On Aug 01, 2009, Gil Vidals wrote:
> I need help in understanding what is going on with kmsgsd. Although rule
> blocking seems to be working well, "ps waux | grep kmsgsd" doesn't show it
> running.
>
> psad.conf relevant lines:
> KMSGSD_PID_FILE $PSAD_RUN_DIR/kmsgsd.pid;
> kmsgsdCmd /usr/sbin/kmsgsd;
>
> [r...@warsaw psad]# ps waux | grep psad
> root 21153 0.0 1.6 121680 32968 ? Ss Jul30 0:31
> /usr/bin/perl -w /usr/sbin/psad
> root 21155 0.0 0.0 3784 192 ? Ss Jul30 0:00
> /usr/sbin/psadwatchd
>
> [r...@warsaw psad]# psad --Version
> [+] psad v2.1.5 (file revision: 2253)

By default, the ENABLE_SYSLOG_FILE variable is set to "Y", so in this case psad no longer requires kmsgsd in order to acquire iptables log data - it is just parsing your /var/log/messages file directly. There isn't really a compelling reason to have syslog write everything to a named pipe before psad gets to see it since parsing /var/log/messages directly is usually a better solution. If you disable ENABLE_SYSLOG_FILE, then psad will return to using kmsgsd.

Thanks,

--Mike

> Gil Vidals / VMRacks.com

_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
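
Added example, not part of the original thread and not psad's own code: a shell check that reads ENABLE_SYSLOG_FILE from a psad.conf-style file and says whether a missing kmsgsd process is expected or means psad is getting no iptables log data. The function names are hypothetical, the sample config is constructed, and `pgrep` is assumed to be available.

```shell
# Print the value of variable $2 from the psad.conf-style file $1
# ("KEY   value;" lines, "#" comments); the last assignment wins.
psad_conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key {
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)
            sub(/[ \t]*;.*$/, "", line)
            val = line
        }
        END { if (val != "") print val }
    ' "$1"
}

# Print "syslog-file" or "kmsgsd". An absent setting is treated as "Y",
# the default stated in the reply above.
psad_log_source() {
    v=$(psad_conf_get "$1" ENABLE_SYSLOG_FILE)
    case "${v:-Y}" in
        Y) echo syslog-file ;;
        *) echo kmsgsd ;;
    esac
}

# $1 = config file, $2 = yes/no: was a kmsgsd process seen running?
kmsgsd_verdict() {
    src=$(psad_log_source "$1")
    case "$src:$2" in
        syslog-file:no)  echo "ok: psad parses the syslog file directly, kmsgsd not required" ;;
        syslog-file:yes) echo "note: kmsgsd is running although ENABLE_SYSLOG_FILE is Y" ;;
        kmsgsd:yes)      echo "ok: kmsgsd is running as this config requires" ;;
        kmsgsd:no)       echo "problem: config relies on kmsgsd but it is not running" ;;
    esac
}

# Constructed sample config (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed psad.conf excerpt
ENABLE_SYSLOG_FILE          Y;
KMSGSD_PID_FILE             $PSAD_RUN_DIR/kmsgsd.pid;
kmsgsdCmd                   /usr/sbin/kmsgsd;
EOF
running=no
pgrep -x kmsgsd >/dev/null 2>&1 && running=yes
kmsgsd_verdict "$sample" "$running"
rm -f "$sample"
```

On a real host, pass the path of the installed psad.conf instead of the sample file.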