[syslog-ng] Question about syntax for source

Robert Fekete frobert at balabit.com
Fri Apr 15 20:37:34 CEST 2011


On 04/15/2011 04:25:31 PM, Balazs Scheidler wrote:
> On Fri, 2011-04-08 at 11:14 +0200, Sandor Geller wrote:
> > Hello Bazsi,
> > 
> > On Fri, Apr 8, 2011 at 12:36 AM, Balazs Scheidler <bazsi at balabit.hu> wrote:
> > > On Mon, 2011-04-04 at 12:18 +0200, Sandor Geller wrote:
> > >> Hello,
> > >>
> > >> On Sun, Apr 3, 2011 at 9:02 PM, Gergely Nagy <algernon at balabit.hu> wrote:
> > >> > Phusion <phusion2k at gmail.com> writes:
> > >> >
> > >> >> When trying to convert this for syslog-ng 3.x under OpenBSD, I have an
> > >> >> error. When I use syslog-ng -s -f ../syslog-ng.conf it works, but when
> > >> >> I run syslog-ng -p /var/run/syslog-ng.pid, I get the following error.
> > >> >>
> > >> >> # /usr/local/sbin/syslog-ng -p /var/run/syslog-ng.pid
> > >> >> WARNING: you are using the pipe driver, underlying file is not a FIFO,
> > >> >> it should be used by file(); filename='/dev/klog'
> > >> >
> > >> > The warning pretty much tells you what to do, and why: change pipe() to
> > >> > file(), because /dev/klog appears to be something else than your common
> > >> > pipe.
> > >>
> > >> This warning is misleading. As reported a while ago using file() for
> > >> anything else than non-regular files could lead to severe problems.
> > >>
> > >> > In syslog-ng 2.x, things worked a bit differently (the details escape
> > >> > me, I'm afraid), which changed in 3.x, and thus, the warning is printed.
> > >> >
> > >> >> Here is the current source line using syslog-ng 3.0 under OpenBSD 4.8.
> > >> >>
> > >> >> source local { internal(); pipe("/dev/klog" program_override("kernel: "));
> > >> >> unix-dgram("/dev/log"); };
> > >> >
> > >> > Change it to something like this:
> > >> >
> > >> > source local {
> > >> >       internal();
> > >> >       file("/dev/klog" program_override("kernel: "));
> > >> >       unix-dgram("/dev/log");
> > >> > };
> > >>
> > >> Don't do this. Commit 61940d18c205d36cb7dd0b30dba741cc8459e2ac fixed
> > >> the underlying problem in the 3.2 branch. When a new version will get
> > >> released then the warning would remain but at least syslog-ng would
> > >> actually check that the source is a regular file and assume
> > >> readability only in this case, otherwise it will poll() the source
> > >> which is the wanted behaviour for character devices and pipes.
> > >
> > > But if I remember correctly, that only affected 3.2, right?
> > 
> > In 3.0.8 using pipe() on a non-fifo source or using file() on a fifo
> > source was a fatal error. In 3.1.3 the errors were downgraded to
> > warnings, 3.2 behaves more or less the same. I haven't checked 3.3
> > yet.
> > 
> > In 3.2 git there is an additional check so LW_ALWAYS_WRITABLE is set
> > only for regular file destinations which fixes the blocking write
> > problem reported on the list a while ago but there is still a warning
> > which could get suppressed. I think pipe should be the preferred
> > driver for anything else than regular files, an extra poll() won't
> > hurt. What do you think about this patch?
> > 
> > --- affile.c    2011-02-13 14:34:38.000000000 +0100
> > +++ affile.c-new        2011-04-08 11:13:52.000000000 +0200
> > @@ -46,6 +46,7 @@
> >  {
> >    cap_t saved_caps;
> >    struct stat st;
> > +  gboolean is_regular;
> > 
> >    if (strstr(name, "../") || strstr(name, "/.."))
> >      {
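Review bot: `is_regular` is added at function scope without an initializer, so it holds an indeterminate value until something assigns it. Either initialize it (`gboolean is_regular = FALSE;`) or declare it inside the block that sets it, so that a later edit reading it on another path cannot pick up garbage.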
> > @@ -75,20 +76,21 @@
> >    *fd = -1;
> >    if (stat(name, &st) >= 0)
> >      {
> > -      if (is_pipe && !S_ISFIFO(st.st_mode))
> > +      is_regular = !!S_ISREG(st.st_mode);
> > +      if (!is_pipe && !is_regular)
> >          {
> > -          msg_warning("WARNING: you are using the pipe driver,
> > underlying file is not a FIFO, it should be used by file()",
> > +          msg_warning("WARNING: you are using the file driver,
> > underlying file is not a regular file, it should be used by pipe
> ()",
> >                      evt_tag_str("filename", name),
> >                      NULL);
> >          }
> > -      else if (!is_pipe && S_ISFIFO(st.st_mode))
> > +      else if (is_pipe && is_regular)
> >          {
> > -          msg_warning("WARNING: you are using the file driver,
> > underlying file is a FIFO, it should be used by pipe()",
> > +          msg_warning("WARNING: you are using the pipe driver,
> > underlying file is a regular file, it should be used by file()",
> >                        evt_tag_str("filename", name),
> >                        NULL);
> >          }
> >        if (regular)
> > -        *regular = !!S_ISREG(st.st_mode);
> > +        *regular = is_regular;
> >      }
> >    else if (regular)
> >      *regular = TRUE;
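Review bot: the file type is still taken from `stat(name, &st)` on the path, immediately after `*fd = -1`, so both the warning and the value stored in `*regular` describe whatever the name resolved to at that moment rather than a descriptor that is already open; moving the check to fstat() on the opened descriptor would tie the decision to the object actually read. Separately, the first branch `!is_pipe && !is_regular` now advises pipe() for every non-regular type, which also covers directories and sockets; consider limiting that advice to FIFOs and character devices or rewording the message.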
> > 
> > Regards,
> > 
> > Sandor
> > 
> 
> The intent has always been to use pipe() for named pipes, and file() for
> everything else.
> 
> I'm now thinking about introducing a device() destination/source which
> would be equivalent to file(), but follow_freq() would not be allowed.
> 
> What do you think?
> 
Sorry if I'm missing something, but do we really need a separate driver 
that is almost entirely the same as another one?

Robi

> -- 
> Bazsi
> 
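The rule discussed in this thread (treat only regular files as always readable, poll() everything else) can be decided from the opened descriptor instead of the path. The following is an added example, not syslog-ng code and not part of the original message; `src_kind`, `classify_fd`, `must_poll` and `open_source` are hypothetical names, and rejecting directories, sockets and block devices is an assumption of the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical result type, not a syslog-ng structure. */
enum src_kind { SRC_REGULAR, SRC_FIFO, SRC_DEVICE, SRC_UNSUPPORTED };

/* Classify an already-open descriptor. Using fstat() on the fd rather
 * than stat() on the path means the answer describes the object that
 * will actually be read, even if the path is replaced afterwards. */
enum src_kind classify_fd(int fd)
{
  struct stat st;

  if (fstat(fd, &st) < 0)
    return SRC_UNSUPPORTED;
  if (S_ISREG(st.st_mode))
    return SRC_REGULAR;
  if (S_ISFIFO(st.st_mode))
    return SRC_FIFO;
  if (S_ISCHR(st.st_mode))
    return SRC_DEVICE;
  return SRC_UNSUPPORTED;       /* directories, sockets, block devices */
}

/* Only a regular file may be assumed readable at any time; FIFOs and
 * character devices such as /dev/klog have to be waited on with poll(). */
int must_poll(enum src_kind kind)
{
  return kind == SRC_FIFO || kind == SRC_DEVICE;
}

/* Open a log source by name. Returns the fd, or -1 with errno set. */
int open_source(const char *name, enum src_kind *kind)
{
  int fd;

  if (strstr(name, "../") || strstr(name, "/.."))  /* same test as the patch context */
    { errno = EINVAL; return -1; }
  fd = open(name, O_RDONLY | O_NONBLOCK | O_NOCTTY); /* do not block on a FIFO */
  if (fd < 0)
    return -1;
  *kind = classify_fd(fd);
  if (*kind == SRC_UNSUPPORTED)
    { close(fd); errno = EINVAL; fd = -1; }
  return fd;
}
```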