[syslog-ng] syslog-ng inside LXC guest receives kernel messages from host

Scheidler, Balázs balazs.scheidler at balabit.com
Wed Jan 3 07:29:28 UTC 2018


Iptables by default submits kernel logs via printk() and I am not sure that
is namespace aware, I am assuming that it's not.

You are probably receiving these messages via the system source, which
opens /proc/kmsg (or /dev/kmsg).

Here's a related article:

https://github.com/lxc/lxd/issues/1397

For now the best course of action is to disable kernel logs in the guest
and rely on the host to collect them.

On Jan 3, 2018 05:26, <webman at manfbraun.de> wrote:

> Hello!
>
> It's the first time that I use syslog-ng (although the
> plan is old - due to the ability to use rabbitmq ...).
>
> The host (which is a VM too - do not know exactly which type)
> has the normal rsyslog installed (was "shipped" with it
> and not directly of my interest - so I kept it).
>
> What I am getting from the host are kernel messages
> generated from iptables logging - I know the log prefix.
> The guest has just now no iptables rules at all, but
> a running ulog2, which (no iptables rules at the
> moment) just runs, but has nothing to log and messages
> continue to arrive, after I've stopped it. I had
> a reboot in between, just to be sure, iptables has
> not something in its memory.
>
> There is a bridge to the host and the outside. While
> the iptables rules were active, I blocked port 514,
> but this does not change anything. As told, the messages
> now continue, even iptables has no active rules.
> A tcpdump inside the lxc guest does not show packages
> on port 514. BTW, the messages are logged with the
> hostname of the guest.
>
> syslog-ng uses the standards for its input (system, internal).
>
> Probably someone could shed some light on it. It is
> nothing more worrying than messages from unknown
> source!
>
> Thanks anyway and best regards,
> Manfred
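
Added example, not part of the original thread and not syslog-ng project code: a small Python audit that lists which sources in a guest's syslog-ng configuration read the kernel log, based on the reply's statement that the system source opens /proc/kmsg (or /dev/kmsg). The function names and the sample configuration are constructed for illustration.

```python
import re

KMSG_PATHS = ("/proc/kmsg", "/dev/kmsg")  # kernel log devices named in the reply

def strip_comments(conf: str) -> str:
    """Drop '#' comments, leaving '#' inside double-quoted strings alone."""
    out = []
    for line in conf.splitlines():
        in_str, kept = False, []
        for ch in line:
            if ch == '"':
                in_str = not in_str
            if ch == "#" and not in_str:
                break
            kept.append(ch)
        out.append("".join(kept))
    return "\n".join(out)

def kernel_log_sources(conf: str) -> dict:
    """Map each source name to the drivers in it that read kernel messages."""
    text = strip_comments(conf)
    findings = {}
    for m in re.finditer(r"\bsource\s+([\w.-]+)\s*\{", text):
        # Walk to the matching closing brace of this source block.
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        body = text[m.end():i - 1]
        hits = []
        if re.search(r"\bsystem\s*\(", body):
            hits.append("system()")
        for path in KMSG_PATHS:
            if re.search(r'\bfile\s*\(\s*"?' + re.escape(path) + r'\b', body):
                hits.append(f'file("{path}")')
        if hits:
            findings[m.group(1)] = hits
    return findings

# Constructed sample configuration for an LXC guest (not from the thread).
SAMPLE_CONF = '''
source s_sys { system(); internal(); };
source s_net { network(transport("tcp") port(514)); };   # no kernel input
source s_kern { file("/proc/kmsg" program-override("kernel")); };
# source s_old { file("/dev/kmsg"); };
'''
if __name__ == "__main__":
    for name, drivers in kernel_log_sources(SAMPLE_CONF).items():
        print(f"{name}: reads kernel messages via {', '.join(drivers)}")
```

Sources it reports are the ones to replace or remove in the guest when kernel logs are left to the host, as the reply recommends.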