On 23/07/2010 02:51, Michael Rash wrote:
On Jul 16, 2010, Lukas Baxa wrote:
[...]
There is _some_ support for rsyslogd.  At line 9022 in psad-2.1.7, there
is a check that allows SYSLOG_DAEMON to be set to rsyslogd, and a check
for the config file is enabled based on the ETC_RSYSLOG_CONF variable.
Because syslogd and rsyslogd seem to behave fairly similarly w.r.t. how
named pipes are handled, I think this should be enough.  If not, I'm
willing to test out a patch if one were to appear.  :)

I did tag this bug as *won't fix* last time since I thought adding too much support to rsyslogd is going to be difficult and backward. But, if you think we can consider it fixed with psad 2.1.7, I can tag it as *resolved*. I have upgraded the Debian package in git with the latest release, but have not yet uploaded it since I wanted to check a few other things in the packaging.

4)
However, I have one more question. Michael wrote:
Indeed, this is the most important factor.  Lukas, have you set
ENABLE_SYSLOG_FILE to "N"?  I would recommend against this as it
really isn't necessary per the above.  Just point the IPT_SYSLOG_FILE
variable to whatever file your rsyslog daemon writes iptables log
messages to.

I haven't set ENABLE_SYSLOG_FILE to "N", it was set to "N" after
installation by default.

Did you upgrade from an older version of psad, and did you use the
"install.pl" script from the psad sources to do the upgrade?  If so, then
the "N" setting would have been preserved from the older installation.

I sent a message to Lukas/BTS to explain that I thought it may have been caused by an upgrade of the Debian package. I did not CC you Michael since according to me this is a problem in Debian, and I did not want to bother you too much :p!

[...]
Both the init script and the man page psad(8) instructed me that
I should configure my syslog-type daemon to write all kern.info
messages to /var/lib/psad/psadfifo named pipe. The daemon kmsgsd
then filtered these messages and sent all iptables messages
to the file /var/log/psad/fwdata. I checked this behaviour
and it was really like this, as also described in the man page
psad(8).

Thanks for pointing this out.  I will update the man page.

I wanted to patch the manpage and send it to you afterwards, but you are now aware of it.

Do you have any idea why this behaviour differs from the behaviour
described by Franck? As I already said, I'm using the version 2.1.3-1.1
and I haven't changed the default of ENABLE_SYSLOG_FILE in psad.conf,
which is "N" by default.

I installed psad a few months ago without using it and I don't know
if there was any upgrade of psad since that time. Maybe there was
some upgrade, but the old config file was used. Do you think this
is possible? I'm not sure. But even my current man page psad(8)
and the init script /etc/init.d/psad in psad version 2.1.3-1.1
tell me that I should configure syslog properly (to send all kern.info
messages to /var/lib/psad/psadfifo named pipe).

Yes, I think the upgrade is most likely the reason.

Me too

Regards,
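As an added diagnostic that is not part of this thread or of the psad project: a POSIX shell script that reports which input mode a psad.conf selects (ENABLE_SYSLOG_FILE set to "Y" with IPT_SYSLOG_FILE, versus "N" with the named pipe) and checks whether a syslog/rsyslog configuration actually sends kern.* messages into that pipe, so an upgrade that silently kept the old "N" setting can be spotted. The PSAD_FIFO variable name and all file paths are assumptions.

```shell
#!/bin/sh
# Added example, not psad's own code. Assumes psad.conf uses the
# "VARIABLE  value;" line format and names the pipe in PSAD_FIFO.

psad_conf_value() {
    # $1 = psad.conf path, $2 = variable name; prints the value without ';'
    awk -v key="$2" '$1 == key { sub(/;[[:space:]]*$/, "", $2); print $2; exit }' "$1"
}

psad_log_mode() {
    # Prints "file:<path>" when psad reads a syslog-written file,
    # "fifo:<path>" when kmsgsd reads the named pipe, else "unknown".
    conf="$1"
    case "$(psad_conf_value "$conf" ENABLE_SYSLOG_FILE)" in
        Y|y) printf 'file:%s\n' "$(psad_conf_value "$conf" IPT_SYSLOG_FILE)" ;;
        N|n) printf 'fifo:%s\n' "$(psad_conf_value "$conf" PSAD_FIFO)" ;;
        *)   echo unknown ;;
    esac
}

syslog_feeds_fifo() {
    # $1 = syslog/rsyslog config, $2 = fifo path.
    # Returns 0 if some "kern.<level>  |<fifo>" rule exists (legacy syntax).
    awk -v fifo="$2" '$1 ~ /^kern\./ && $2 == "|" fifo { found = 1 }
                      END { exit !found }' "$1"
}

report_psad_input() {
    # $1 = psad.conf, $2 = syslog config. Explains the mismatch the thread
    # describes: "N" kept after an upgrade but no syslog rule feeding the pipe.
    mode=$(psad_log_mode "$1")
    case "$mode" in
        fifo:*)
            fifo=${mode#fifo:}
            if syslog_feeds_fifo "$2" "$fifo"; then
                echo "OK: syslog writes kern.* into $fifo for kmsgsd"
            else
                echo "WARNING: ENABLE_SYSLOG_FILE is N but $2 never writes to $fifo"
                echo "         either add a kern.info |$fifo rule or set ENABLE_SYSLOG_FILE Y"
            fi ;;
        file:*) echo "OK: psad parses ${mode#file:} directly (ENABLE_SYSLOG_FILE Y)" ;;
        *)      echo "WARNING: ENABLE_SYSLOG_FILE not found in $1" ;;
    esac
}

if [ $# -eq 2 ]; then
    report_psad_input "$1" "$2"   # e.g. /etc/psad/psad.conf /etc/rsyslog.conf
fi
```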


