Re: strange syslogd behaviour
> Is 'tabs only' really necessary? Why are spaces bad? pf for example does not seem to care if I use spaces or tabs.

Because syslog.conf is a format from nearly 40 years ago...
strange syslogd behaviour
Hi,

I have a pair of firewalls with identical syslog.conf files. Nothing special, just removed all the comments, and added a few lines for npppd log redirection:

    # $OpenBSD: syslog.conf,v 1.17 2005/05/25 07:35:38 david Exp $
    # npppd by pacija
    !!npppd
    *.*	/var/log/npppd
    !*
    *.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none	/var/log/messages
    kern.debug;syslog,user.info	/var/log/messages
    auth.info	/var/log/authlog
    authpriv.debug	/var/log/secure
    cron.info	/var/cron/log
    daemon.info	/var/log/daemon
    ftp.info	/var/log/xferlog
    lpr.debug	/var/log/lpd-errs
    mail.info	/var/log/maillog
    *.emerg	*

If I rsync syslog.conf from one firewall to another and restart syslogd, everything works as expected. However, if I list file contents with cat in an ssh session on one firewall and paste it in vi in an ssh session on another one, although I get expected terminal output:

    pacija@nat2:~ $ sudo /etc/rc.d/syslogd restart
    syslogd(ok)
    syslogd(ok)

Only syslogd exiting (and not consequent start) is logged:

    May 3 00:36:57 nat2 syslogd: exiting on signal 15

After this syslogd is shown as running but nothing gets logged to messages, authlog etc.

    pacija@nat2:~ $ ps ax | grep syslog
    27166 ?? Ss 0:00.01 syslogd: [priv] (syslogd)
     2840 ?? S 0:00.00 /usr/sbin/syslogd
    29084 p0 R+ 0:00.00 grep syslog

Is this just my system, or can someone reproduce this? What could be the reason for this?

Thank you in advance,
--
Marko Cupać
https://www.mimar.rs
Re: strange syslogd behaviour
On Sat, May 2, 2015 at 3:55 PM, Marko Cupać marko.cu...@mimar.rs wrote:
> I have a pair of firewalls with identical syslog.conf files. Nothing special, just removed all the comments, and added a few lines for npppd log redirection:
> ...
> If I rsync syslog.conf from one firewall to another and restart syslogd, everything works as expected. However, if I list file contents with cat in an ssh session on one firewall and paste it in vi in an ssh session on another one, although I get expected terminal output:
> ...
> Only syslogd exiting (and not consequent start) is logged:
>
> May 3 00:36:57 nat2 syslogd: exiting on signal 15
>
> After this syslogd is shown as running but nothing gets logged to messages, authlog etc.
> ...
> Is this just my system, or can someone reproduce this? What could be the reason for this?

So the results for a file scp'ed differ from one copy-n-pasted. Did you consider using diff on the resulting files to see how they differed?

The syntax of syslog.conf treats tabs differently than spaces. When you cat, then copy and paste, you're almost certainly converting the tabs to spaces. Or it could be something completely different that diff will reveal.

Philip Guenther
Re: strange syslogd behaviour
On Sat, 2 May 2015 16:03:51 -0700 Philip Guenther guent...@gmail.com wrote:
> On Sat, May 2, 2015 at 3:55 PM, Marko Cupać marko.cu...@mimar.rs wrote:
> > I have a pair of firewalls with identical syslog.conf files. Nothing special, just removed all the comments, and added a few lines for npppd log redirection:
> > ...
> > If I rsync syslog.conf from one firewall to another and restart syslogd, everything works as expected. However, if I list file contents with cat in an ssh session on one firewall and paste it in vi in an ssh session on another one, although I get expected terminal output:
> > ...
> > Only syslogd exiting (and not consequent start) is logged:
> >
> > May 3 00:36:57 nat2 syslogd: exiting on signal 15
> >
> > After this syslogd is shown as running but nothing gets logged to messages, authlog etc.
> > ...
> > Is this just my system, or can someone reproduce this? What could be the reason for this?
>
> So the results for a file scp'ed differ from one copy-n-pasted. Did you consider using diff on the resulting files to see how they differed?
>
> The syntax of syslog.conf treats tabs differently than spaces. When you cat, then copy and paste, you're almost certainly converting the tabs to spaces. Or it could be something completely different that diff will reveal.
>
> Philip Guenther

Hi Philip,

thank you for looking into it. Here's the diff:

pacija@nat2:~ $ diff -u syslog.conf syslog.conf.copy
--- syslog.conf Sun May 3 01:05:33 2015 +++ syslog.conf.copySun May 3 01:06:03 2015
@@ -1,15 +1,15 @@ -# $OpenBSD: syslog.conf,v 1.17 2005/05/25 07:35:38 david Exp $ +# $OpenBSD: syslog.conf,v 1.17 2005/05/25 07:35:38 david Exp $ # npppd by pacija !!npppd -*.*/var/log/npppd +*.* /var/log/npppd !* -*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages -kern.debug;syslog,user.info/var/log/messages -auth.info /var/log/authlog -authpriv.debug /var/log/secure -cron.info /var/cron/log -daemon.info/var/log/daemon -ftp.info /var/log/xferlog -lpr.debug /var/log/lpd-errs -mail.info /var/log/maillog -*.emerg* +*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages +kern.debug;syslog,user.info /var/log/messages +auth.info /var/log/authlog +authpriv.debug /var/log/secure +cron.info /var/cron/log +daemon.info /var/log/daemon +ftp.info/var/log/xferlog +lpr.debug /var/log/lpd-errs +mail.info /var/log/maillog +*.emerg *

So, clearly there are differences (probably tabs and spaces as you say). I see in the syslog.conf man page that:

    The selector field is separated from the action field by one or more tab characters.

Spaces aren't mentioned.

So, while I agree I should read the man page and respect the instruction about tabs, it appears it is quite easy to make a mistake and end up with a system that does not log, without obvious reason. Is 'tabs only' really necessary? Why are spaces bad? pf for example does not seem to care if I use spaces or tabs.

Also, wouldn't it be good to have a mechanism to parse the conf file and warn that no logging will be done instead of just throwing 'syslogd (ok)' and quitting all the logging?

Regards,
--
Marko Cupać
https://www.mimar.rs
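Review bot: the diff output above cannot show which side carries the tabs, because pairs such as "-auth.info /var/log/authlog" and "+auth.info /var/log/authlog" render identically, as does the changed "# $OpenBSD:" comment line. Passing both files through cat -t, which prints each tab as ^I, before diffing would make the separator on every changed line explicit and confirm whether whitespace is the only difference.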
Re: strange syslogd behaviour
On Sat, May 2, 2015 at 4:26 PM, Marko Cupać marko.cu...@mimar.rs wrote:
> On Sat, 2 May 2015 16:03:51 -0700
> ...
> So, while I agree I should read the man page and respect the instruction about tabs, it appears it is quite easy to make a mistake and end up with a system that does not log, without obvious reason. Is 'tabs only' really necessary? Why are spaces bad? pf for example does not seem to care if I use spaces or tabs.

Time to brush up on your study of both history and syntax.

The syslog.conf format on OpenBSD is backward compatible with the original BSD syslogd. So far the developers haven't felt a need to break that backward compatibility when adding new features (the '!' and '!!' lines), so no one has had to rewrite their syslog.conf during upgrades. OpenBSD isn't afraid of requiring config rewrites (cf. pf.conf changes) but the benefits have to balance the imposed costs. Forcing everyone to rewrite their syslog.conf just to change whether spaces and tabs are treated the same would be pretty gratuitous, IMO.

As for the syntax, with the current format you cannot treat spaces and tabs the same: currently spaces are permitted between tokens in the selector list, e.g.:

    kern.debug; syslog,user.info	/var/log/messages

If spaces and tabs were treated the same that would be interpreted differently.

Don't think that's worth it? Hop in your time-machine and go back and convince Eric Allman to treat spaces and tabs the same, preferably both here and in the sendmail.cf format.

> Also, wouldn't it be good to have a mechanism to parse the conf file and warn that no logging will be done instead of just throwing 'syslogd (ok)' and quitting all the logging?

Yeah, that sounds like a nice feature. We look forward to your patch to add that. ;-)

Philip Guenther
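The pre-restart check asked for at the end of the thread, sketched as an added example (not part of any message above and not OpenBSD code): a shell function that flags syslog.conf rule lines lacking the tab that the quoted man page requires between selector and action. It assumes '#' starts a comment and '!' starts a program-block line, as in the posted file; the name lint_syslog_conf and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not OpenBSD code. Flags syslog.conf rule lines that break the
# man page rule quoted in the thread: selector and action are separated by one
# or more tabs. Spaces inside the selector list are allowed, so only the first
# tab is treated as the field boundary.
# Assumption: '#' lines are comments and '!' lines ('!!prog', '!*') are
# program-block lines, as in the file posted above.

# Print "file:line: reason" for each bad rule line.
# Return 1 if any rule is bad or the file has no rules at all, else 0.
lint_syslog_conf() {
    awk '
        /^[ \t]*$/ || /^#/ || /^!/ { next }
        {
            rules++
            tab = index($0, "\t")
            if (tab == 0) {
                printf "%s:%d: no tab between selector and action\n", FILENAME, NR
                bad++
                next
            }
            selector = substr($0, 1, tab - 1)
            action = substr($0, tab)
            sub(/^\t+/, "", action)
            if (selector ~ /^ *$/ || action == "") {
                printf "%s:%d: empty selector or action\n", FILENAME, NR
                bad++
            }
        }
        END {
            if (rules == 0)
                printf "%s: no rule lines, nothing would be logged\n", FILENAME
            exit (bad > 0 || rules == 0)
        }
    ' "$1"
}

# Demo on constructed input: the second rule uses a space, as after a paste.
demo() {
    sample=$(mktemp) || return 1
    printf '!!npppd\n*.*\t/var/log/npppd\n!*\nauth.info /var/log/authlog\n' >"$sample"
    lint_syslog_conf "$sample" || echo "syslog.conf needs fixing before restart"
    rm -f "$sample"
}

# With a path argument lint that file, otherwise run the demo.
if [ $# -gt 0 ]; then lint_syslog_conf "$1"; else demo; fi
```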