[syslog-ng] Output to file in /proc

Balazs Scheidler bazsi at balabit.hu
Wed Feb 23 16:19:50 CET 2011


On Thu, 2011-02-17 at 16:02 +0100, Valentijn Sessink wrote:
> Hello list,
> 
> As most of the functionality of "sshguard", "fail2ban" and others is in
> syslog-ng, I'm trying to use syslog-ng to add entries to my Linux kernel
> based firewall (iptables).
> 
> I'm almost ready to implement one, but I have a question about
> undeliverable log lines: what happens if a certain file() destination
> blocks? Will syslog-ng retry to deliver the same message, or will it
> lose the message?
> 
> What I'm doing is using the "ipt_recent" module; with this module, one
> can check if a certain IP address was seen before. For example, the
> following rule will block you if you were seen 5 or more times
> ("hitcount 5") in the "violators" list last minute ("seconds 60"):
> 
> iptables -A INPUT -m recent \
>     --rcheck --hitcount 5 --seconds 60 --name violators -j DROP
> 
> The fun part is, that you can add IP addresses by stuffing them into a
> file in /proc:
> echo '+127.0.0.1' > /proc/net/xt_recent/violators
> ... will add 127.0.0.1 to the "violators" with the current time.
> 
> However:
> echo 'whatever' > /proc/net/xt_recent/violators
> ... gives an error: Invalid argument (22)
> 
> As far as I can see, syslog-ng will not try again to deliver the same
> message; but is this by design? I.e. can I trust syslog-ng to not
> "block" because of a single malformed IP address?
> 

if a write error occurs, syslog-ng suspends the destination in question for
time_reopen() amount of time, then will try to write it again with the
last unsuccessful write.

which will probably cause the same error message to be returned...

do you perhaps have a suggestion what we should do instead? bear in mind
that we have to handle ENOSPC (=disk full) errors properly.

-- 
Bazsi
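The exchange above hinges on one point: xt_recent answers EINVAL to a malformed entry, and a retry-after-time_reopen() destination would then resubmit the same bad line forever. The following is an added example, not syslog-ng code or anything from the thread: it validates the address before it is written in the `echo '+ip' > /proc/net/xt_recent/violators` form, and it keeps EINVAL (drop the entry) apart from errors such as ENOSPC (keep it for retry). The log-line shape, sample lines and function names are assumptions.

```python
# Added example (not syslog-ng code): validate log-derived addresses before
# they reach /proc/net/xt_recent/<list>, and drop on EINVAL instead of retrying.
import errno
import ipaddress
import re

# Assumed line shape: the address follows "from" or "rhost=" (constructed).
_IP_RE = re.compile(r"(?:from|rhost=)\s*(\S+)")
SAMPLE_LINES = [  # constructed sample lines, not captured logs
    "sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2",
    "sshd[1235]: Failed password for root from 2001:db8::9 port 4023 ssh2",
    "sshd[1236]: Failed password for root from not-an-ip port 4024 ssh2",
]

def xt_recent_entry(log_line):
    """Return '+<ip>\\n' for a line carrying a valid IPv4/IPv6 address, else None."""
    m = _IP_RE.search(log_line)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None  # malformed address: xt_recent would answer EINVAL (22)
    return f"+{ip}\n"

def classify_write_error(err):
    """EINVAL means the entry itself is bad: drop it. Anything else (ENOSPC,
    EAGAIN, a missing proc file...) may clear up later: keep it for retry."""
    return "dropped" if err.errno == errno.EINVAL else "retry"

def file_writer(path):
    def write(entry):  # mirrors `echo '+ip' > path`: one open/write per entry
        with open(path, "w") as f:
            f.write(entry)
    return write

def push_entries(log_lines, writer):
    """Feed each valid entry to `writer`; report where every line ended up."""
    result = {"written": [], "dropped": [], "retry": []}
    for line in log_lines:
        entry = xt_recent_entry(line)
        if entry is None:
            result["dropped"].append(line)
            continue
        try:
            writer(entry)
            result["written"].append(entry)
        except OSError as e:
            result[classify_write_error(e)].append(entry)
    return result
```

Run `push_entries(SAMPLE_LINES, file_writer("/proc/net/xt_recent/violators"))` as root on a host with the list loaded; the "retry" bucket is what a time_reopen()-style loop should resubmit, the "dropped" bucket what it should log and forget.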
