Hello,
A colleague just finished migrating the last bits from our centralized
syslog-ng log server to our new rsyslog server.
In one case (actually a relatively important one, which has turned into
a big problem), we were using the syslog-ng program() log destination.
The syslog-ng docs describe it thusly:
"This driver executes the specified program with the specified arguments
and sends messages to the standard input (stdin) of the child. The
program() driver has a single required parameter, specifying a program
name to start. The program is executed with the help of the current
shell, so the command may include both file patterns and I/O
redirection, they will be processed. [...] Version 1.6 of syslog-ng
executed the program once at startup, and kept it running until SIGHUP
or exit. The reason was to prevent starting up a large number of
programs for messages, which would have enabled an easy DoS attack.
Versions 2.0 and later restart the program if it exits for reliability
reasons. However it is not recommended to launch programs for single
messages as that might easily cause a DoS for the system."
Attention is drawn to the last few sentences. syslog-ng passes all
matching log lines to STDIN of the program, and *leaves* the program
running indefinitely (well, until syslog-ng gets a HUP or exits). It
also restarts the child if it has died.
$coworker translated this to a "^" action in rsyslog - the implications
of this are pretty obvious, and even more troublesome if you know that
the program being executed is a PHP script which does a whole bunch of
string parsing and then sends the result to an MS SQL database.
So... I haven't found anything in the docs, but I just wanted to confirm
that rsyslog doesn't have an action or output module that replicates
this functionality. Assuming that is the case (no directly comparable
feature), what are your suggestions for an interim fix (our MS SQL DBA
is on vacation for a week, so I need to hold off on doing
omlibdbi/Ms-Sql until he gets back)? Try to get the PHP script running
as a daemon, log to named pipe, have script read named pipe?
Thanks for any advice/suggestions,
Jason
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
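
The interim idea at the end of the message (one long-running consumer reading a named pipe, instead of one process per message via "^") could look like the sketch below. It is an added example, not part of the original post or of rsyslog; Python stands in for the PHP script, and the function names, the FIFO file name, the sample lines and the `max_messages` parameter are assumptions made for the demonstration.

```python
import os
import tempfile
import threading

def consume_fifo(path, handle, max_messages=None):
    """Long-lived FIFO reader; returns messages handled (max_messages bounds the demo)."""
    # Open without waiting for a writer, then hold our own write end open so
    # writers can come and go (daemon restart, HUP) without the reader seeing EOF.
    rfd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    keepalive = os.open(path, os.O_WRONLY)
    os.set_blocking(rfd, True)
    handled = 0
    try:
        with os.fdopen(rfd, "r", encoding="utf-8", errors="replace") as fifo:
            for line in fifo:
                line = line.rstrip("\n")
                if not line:
                    continue
                try:
                    handle(line)
                except Exception as exc:  # one bad message must not kill the reader
                    print(f"dropped message: {exc!r}")
                    continue
                handled += 1
                if max_messages is not None and handled >= max_messages:
                    break
    finally:
        os.close(keepalive)
    return handled

def demo():
    """Constructed sample lines; two writer sessions stand in for a daemon restart."""
    rows = []
    def handle(line):
        tag, sep, msg = line.partition(": ")
        if not sep:
            raise ValueError("no tag separator")
        rows.append((tag, msg))  # a real handler would parse and insert into the DB
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.fifo")
        os.mkfifo(path, 0o600)  # owner-only: other local users cannot inject or read
        def writer():
            for batch in (["app: login ok", "garbage"], ["app: logout", "db: slow query"]):
                with open(path, "w") as w:
                    w.write("\n".join(batch) + "\n")
        t = threading.Thread(target=writer)
        t.start()
        handled = consume_fifo(path, handle, max_messages=3)
        t.join()
    return handled, rows
```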