[syslog-ng] "Illegal seek" with file("/proc/net/xt_recent/violators")
Valentijn Sessink
valentyn at blub.net
Tue Aug 27 13:27:35 CEST 2013
Hello list,
I'm replying to a 2 year old issue - now it has become a problem :-S
I'm using syslog-ng to file() messages into
/proc/net/xt_recent/violators. This used to work well in version
3.1.2-1~lucid1 (Ubuntu 10.04), but now, in 3.3.4.dfsg-2ubuntu1 (Ubuntu
12.04), I get:
Aug 27 13:01:55 duikboot syslog-ng[13037]: I/O error occurred while writing; fd='23', error='Illegal seek (29)'
Aug 27 13:01:55 duikboot syslog-ng[13037]: Suspending write operation because of an I/O error; fd='23', time_reopen='60'
This is probably because the /proc/net/xt_recent/somefile isn't a real file.
However, I can't find what to do about this. Is there a special setup
that makes it possible to use file() for files in /proc?
Background:
We use syslog-ng to protect our servers, with the following setup:
iptables -A INPUT -m recent \
--rcheck --hitcount 5 --seconds 60 --name violators -j DROP
You can add IP addresses by stuffing them into a file in /proc:
echo '+127.0.0.1' > /proc/net/xt_recent/violators
... will add 127.0.0.1 to the "violators" with the current time.
Syslog-ng does this for me, based on the following configuration options:
destination df_ipt_recent { file ("/proc/net/xt_recent/violators"
template("+${usracct.device}\n") ); };
filter f_ipt_recent { tags("secevt") and match("REJECT"
value("secevt.verdict")); };
log { source (s_all); parser(pattern_db);
filter(f_ipt_recent); destination(df_ipt_recent); };
As said, this issue has been discussed before, in a somewhat different
form; the problem back then wasn't the seek() error. See my message on
this mailing list on 17-02-11 16:02.
Best regards,
Valentijn
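
An added example (not part of the original message and not syslog-ng code): a small shell filter that checks each candidate address before writing '+addr' to the xt_recent list with a plain open-and-write, the same way the echo command in the message does. The value written to the list is parsed out of log messages, so the example validates it and skips an allowlist first; the NEVER_BLOCK allowlist, the function names and the --stdin switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.
XT_LIST="${XT_LIST:-/proc/net/xt_recent/violators}"   # list named in the post
NEVER_BLOCK="${NEVER_BLOCK:-127.0.0.1}"               # assumed allowlist, space-separated

# Succeed only for a dotted-quad IPv4 address, octets 0..255, no leading zeros.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Returns 0 if written, 1 if rejected (malformed or allowlisted), 2 if the write failed.
block_ip() {
    is_ipv4 "$1" || return 1
    for keep in $NEVER_BLOCK; do
        if [ "$1" = "$keep" ]; then return 1; fi
    done
    # A single open and write with no seek, like: echo '+addr' > list
    printf '+%s\n' "$1" > "$XT_LIST" || return 2
}

# Read one candidate address per line and report anything that was not added.
block_from_stdin() {
    while IFS= read -r addr; do
        block_ip "$addr" || echo "not added: $addr" >&2
    done
}

# Run as a filter only when asked to, so sourcing the file has no side effects.
if [ "${1:-}" = "--stdin" ]; then block_from_stdin; fi
```

Rejected lines are reported on stderr, so malformed or allowlisted values show up in whatever collects the filter's error output instead of reaching the firewall list.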