Package: psad
Version: 2.1.3-1.1
Even though rsyslog is the default syslog-type logging daemon
under lenny (I'm using Debian version 5.0.4, i.e. the current stable
release of Debian), the psad rsyslogd support is
incomplete. I'm using the default configuration file
/etc/psad/psad.conf contained in the psad package.
1)
The original psad configuration file /etc/psad/psad.conf
contains the SYSLOG_DAEMON variable, which (according to
the description in psad.conf) can have four different
values - syslogd, syslog-ng, ulogd or metalog.
But the value rsyslogd is missing!!! Even though psad
also has rsyslogd support.
The relevant part of the psad.conf file reads as follows:
...
### Set the type of syslog daemon that is used. The SYSLOG_DAEMON
### variable accepts four possible values: syslogd, syslog-ng, ulogd,
### or metalog.
SYSLOG_DAEMON syslogd;
...
However, psad also has rsyslogd support. The psad.conf file
also contains an ETC_RSYSLOG_CONF variable:
...
ETC_RSYSLOG_CONF /etc/rsyslog.conf;
...
More importantly, the /usr/sbin/psad Perl script
uses this variable and also supports rsyslogd. Part of
the contents of /usr/sbin/psad follows:
...
if ($config{'SYSLOG_DAEMON'} eq 'syslogd') {
    $syslog_conf = $config{'ETC_SYSLOG_CONF'};
} elsif ($config{'SYSLOG_DAEMON'} eq 'rsyslogd') {
    $syslog_conf = $config{'ETC_RSYSLOG_CONF'};
}
...
We can see here that SYSLOG_DAEMON rsyslogd is
also supported and that the correct path to its configuration
file is used.
I have confirmed this by running psad from the command line:
> psad
>
Everything was OK. After that, I moved rsyslog.conf so
that psad couldn't find it; psad didn't
start and returned an error:
> mv /etc/rsyslog.conf /etc/rsyslog.conf.saved
> psad
[*] No system logger config file could be found. at /usr/sbin/psad line 8920.
> mv /etc/rsyslog.conf.saved /etc/rsyslog.conf
The code that made psad exit in the previous example
is the following (it is on line 8920 of the psad
Perl script):
...
die '[*] No system logger config file could be found.'
    unless (-e $config{'ETC_SYSLOG_CONF'}
        or -e $config{'ETC_RSYSLOG_CONF'}
        or -e $config{'ETC_SYSLOGNG_CONF'}
        or -e $config{'ETC_METALOG_CONF'});
...
I.e., we can see that psad has rsyslogd support, but it's not
mentioned in the configuration file comment, which is also
the only (or the easiest-to-find) documentation!!! I suggest
adding rsyslogd to the list of supported syslog-type
servers.
2)
If we define the syslog-type server as rsyslogd and move
the /etc/rsyslog.conf file so that it cannot be found,
> mv /etc/rsyslog.conf /etc/syslog.conf
> psad
> mv /etc/syslog.conf /etc/rsyslog.conf
we get an email with the following subject from psad:
[psad-error] /etc/syslog.conf does not exist, check SYSLOG_DAEMON setting
This message doesn't indicate that the rsyslogd syslog daemon
isn't supported, as can be seen in the /usr/sbin/psad
Perl script, but that the email message is incorrect.
You can see that /etc/syslog.conf exists, but
/etc/rsyslog.conf doesn't. Therefore rsyslog.conf
should be given in the email instead of syslog.conf.
This means that the following lines should be changed
in the /usr/sbin/psad script:
...
if ($config{'SYSLOG_DAEMON'} eq 'syslogd') {
    $syslog_conf = $config{'ETC_SYSLOG_CONF'};
} elsif ($config{'SYSLOG_DAEMON'} eq 'rsyslogd') {
    $syslog_conf = $config{'ETC_RSYSLOG_CONF'};
}
if ($syslog_conf) {
    if (-e $syslog_conf) {
        ...
    } else {
        &send_mail("$config{'MAIL_ERROR_PREFIX'} " .
            "$ETC_SYSLOG_CONF does not " .
            "exist, check SYSLOG_DAEMON setting on $config{'HOSTNAME'}",
            '', $config{'EMAIL_ADDRESSES'}, $cmds{'mail'});
    }
...
And in the above lines, we should replace the $ETC_SYSLOG_CONF
variable in the send_mail call with $syslog_conf, i.e.:
...
        &send_mail("$config{'MAIL_ERROR_PREFIX'} " .
            "$syslog_conf does not " .
            "exist, check SYSLOG_DAEMON setting on $config{'HOSTNAME'}",
...
3)
Even though rsyslogd is installed and configured properly according
to psad(8), i.e. /etc/rsyslog.conf contains the line:
...
kern.info |/var/lib/psad/psadfifo
...
psad doesn't start if invoked using the startup script:
> /etc/init.d/psad start
ERR: Syslog has not been configured to send messages to
/var/lib/psad/psadfifo. Please configure it as described in psad(8).
The startup script /etc/init.d/psad should be changed so that it
also supports rsyslogd:
...
start() {
    RUN=0
    for conffile in /etc/syslog.conf /etc/syslog-ng/syslog-ng.conf; do
        if [ -r $conffile ] && [ ! -z "`grep -v ^# $conffile | grep psadfifo`" ]; then
            RUN=1
        fi
    done
    ...
    if [ $RUN -eq 1 ]
    then
        ...
    else
        echo "ERR: Syslog has not been configured to send messages to"
        echo "/var/lib/psad/psadfifo. Please configure it as described in psad(8)."
    fi
}
...
/etc/rsyslog.conf should be added to the third line of the above part:
...
start() {
    RUN=0
    for conffile in /etc/syslog.conf /etc/rsyslog.conf \
                    /etc/syslog-ng/syslog-ng.conf; do
...
This change adds rsyslog support to the /etc/init.d/psad script,
but maybe support for some more syslog-type logging daemons is needed.
Lukas
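The startup check from section 3, written out as a stand-alone shell function (an added example, not psad's own init script): it scans a list of logger config files for a non-comment line that references the psad FIFO, with /etc/rsyslog.conf included in the default list as proposed above. The function names, the demo, and the constructed config files are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not psad's own code: the readiness check that
# /etc/init.d/psad performs, with /etc/rsyslog.conf included as the
# report proposes. The function takes the candidate files as arguments
# so it can be run against constructed files instead of /etc.

PSAD_FIFO=/var/lib/psad/psadfifo

# psad_logger_configured FILE...
# Returns 0 if any readable FILE has a non-comment line referring to the
# psad FIFO, 1 otherwise. Lines whose first non-blank character is '#'
# are ignored (a slight extension of the init script's "grep -v ^#").
psad_logger_configured() {
    for conffile in "$@"; do
        [ -r "$conffile" ] || continue          # missing/unreadable: skip
        if grep -v '^[[:space:]]*#' "$conffile" | grep -q "$PSAD_FIFO"; then
            return 0
        fi
    done
    return 1
}

# The candidate list from the init script plus /etc/rsyslog.conf.
psad_check_system() {
    psad_logger_configured /etc/syslog.conf /etc/rsyslog.conf \
        /etc/syslog-ng/syslog-ng.conf
}

# Stand-alone demonstration on constructed files (not real system configs):
# syslog.conf has the psad line commented out, rsyslog.conf has it active.
demo() {
    tmp=$(mktemp -d) || exit 1
    printf '# kern.info |%s\n' "$PSAD_FIFO" > "$tmp/syslog.conf"
    printf 'kern.info |%s\n' "$PSAD_FIFO" > "$tmp/rsyslog.conf"
    if psad_logger_configured "$tmp/syslog.conf"; then
        echo "unexpected: commented-out line counted as configured"
    fi
    if psad_logger_configured "$tmp/syslog.conf" "$tmp/rsyslog.conf"; then
        echo "psad FIFO is configured in rsyslog.conf, psad may start"
    else
        echo "ERR: Syslog has not been configured to send messages to $PSAD_FIFO"
    fi
    rm -rf "$tmp"
}

demo
```

Running psad_check_system on a real host gives the same verdict the patched init script would reach before deciding whether to start psad.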