[syslog-ng] patterndb and intrusion prevention

Matt Zagrabelny mzagrabe at d.umn.edu
Tue Aug 27 16:30:49 CEST 2013


Hi Valentijn,

Comments inline.

On Tue, Aug 27, 2013 at 8:37 AM, Valentijn Sessink <valentyn at blub.net> wrote:
> Hi Matti,
>
> I'm having problems as well with my own setup, since migrating to
> syslog-ng 3.3.4. I only just found out (see my other message from
> today). I'm getting "I/O error occurred while writing; fd='24',
> error='Illegal seek (29)'" all over the place. I am guessing (from
> reading the source, but still, guessing, as I did not really trace
> calls), that somewhere, an open(O_APPEND) changed to the current lseek()
> behaviour.
>
> And, from what I tried, using lseek() on a /proc file does not seem to work.
>
> So there: my own setup doesn't work.

Interesting. I am running 3.3.9-1 from Debian/Sid.

I did some looking at the logs after I sent my original message and found these:

Error opening file for writing; filename='/proc/net/xt_recent/syslogblock', error='No such file or directory (2)'

Unfortunately my "free" time has been scooped up by other projects and
I haven't gotten back to this one.


> I worked around it by using
> destination d_syslogblock {
>     program("/bin/cat > /proc/net/xt_recent/syslogblock"
>             template("+${usracct.device}\n"));
> };
>
> which somewhat works. It seems to do some buffering so it is not quite fast.
>
> I'm hoping to get this resolved in a better way though, because calling
> external programs (even if they're "cat") is what I was trying to avoid...
>
> I hope this helps you. Did you find a way out?

Not yet. :/

Cheers,

-mz
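Added example (not from either poster, and not part of syslog-ng): a small POSIX sh helper that can stand in for the "/bin/cat > /proc/net/xt_recent/syslogblock" command in the program() destination quoted above. It reads one xt_recent command per line from stdin and writes each line through its own open/write/close, so no lseek() is ever issued on the /proc file, and it discards lines that are not one of the forms the xt_recent interface documents (+addr, -addr, a bare addr, or "/" to flush). The script name xt_recent_feed and the list path /proc/net/xt_recent/syslogblock are the page's; everything else is assumed for illustration.

```shell
#!/bin/sh
# xt_recent_feed: read xt_recent commands from stdin, write each one
# to the list given as $1 with a fresh open per line (no seeking).
# Usage from syslog-ng: program("/usr/local/sbin/xt_recent_feed /proc/net/xt_recent/syslogblock" ...)
# (path and wiring are an assumption; adjust to your layout)

# Accept only what xt_recent understands: "/" (flush the list),
# "+addr" (add), "-addr" (remove) or a bare address (add).
# Returns 0 if the line is acceptable, 1 otherwise.
xt_recent_valid() {
    case "$1" in
        /)      return 0 ;;
        +*|-*)  addr=${1#?} ;;
        *)      addr=$1 ;;
    esac
    # Cheap sanity check: only characters that can occur in an
    # IPv4 or IPv6 address literal. Anything else is rejected.
    case "$addr" in
        ''|*[!0-9a-fA-F.:]*) return 1 ;;
        *)                   return 0 ;;
    esac
}

# Feed stdin to the list at $1. The ">" redirection opens the target
# O_WRONLY, writes the line and closes it again, which is exactly the
# sequence the kernel's proc handler expects; nothing ever calls lseek().
# Malformed lines are reported on stderr and skipped.
xt_recent_feed() {
    list=$1
    while IFS= read -r line; do
        if xt_recent_valid "$line"; then
            printf '%s\n' "$line" > "$list" || return 1
        else
            printf 'xt_recent_feed: ignoring malformed entry: %s\n' "$line" >&2
        fi
    done
}
```

Because the loop performs one write per line as soon as read returns, there is no output buffering beyond what syslog-ng itself does before handing the line to the program; the writer of the thread's cat-based workaround would still want to check syslog-ng's own flush settings on the destination. Run against a regular file instead of /proc to try it out without root.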

