[syslog-ng] [RFC]: syslog-ng and UNIX credentials

Gergely Nagy algernon at balabit.hu
Tue Dec 10 16:15:21 CET 2013


We had a short chat with Bazsi earlier today, and he's working on a
feature that will allow syslog-ng to pick out UNIX credentials passed
through unix sockets (such as /dev/log). This means that we receive the
PID, the UID and the GID of the sending program, and can opt to store it
someplace. So far, syslog-ng was not doing that, but with the new
feature, it becomes possible to store these.

The idea at the moment is to have a flag for unix-* sources that
enables collecting these credentials. If turned off (the default, unless
using system(), which would turn it on for /dev/log), nothing changes.
If turned on, it would replace the $PID sent over the socket with the
one extracted from credentials. It would also add the "${.unix.GID}" and
"${.unix.UID}" properties to the log message, along with "${.unix.EXE}"
on platforms that support looking up the executable (Linux, for now).

We'd like to invite the broader community to share your feelings about
this feature, the naming of the properties and how you would like it to
work, if you're interested in making use of this functionality.
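
The mechanism described above, as an added example that is not part of the original post and not syslog-ng code: on Linux, a receiver that sets SO_PASSCRED on a unix datagram socket gets a kernel-filled SCM_CREDENTIALS record with every message, so the PID the sender writes into the log line can be replaced with the one the kernel reports. The socketpair standing in for /dev/log, the sample log line and the `claimed_pid` key are assumptions made for the illustration.

```python
import os
import re
import socket
import struct

UCRED = "iII"  # Linux struct ucred: pid_t pid, uid_t uid, gid_t gid


def receive_with_credentials(rx):
    """Read one datagram and the SCM_CREDENTIALS record the kernel attached."""
    size = struct.calcsize(UCRED)
    data, ancdata, _flags, _addr = rx.recvmsg(4096, socket.CMSG_SPACE(size))
    creds = None
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            creds = struct.unpack(UCRED, cdata[:size])
    return data.decode("utf-8", "replace"), creds


def annotate(line, creds):
    """Build the name-value pairs from the proposal, preferring kernel data."""
    match = re.search(r"\[(\d+)\]:", line)
    # claimed_pid is a hypothetical key: the PID the sender wrote in the text.
    fields = {"claimed_pid": int(match.group(1)) if match else None}
    if creds is None:
        return fields  # credentials not passed; nothing to override
    pid, uid, gid = creds
    fields.update({"PID": str(pid), ".unix.UID": str(uid), ".unix.GID": str(gid)})
    try:
        fields[".unix.EXE"] = os.readlink(f"/proc/{pid}/exe")
    except OSError:
        pass  # sender already exited, or /proc is not available
    return fields


def demo():
    # A socketpair stands in for a sender connected to /dev/log.
    rx, tx = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    with rx, tx:
        rx.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        # Constructed sample line: the sender claims to be sshd with PID 1.
        tx.send(b"<38>Dec 10 16:15:21 sshd[1]: constructed sample line")
        line, creds = receive_with_credentials(rx)
    return annotate(line, creds)


if __name__ == "__main__":
    print(demo())
```

The sender makes no special call here; the credentials come from the kernel because the receiving socket asked for them, which is why they can be trusted over the PID in the message text.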

