Firewall Wizards mailing list archives
working on a new syslogd.
From: Darren Reed <avalon () coombs anu edu au>
Date: Fri, 3 Jul 1998 04:08:41 +1000
Over the past few months, I've spent some time (increasingly less recently:-() on writing a new syslogd. I'm at a point where I've made a large amount of progress but before committing to doing things the way they are, I'd like to invite others to review it. The basis for this rewrite is that the current one (even with hacks in freebsd, openbsd, and elsewhere) is not really able to deliver what we need today - especially in firewalls. One of the features I'd like to add, but am in a dither about how to finalise, is adding a hash log for checking the current log file against to detect unachanges (not prevent them). This is all well and good, except that the interaction over TCP for remote logging needs more work for setting up the connection, ensuring both ends are using the same hash algorithms, etc. At this point, one might assume the position of not worrying about this and implement something just for syslogd, but I don't see that as being a win in the long run. I should add that at least one implementation of this technology is patent pending (see Schneier's paper from Usenix Security '98). A goal here has been to avoid crypto. (not worried if message contents are secret or not as integrity is what's important) so that silly governments don't need to worry about whether this is going in or out of their countries. I was hoping to have cleaned up the code a bit more before sending a public email, but that was not to be. Anyway, if you'd like to peruse the source code, it can be retrieved from: ftp://coombs.anu.edu.au/pub/net/misc/nsyslogd.tar.gz A brief on some of the changes is included below. Cheers, Darren New Syslogd. ------------ This new "syslogd" has been built to recognise the old format syslog.conf files as well as a new format. The new format has 5 basic lines: - comment - source specification - filter specification - destination specification - log specification This implementation of syslogd uses the following paradigm: a message will arrive from a source, may be put through a number of various filters and will be delivered to a destination. The filtering selects whether or not to let the message proceed to be delivered. Comments are marked by the #. A source is defined thus: source src { file /dev/klog; unix /dev/log; udp 0.0.0.0,514; }; This defines a single source of messages "src" to consist of three parts: a file named /dev/klog, a unix domain socket /dev/log and a UDP port at port number 514. Any syslog message detected on one of those sources is considered to be coming from "src". It is possible to use the same source of messages, more than once, in a single configuration. Thus you might have: source src { file /dev/klog; unix /dev/log; udp 0.0.0.0,514; }; source skern { file /dev/klog; }; where src groups a message as being from any one of its 3 constituents and skern only cares about messages from /dev/klog. For those who are concerned, each is only opened once and common references are made. Likewise, filters and destinations can be setup with common parts or each being distinct on its own. This document doesn't attempt to (yet anyway) describe all the available options. In specifying a log action, at least a source and destination may be givern and optionally, one or more filters. Thus if I had: destniation klog { file /var/log/kern; }; log { source skern; destination klog; }; in combination with the above examples, all messages from /dev/klog would get logged to /var/log/kern regardless of their content/priority/facility. If we wanted to log all errors to /var/adm/messages, we might use the above with: destination errs { file /var/log/messages; }; filter errors { priority err; }; log { source src; filter errors; destination errs; }; If I also wanted to *include* all authentication syslog messages in the file errs, I might use: filter authm { facility auth; }; log { source src; filter errors; filter authm; destination errs; }; but if I was only interested in auth messages from login, I might have: filter login { match-prog login; }; log { source src; filter errors; filter authm,login; destination errs; }; or as: filter authm { facility auth; match-prog login; }; log { source src; filter errors; filter authm; destination errs; }; For destinations which are files, it is possible to adjust the sync rate at which fsync() is called. By changing errs to the below, it will call fsync() after every thirthieth message has been save to /var/log/messages: destination errs { file /var/log/messages; sync 30; };
Current thread:
- working on a new syslogd. Darren Reed (Jul 02)
- Re: working on a new syslogd. Aleph One (Jul 03)
- Re: working on a new syslogd. Darren Reed (Jul 19)
- Re: working on a new syslogd. Ivan Arce,CORE SDI (Jul 21)
- Re: working on a new syslogd. Darren Reed (Jul 19)
- Re: working on a new syslogd. Doug Hughes (Jul 03)
- Re: working on a new syslogd. Bennett Todd (Jul 07)
- Re: working on a new syslogd. Hubert Weikert (Jul 08)
- Re: working on a new syslogd. Darren Reed (Jul 19)
- Re: working on a new syslogd. Ivan Arce,CORE SDI (Jul 21)
- Re: working on a new syslogd. Hubert Weikert (Jul 08)
- Re: working on a new syslogd. Aleph One (Jul 03)
- <Possible follow-ups>
- Re: working on a new syslogd. ark (Jul 07)
- Re: working on a new syslogd. ark (Jul 20)