On Fri, Jul 16, 2010 at 08:51:29PM +0200, Lukas Baxa wrote:
> Hi,

Hi,

> I should also apologize for the delay, I was on holidays. :p!
>
> 4)
> However, I have one more question. Michael wrote:
> > Indeed, this is the most important factor. Lukas, have you set
> > ENABLE_SYSLOG_FILE to "N"? I would recommend against this as it
> > really isn't necessary per the above. Just point the IPT_SYSLOG_FILE
> > variable to whatever file your rsyslog daemon writes iptables log
> > messages to.
>
> I haven't set ENABLE_SYSLOG_FILE to "N", it was set to "N" after
> installation by default. Franck explained that from version 2.1.3
> kmsgsd isn't needed by default, because the default behaviour
> is to parse messages directly from IPT_SYSLOG_FILE (/var/log/messages
> by default). However, this isn't the case of my psad, even if I'm
> using the version 2.1.3-1.1 (the original version from the lenny stable
> release) and I haven't changed the default behaviour of psad.

As a matter of fact I just unpacked 2.1.3-1.1, and looking at the psad.conf
shipped, ENABLE_SYSLOG_FILE is set to Y. I think the change may be due to the
upgrade of the package when the user is asked what to do when there are
differences between the maintainer and user files. I do not see any reason for
your settings.

But now (psad 2.1.6), you can avoid this problem with the new override-config
command line argument.

> Both the init script and the man page psad(8) instructed me that
> I should configure my syslog-type daemon to write all kern.info
> messages to /var/lib/psad/psadfifo named pipe. The daemon kmsgsd
> then filtered these messages and sent all iptables messages
> to the file /var/log/psad/fwdata. I checked this behaviour
> and it was really like this, as also described in the man page
> psad(8).

You are right, this is still mentioned in the manpage. It looks like this
should be removed, or at least updated to match the current behaviour of psad.

> Do you have any idea why this behaviour differs from the behaviour
> described by Franck? As I already said, I'm using the version 2.1.3-1.1
> and I haven't changed the default of ENABLE_SYSLOG_FILE in psad.conf,
> which is "N" by default.

As I said above, I think the problem occurred during the upgrade of the
package. I do not see any other reason :(

> I installed psad a few months ago without using it and I don't know
> if there was any upgrade of psad since that time. Maybe there was
> some upgrade, but the old config file was used. Do you think this
> is possible? I'm not sure. But even my current man page psad(8)
> and the init script /etc/init.d/psad in psad version 2.1.3-1.1
> tell me that I should configure syslog properly (to send all kern.info
> messages to /var/lib/psad/psadfifo named pipe).

I took a look at psad Debian changelog, and I noticed there were two releases
of psad in June 2008. I do not have more clues about what was going on.

Regards,

--
Franck Joncourt
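As an added example (not code from the psad project or from anyone in this thread), a small POSIX shell script that reads a psad.conf in its "KEY value;" form, reports whether psad will parse IPT_SYSLOG_FILE itself or rely on the kmsgsd/psadfifo path, and counts the iptables lines actually present in that file. All paths, hostnames and addresses in the sample data are constructed.

```shell
#!/bin/sh
# Added example, not code from psad or the thread: report which log-input
# mode a psad.conf selects and whether the file IPT_SYSLOG_FILE points to
# really receives iptables log lines. psad.conf uses "KEY   value;" lines.

psad_conf_get() {                       # usage: psad_conf_get CONF KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# "syslog_file": psad parses IPT_SYSLOG_FILE itself (ENABLE_SYSLOG_FILE Y).
# "kmsgsd": the older psadfifo -> kmsgsd -> /var/log/psad/fwdata path.
psad_log_mode() {
    case "$(psad_conf_get "$1" ENABLE_SYSLOG_FILE)" in
        Y|y) echo syslog_file ;;
        *)   echo kmsgsd ;;
    esac
}

# Count iptables log lines (they carry IN= and OUT= fields) in the file the
# config points at; 0 means rsyslog is not delivering them where psad looks.
count_ipt_lines() {
    log=$(psad_conf_get "$1" IPT_SYSLOG_FILE)
    [ -r "$log" ] || { echo 0; return; }
    grep -c 'IN=.*OUT=' "$log" || true
}

# --- constructed sample data (hypothetical paths, host and addresses) ---
tmpdir=$(mktemp -d)
SAMPLE_LOG="$tmpdir/messages"
printf '%s\n' \
 'Jul 16 20:51:29 lenny kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=22' \
 'Jul 16 20:51:30 lenny kernel: usb 1-1: new device found' \
 'Jul 16 20:51:31 lenny kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=23' \
 > "$SAMPLE_LOG"

CONF_Y="$tmpdir/psad.conf.y"            # shipped default: parse the syslog file
printf 'ENABLE_SYSLOG_FILE     Y;\nIPT_SYSLOG_FILE        %s;\n' "$SAMPLE_LOG" > "$CONF_Y"
CONF_N="$tmpdir/psad.conf.n"            # the setting the thread ended up with
printf 'ENABLE_SYSLOG_FILE     N;\nIPT_SYSLOG_FILE        %s;\n' "$SAMPLE_LOG" > "$CONF_N"

echo "mode=$(psad_log_mode "$CONF_Y") iptables_lines=$(count_ipt_lines "$CONF_Y")"
echo "mode=$(psad_log_mode "$CONF_N")"
```

Run it against the real /etc/psad/psad.conf to see at a glance whether a dpkg conffile prompt left ENABLE_SYSLOG_FILE at N and whether the syslog file it names is being written.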

