[syslog-ng] Question about syntax for source

Phusion phusion2k at gmail.com
Fri Apr 8 18:52:19 CEST 2011


On Fri, Apr 8, 2011 at 4:14 AM, Sandor Geller
<Sandor.Geller at morganstanley.com> wrote:
> Hello Bazsi,
>
> On Fri, Apr 8, 2011 at 12:36 AM, Balazs Scheidler <bazsi at balabit.hu> wrote:
>> On Mon, 2011-04-04 at 12:18 +0200, Sandor Geller wrote:
>>> Hello,
>>>
>>> On Sun, Apr 3, 2011 at 9:02 PM, Gergely Nagy <algernon at balabit.hu> wrote:
>>> > Phusion <phusion2k at gmail.com> writes:
>>> >
>>> >> When trying to convert this for syslog-ng 3.x under OpenBSD, I have an
>>> >> error. When I use syslog-ng -s -f ../syslog-ng.conf it works, but when
>>> >> I run syslog-ng -p /var/run/syslog-ng.pid, I get the following error.
>>> >>
>>> >> # /usr/local/sbin/syslog-ng -p /var/run/syslog-ng.pid
>>> >> WARNING: you are using the pipe driver, underlying file is not a FIFO,
>>> >> it should be used by file(); filename='/dev/klog'
>>> >
>>> > The warning pretty much tells you what to do, and why: change pipe() to
>>> > file(), because /dev/klog appears to be something else than your common
>>> > pipe.
>>>
>>> This warning is misleading. As reported a while ago using file() for
>>> anything else than non-regular files could lead to severe problems.
>>>
>>> > In syslog-ng 2.x, things worked a bit differently (the details escape
>>> > me, I'm afraid), which changed in 3.x, and thus, the warning is printed.
>>> >
>>> >> Here is the current source line using syslog-ng 3.0 under OpenBSD 4.8.
>>> >>
>>> >> source local { internal(); pipe("/dev/klog" program_override("kernel: ")); unix-dgram("/dev/log"); };
>>> >
>>> > Change it to something like this:
>>> >
>>> > source local {
>>> >       internal();
>>> >       file("/dev/klog" program_override("kernel: "));
>>> >       unix-dgram("/dev/log");
>>> > };
>>>
>>> Don't do this. Commit 61940d18c205d36cb7dd0b30dba741cc8459e2ac fixed
>>> the underlying problem in the 3.2 branch. When a new version will get
>>> released then the warning would remain but at least syslog-ng would
>>> actually check that the source is a regular file and assume
>>> readability only in this case, otherwise it will poll() the source
>>> which is the wanted behaviour for character devices and pipes.
>>
>> But if I remember correctly, that only affected 3.2, right?
>
> In 3.0.8 using pipe() on a non-fifo source or using file() on a fifo
> source was a fatal error. In 3.1.3 the errors were downgraded to
> warnings, 3.2 behaves more or less the same. I haven't checked 3.3
> yet.
>
> In 3.2 git there is an additional check so LW_ALWAYS_WRITABLE is set
> only for regular file destinations which fixes the blocking write
> problem reported on the list a while ago but there is still a warning
> which could get suppressed. I think pipe should be the preferred
> driver for anything else than regular files, an extra poll() won't
> hurt. What do you think about this patch?
>
> --- affile.c    2011-02-13 14:34:38.000000000 +0100
> +++ affile.c-new        2011-04-08 11:13:52.000000000 +0200
> @@ -46,6 +46,7 @@
>  {
>   cap_t saved_caps;
>   struct stat st;
> +  gboolean is_regular;
>
>   if (strstr(name, "../") || strstr(name, "/.."))
>     {
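Review bot: is_regular is declared at function scope without an initialiser, while the second hunk assigns and reads it only inside the if (stat(name, &st) >= 0) branch. Declaring it inside that branch, or initialising it here, would keep a later edit from reading it uninitialised on the stat() failure path, where *regular = TRUE is set instead.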
> @@ -75,20 +76,21 @@
>   *fd = -1;
>   if (stat(name, &st) >= 0)
>     {
> -      if (is_pipe && !S_ISFIFO(st.st_mode))
> +      is_regular = !!S_ISREG(st.st_mode);
> +      if (!is_pipe && !is_regular)
>         {
> -          msg_warning("WARNING: you are using the pipe driver,
> underlying file is not a FIFO, it should be used by file()",
> +          msg_warning("WARNING: you are using the file driver,
> underlying file is not a regular file, it should be used by pipe()",
>                     evt_tag_str("filename", name),
>                     NULL);
>         }
> -      else if (!is_pipe && S_ISFIFO(st.st_mode))
> +      else if (is_pipe && is_regular)
>         {
> -          msg_warning("WARNING: you are using the file driver,
> underlying file is a FIFO, it should be used by pipe()",
> +          msg_warning("WARNING: you are using the pipe driver,
> underlying file is a regular file, it should be used by file()",
>                       evt_tag_str("filename", name),
>                       NULL);
>         }
>       if (regular)
> -        *regular = !!S_ISREG(st.st_mode);
> +        *regular = is_regular;
>     }
>   else if (regular)
>     *regular = TRUE;
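Review bot: the new test if (!is_pipe && !is_regular) fires for every non-regular type, so file() on a directory, socket or block device is also told "it should be used by pipe()". Restricting the pipe() advice to S_ISFIFO(st.st_mode) || S_ISCHR(st.st_mode) and wording the remaining case separately would keep the message accurate. The msg_warning() strings are also wrapped across two lines in this mail, so the hunk will not apply as posted; resending the patch as an attachment would avoid that.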
>
> Regards,
>
> Sandor

I'm still having problems getting the kernel messages. I currently
have the following. This is 3.1.1 in OpenBSD 4.8.

@version: 3.0
options { keep_hostname(yes); long_hostnames(off); flush_lines(0); };
source local { internal(); pipe("/dev/klog" program_override("kernel")); unix-dgram("/dev/log"); };
destination ls_kernel { file("/var/log/kernel.log"); };
filter f_kernel { match("kernel" value("MESSAGE")); };
filter f_server { host("server"); };
log { source(local); filter(f_server); filter(f_kernel); destination(ls_kernel); };

Please advise.

Phusion
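
Added example, not part of the original post and not syslog-ng code: a stand-alone C program for the file-type check discussed in the quoted thread. It goes one step beyond the quoted patch by separating FIFOs and character devices (such as /dev/klog) from other non-regular files. All type and function names are hypothetical, and the FIFO under /tmp is a constructed sample.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* All names below are hypothetical; this is not syslog-ng code. */
typedef enum { SRC_MISSING, SRC_REGULAR, SRC_POLLABLE, SRC_OTHER } src_kind;

/* Classify a source path by the file type stat() reports. */
src_kind classify_source(const char *path)
{
  struct stat st;
  if (stat(path, &st) < 0)
    return SRC_MISSING;
  if (S_ISREG(st.st_mode))
    return SRC_REGULAR;          /* always readable, no poll() needed */
  if (S_ISFIFO(st.st_mode) || S_ISCHR(st.st_mode))
    return SRC_POLLABLE;         /* FIFO or character device: poll() it */
  return SRC_OTHER;              /* directory, block device, socket */
}

/* Driver name matching the kind, or NULL when neither file() nor pipe() fits. */
const char *suggested_driver(src_kind kind)
{
  if (kind == SRC_REGULAR)
    return "file";
  if (kind == SRC_POLLABLE)
    return "pipe";
  return NULL;
}

/* Constructed sample: create a FIFO under /tmp, classify it, remove it. */
src_kind classify_constructed_fifo(void)
{
  char path[64];
  src_kind kind;
  snprintf(path, sizeof(path), "/tmp/srckind-%ld.fifo", (long) getpid());
  if (mkfifo(path, 0600) < 0)    /* fails rather than reusing an existing path */
    return SRC_MISSING;
  kind = classify_source(path);
  unlink(path);
  return kind;
}

int main(void)
{
  const char *d = suggested_driver(classify_source("/dev/null"));
  printf("/dev/null -> %s\n", d ? d : "neither file() nor pipe()");
  return classify_constructed_fifo() == SRC_POLLABLE ? 0 : 1;
}
```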
