syslog-ng-users April 2011 archive
Main Archive Page > Month Archives  > syslog-ng-users archives
syslog-ng-users: Re: [syslog-ng] Question about syntax for sourc

Re: [syslog-ng] Question about syntax for source

From: Sandor Geller <Sandor.Geller_at_nospam>
Date: Fri Apr 08 2011 - 09:14:55 GMT
To: "Syslog-ng users' and developers' mailing list" <syslog-ng@lists.balabit.hu>

Hello Bazsi,

On Fri, Apr 8, 2011 at 12:36 AM, Balazs Scheidler <bazsi@balabit.hu> wrote:
> On Mon, 2011-04-04 at 12:18 +0200, Sandor Geller wrote:
>> Hello,
>>
>> On Sun, Apr 3, 2011 at 9:02 PM, Gergely Nagy <algernon@balabit.hu> wrote:
>> > Phusion <phusion2k@gmail.com> writes:
>> >
>> >> When trying to convert this for syslog-ng 3.x under OpenBSD. I have an
>> >> error. When I use syslog-ng -s -f ../syslog-ng.conf it works, but when
>> >> I run syslog-ng -p /var/run/syslog-ng.pid, I get the following error.
>> >>
>> >> # /usr/local/sbin/syslog-ng -p /var/run/syslog-ng.pid
>> >> WARNING: you are using the pipe driver, underlying file is not a FIFO,
>> >> it should be used by file(); filename='/dev/klog'
>> >
>> > The warning pretty much tells you what to do, and why: change pipe() to
>> > file(), because /dev/klog appears to be something else than your common
>> > pipe.
>>
>> This warning is misleading. As reported a while ago using file() for
>> anything else than non-regular files could lead to severe problems.
>>
>> > In syslog-ng 2.x, things worked a bit differently (the details escape
>> > me, I'm afraid), which changed in 3.x, and thus, the warning is printed.
>> >
>> >> Here is the current source line using syslog-ng 3.0 under OpenBSD 4.8.
>> >>
>> >> source local { internal(); pipe("/dev/klog" program_override("kernel:
>> >> ")); unix-dgram("/dev/log"); };
>> >
>> > Change it to something like this:
>> >
>> > source local {
>> > internal();
>> > file("/dev/klog" program_override("kernel: "));
>> > unix-dgram("/dev/log");
>> > };
>>
>> Don't do this. Commit 61940d18c205d36cb7dd0b30dba741cc8459e2ac fixed
>> the underlying problem in the 3.2 branch. When a new version will get
>> released then the warning would remain but at least syslog-ng would
>> actually check that the source is a regular file and assume
>> readability only in this case, otherwise it will poll() the source
>> which is the wanted behaviour for character devices and pipes.
>
> But If I remember correctly, that only affected 3.2, right?

In 3.0.8 using pipe() on a non-fifo source or using file() on a fifo
source was a fatal error. In 3.1.3 the errors were downgraded to
warnings, 3.2 behaves more or less the same. I haven't checked 3.3
yet.

In 3.2 git there is an additional check so LW_ALWAYS_WRITABLE is set
only for regular file destinations which fixes the blocking write
problem reported on the list a while ago but there is still a warning
which could get suppressed. I think pipe should be the preferred
driver for anything else than regular files, an extra poll() won't
hurt. What do you think about this patch?

--- affile.c 2011-02-13 14:34:38.000000000 +0100
+++ affile.c-new 2011-04-08 11:13:52.000000000 +0200
@@ -46,6 +46,7 @@
 {
   cap_t saved_caps;
   struct stat st;
+ gboolean is_regular;

   if (strstr(name, "../") || strstr(name, "/.."))
     {
@@ -75,20 +76,21 @@
   *fd = -1;
   if (stat(name, &st) >= 0)
     {
- if (is_pipe && !S_ISFIFO(st.st_mode))
+ is_regular = !!S_ISREG(st.st_mode);
+ if (!is_pipe && !is_regular)
         {
- msg_warning("WARNING: you are using the pipe driver,
underlying file is not a FIFO, it should be used by file()",
+ msg_warning("WARNING: you are using the file driver,
underlying file is not a regular file, it should be used by pipe()",
                     evt_tag_str("filename", name),
                     NULL);
         }
- else if (!is_pipe && S_ISFIFO(st.st_mode))
+ else if (is_pipe && is_regular)
         {
- msg_warning("WARNING: you are using the file driver,
underlying file is a FIFO, it should be used by pipe()",
+ msg_warning("WARNING: you are using the pipe driver,
underlying file is a regular file, it should be used by file()",
                       evt_tag_str("filename", name),
                       NULL);
         }
       if (regular)
- *regular = !!S_ISREG(st.st_mode);
+ *regular = is_regular;
     }
   else if (regular)
     *regular = TRUE;

Regards,

Sandor
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html