[syslog-ng] "Illegal seek" with file("/proc/net/xt_recent/violators")

Valentijn Sessink valentyn at blub.net
Tue Aug 27 13:27:35 CEST 2013


Hello list,

I'm replying to a 2-year-old issue - now it has become a problem :-S

I'm using syslog-ng to file() messages into 
/proc/net/xt_recent/violators. This used to work well in version 
3.1.2-1~lucid1 (Ubuntu 10.04), but now, in 3.3.4.dfsg-2ubuntu1 (Ubuntu 
12.04), I get:

Aug 27 13:01:55 duikboot syslog-ng[13037]: I/O error occurred while writing; fd='23', error='Illegal seek (29)'
Aug 27 13:01:55 duikboot syslog-ng[13037]: Suspending write operation because of an I/O error; fd='23', time_reopen='60'

This is probably because the /proc/net/xt_recent/somefile isn't a real file.

However, I can't find what to do about this. Is there a special setup 
that makes it possible to use file() for files in /proc?

Background:
We use syslog-ng to protect our servers, with the following setup:
iptables -A INPUT -m recent \
       --rcheck --hitcount 5 --seconds 60 --name violators -j DROP

You can add IP addresses by stuffing them into a file in /proc:
echo '+127.0.0.1' > /proc/net/xt_recent/violators
... will add 127.0.0.1 to the "violators" with the current time.

Syslog-ng does this for me, based on the following configuration options:

destination df_ipt_recent {
    file("/proc/net/xt_recent/violators" template("+${usracct.device}\n"));
};
filter f_ipt_recent {
    tags("secevt") and match("REJECT" value("secevt.verdict"));
};
log {
    source(s_all); parser(pattern_db);
    filter(f_ipt_recent); destination(df_ipt_recent);
};

As said, this issue has been discussed before, in a somewhat different 
form; the problem back then wasn't the seek() error. See my message on 
this mailing list on 17-02-11 16:02.

Best regards,

Valentijn
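
The `echo '+127.0.0.1'` interface described in the message, as an added shell example that is not part of the original post or of syslog-ng: it accepts only plain IPv4 addresses before writing each one as a `+addr` entry, so log-derived text cannot carry the list's `-addr` (remove) or `/` (flush) commands. The function names, the `XT_LIST` variable and the `--run` switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: feed validated IPv4 addresses to an xt_recent list.
# XT_LIST defaults to the list named on this page; override it to test offline.
XT_LIST="${XT_LIST:-/proc/net/xt_recent/violators}"

# Return 0 only for a dotted quad with four octets in 0..255, no leading zeros.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read one address per line from stdin and write each valid one as its own
# "+addr" line, the form the echo command on this page uses. Each entry is a
# separate open/write/close. Prints the number of entries written.
xt_recent_add() {
    added=0
    while IFS= read -r addr; do
        if valid_ipv4 "$addr"; then
            printf '+%s\n' "$addr" > "$XT_LIST" || return 1
            added=$((added + 1))
        else
            printf 'rejected one non-address line\n' >&2
        fi
    done
    printf '%s\n' "$added"
}

# Run as a filter only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then xt_recent_add; fi
```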

