[syslog-ng] Output to file in /proc

Valentijn Sessink valentyn at blub.net
Thu Feb 17 16:02:07 CET 2011


Hello list,

As most of the functionality of "sshguard", "fail2ban" and others is in
syslog-ng, I'm trying to use syslog-ng to add entries to my Linux kernel
based firewall (iptables).

I'm almost ready to implement one, but I have a question about
undeliverable log lines: what happens if a certain file() destination
blocks? Will syslog-ng retry to deliver the same message, or will it
lose the message?

What I'm doing is using the "ipt_recent" module; with this module, one
can check if a certain IP address was seen before. For example, the
following rule will block you if you were seen 5 or more times
("hitcount 5") in the "violators" list in the last minute ("seconds 60"):

iptables -A INPUT -m recent \
    --rcheck --hitcount 5 --seconds 60 --name violators -j DROP

The fun part is that you can add IP addresses by stuffing them into a
file in /proc:
echo '+127.0.0.1' > /proc/net/xt_recent/violators
... will add 127.0.0.1 to the "violators" with the current time.

However:
echo 'whatever' > /proc/net/xt_recent/violators
... gives an error: Invalid argument (22)

As far as I can see, syslog-ng will not try again to deliver the same
message; but is this by design? I.e. can I trust syslog-ng to not
"block" because of a single malformed IP address?

Because then, an implementation of sshguard could be simply swapped with
a simple:

destination df_ipt_recent {
    file("/proc/net/xt_recent/blocker" template("+${usracct.device}\n"));
};
filter f_ipt_recent {
    tags("secevt") and match("REJECT" value("secevt.verdict"));
};
log {
    source(s_all);
    parser(pattern_db);
    filter(f_ipt_recent);
    destination(df_ipt_recent);
};

... which would be cool!

Best regards,

Valentijn
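The behaviour the post relies on (what the xt_recent proc file accepts, and how --rcheck --hitcount --seconds decides a match) can be checked without root or a kernel module by modelling it. The following Python module is an added example, not code from the post's author or from the syslog-ng or iptables projects. It emulates the write syntax documented in iptables-extensions(8) for the recent match ("+addr" adds, "-addr" removes, "/" flushes, anything else is rejected with EINVAL) and the hit-count window of --rcheck, and it adds the guard a practitioner would want in front of a destination like the one above: a function that turns a parsed field into a "+addr" line only when the field really is an IP address, so a malformed value never reaches /proc. The class and function names, the list name and the sample addresses (192.0.2.x, from the documentation range) are all constructed for the example.

```python
"""Model of the xt_recent list behind /proc/net/xt_recent/NAME (added example)."""
import errno
import ipaddress
from collections import deque


class XtRecentList:
    """Emulates one xt_recent list: addresses with a bounded history of timestamps."""

    def __init__(self, max_stamps=20):
        # The kernel keeps at most ip_pkt_list_tot (default 20) timestamps per address.
        self.entries = {}          # address -> deque of seen-times (seconds)
        self.max_stamps = max_stamps

    def write(self, line, now):
        """Emulate a write to the proc file at time `now`.

        Accepted forms: '+addr' (add/refresh), '-addr' (remove), '/' (flush).
        Anything else raises OSError(EINVAL), like the kernel does.
        """
        text = line.strip()
        if text == "/":
            self.entries.clear()
            return
        if not text or text[0] not in "+-":
            raise OSError(errno.EINVAL, 'Need "+ip", "-ip" or "/"')
        try:
            addr = str(ipaddress.ip_address(text[1:]))
        except ValueError:
            raise OSError(errno.EINVAL, "not an IP address: %r" % text[1:])
        if text[0] == "-":
            self.entries.pop(addr, None)
        else:
            stamps = self.entries.setdefault(addr, deque(maxlen=self.max_stamps))
            stamps.append(now)

    def rcheck(self, addr, now, hitcount=0, seconds=0):
        """Model of '-m recent --rcheck --hitcount N --seconds S' evaluated at `now`.

        Matches when the address is listed and at least `hitcount` of its
        timestamps fall inside the last `seconds` (seconds=0 means no window).
        --rcheck does not add or refresh a timestamp.
        """
        stamps = self.entries.get(str(ipaddress.ip_address(addr)))
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if seconds == 0 or now - t <= seconds)
        return hits >= hitcount


def to_proc_line(value):
    """Guard for a syslog-ng style template: return '+addr\\n' for a valid IP, else None.

    Placing this check before the destination means a malformed field is dropped
    instead of producing an EINVAL write on the proc file.
    """
    try:
        return "+%s\n" % ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def simulate_violators(writes, check_at):
    """Feed (time, field) pairs through the guard into a list; return the --rcheck verdict.

    The rule being modelled is the one from the post:
    --rcheck --hitcount 5 --seconds 60 --name violators -j DROP
    """
    violators = XtRecentList()
    for when, field in writes:
        line = to_proc_line(field)
        if line is not None:          # invalid fields never reach the proc file
            violators.write(line, when)
    return violators.rcheck("192.0.2.10", check_at, hitcount=5, seconds=60)


if __name__ == "__main__":
    # Constructed sample: five sightings of one address within a minute, plus junk.
    sample = [(1000, "192.0.2.10"), (1010, "192.0.2.10"), (1020, "whatever"),
              (1020, "192.0.2.10"), (1030, "192.0.2.10"), (1040, "192.0.2.10")]
    print("blocked at t=1045:", simulate_violators(sample, 1045))
    print("blocked at t=1070:", simulate_violators(sample, 1070))
```

Running the module shows the address matching the DROP rule at t=1045 (five hits inside the 60-second window) and no longer matching at t=1070, when only four timestamps remain inside the window; the "whatever" field is filtered out by to_proc_line before it could cause the EINVAL the post observed.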
