied Syslog-ng with the
> --enable-spoof-source
> > option, and
> > > everything installed fine. However, when I have
> the
> > spoof_source(yes)
> > > option in the config file, nothing gets
> re-directed to my
> > logging
> > > destination.
> > >
> > > If I take the option out, everything gets
> re-directed. Can
> > you
> > > possible help me? Thanks!
> >
> >
> > hmm.. does syslog-ng have the necessary permissions.
> SELinux
> > comes to my
> > mind.
>
> >
> --
> Bazsi
>
>
> ______________________________________________________________________________
> Member info:
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>
--
Bazsi
More information about the syslog-ng
mailing list