Re: sylogd, klogd and syslog replacements (was: RE: [Cooker]imap-2001a-7mdk.src.rpm)
Borsenkow Andrej [EMAIL PROTECTED] writes:

You'd need to work with priorities then, the precedence of the default sysklogd without mysql would have to be higher, and only have it if the user requests it. There are other things that you might need to take care of as well such as rebooting from a bad system where you might not have a /usr or a network.

there is one problem (syslog-ng hits this as well). Currently both klogd and syslogd are bundled in one package - sysklogd. You may want to replace syslog - but you definitely do not want to replace klogd. So if sysklogd maintainer would agree to split sysklogd into two packages - klogd proper and syslogd proper it would make syslogd replacements much easier. And I would immediately release syslog-ng that I have been using here for some time now without a single problem (except stupid administrator :-) I mean, with proper config and logrotate configuration that currently conflicts with syslogd logrotate.

Well, I am not against, as long as this does not change the classic syslog/klog program.

-- Warly
Re: sylogd, klogd and syslog replacements (was: RE: [Cooker] imap-2001a-7mdk.src.rpm)
Borsenkow Andrej [EMAIL PROTECTED] writes:

btw do you know if there's anything that would be needed to change if syslog-ng were to become a real drop-in replacement for syslogd?

[...]

4. Add syslog-ng support to msec.

The reason for a split is, logrotate for syslogd and syslog-ng refer to the same files which means logs are rotated twice. What I had in mind is to make syslog-ng conflict with syslogd. Alternative is (assuming syslog-ng is adopted) to just check which one is currently running and prime it.

Fredl, do you have any plans to add support for external modules? It would be ideal case - syslog-ng comes with own msec module to avoid rewriting it every time.

No I don't want to do that. I prefer to have a central point for all security related stuff.

-- Fred - May the source be with you
RE: sylogd, klogd and syslog replacements (was: RE: [Cooker] imap-2001a-7mdk.src.rpm)
http://www.mandrake.com/en/archives/cooker/2002-05/msg01166.php

Oh yes, I read about that one. My personal opinion is that (as with anything fancy) that it is very nice, but it's a very big fancy candy add-on that you are adding to a basesystem tool ...

BTW if you look in syslog-ng archives you'll see an example of SQL connector using pipes. Nothing very special is needed for it:

destination d_mysql {
    pipe("/etc/mysql.pipe"
        template("INSERT INTO logs(host, facility, priority, level, tag, date, time, program, msg) VALUES('$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG');\n")
        template-escape(yes));
};

just have something on other end listening. cool is not it?

-andrej
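What template-escape(yes) in the destination above is for, shown as an added example that is not part of the original message or of syslog-ng: it models the documented escaping of ', " and backslash in macro values and checks whether each rendered line is still the one intended INSERT. The shortened three-column template, the sample records and the small string scanner are assumptions constructed for the illustration.

```python
import re

# Shortened form of the thread's template (assumption: three columns only).
TEMPLATE = ("INSERT INTO logs(host, program, msg) "
            "VALUES('$HOST', '$PROGRAM', '$MSG');")
# Characters template-escape(yes) is documented to backslash-escape.
ESCAPES = str.maketrans({"'": "\\'", '"': '\\"', "\\": "\\\\"})

# Constructed sample records; none of these come from a real log.
SAMPLES = [
    {"HOST": "web1", "PROGRAM": "sshd", "MSG": "session opened"},
    {"HOST": "web1", "PROGRAM": "cron", "MSG": "can't open /etc/crontab"},
    {"HOST": "web1", "PROGRAM": "smbd", "MSG": "path ends in \\"},
]

def render(macros, escape):
    """Expand $MACRO references, optionally escaping each value first."""
    def value(m):
        v = macros[m.group(1)]
        return v.translate(ESCAPES) if escape else v
    return re.sub(r"\$([A-Z]+)", value, TEMPLATE)

def split_literals(stmt):
    """Scan '...' strings as MySQL does by default; None if one never closes."""
    skeleton, literals, i = [], [], 0
    while i < len(stmt):
        if stmt[i] != "'":
            skeleton.append(stmt[i])
            i += 1
            continue
        i, buf = i + 1, []
        while i < len(stmt) and stmt[i] != "'":
            if stmt[i] == "\\" and i + 1 < len(stmt):
                i += 1  # a backslash makes the next character literal
            buf.append(stmt[i])
            i += 1
        if i >= len(stmt):
            return None  # ran off the end inside a string
        literals.append("".join(buf))
        skeleton.append("?")
        i += 1
    return "".join(skeleton), literals

def survives(macros, escape):
    """True if the line is still the intended INSERT with unchanged values."""
    parsed = split_literals(render(macros, escape))
    wanted = [macros["HOST"], macros["PROGRAM"], macros["MSG"]]
    return parsed == (split_literals(TEMPLATE)[0], wanted)
```

Calling `survives(rec, False)` and `survives(rec, True)` for each record in `SAMPLES` shows that an ordinary apostrophe or a trailing backslash in a log message is enough to corrupt the statement when escaping is off.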
Re: sylogd, klogd and syslog replacements (was: RE: [Cooker] imap-2001a-7mdk.src.rpm)
On Monday 27 May 2002 07.15, Borsenkow Andrej wrote:

http://www.mandrake.com/en/archives/cooker/2002-05/msg01166.php

Oh yes, I read about that one. My personal opinion is that (as with anything fancy) that it is very nice, but it's a very big fancy candy add-on that you are adding to a basesystem tool ...

True, true

You'd need to work with priorities then, the precedence of the default sysklogd without mysql would have to be higher, and only have it if the user requests it. There are other things that you might need to take care of as well such as rebooting from a bad system where you might not have a /usr or a network.

there is one problem (syslog-ng hits this as well). Currently both klogd and syslogd are bundled in one package - sysklogd. You may want to replace syslog - but you definitely do not want to replace klogd.

No, you didn't read my mail. My changes do not replace anything, check: http://d-srv.com/Cooker/SRPMS/sysklogd-1.4.1-3mdk.src.rpm, and http://www.mandrake.com/en/archives/cooker/2002-05/msg01166.php

I agree it would be a good idea to break out klogd.

So if sysklogd maintainer would agree to split sysklogd into two packages - klogd proper and syslogd proper it would make syslogd replacements much easier. And I would immediately release syslog-ng that I have been using here for some time now without a single problem (except stupid administrator :-) I mean, with proper config and logrotate configuration that currently conflicts with syslogd logrotate.

Great! But as I understand there's many other syslog replacements, the one that comes to my mind is for example http://smarden.org/socklog/ I have run klogd supervised too:) Well, sorry, I know ucspi-tcp and daemontools are not in the distro (yet), but I can dream, can't I?

-- Regards // Oden Eriksson
Re: sylogd, klogd and syslog replacements (was: RE: [Cooker] imap-2001a-7mdk.src.rpm)
VALUES('$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG');\n") template-escape(yes)); };

just have something on other end listening. cool is not it?

Yes, it's really nice! My initial comment on Oden's changes was that I did like the idea if we made syslogd depend on mysql so much that inside the distrib that using a non-sql syslogd would not be a viable alternative, otherwise I really don't have a problem with it. :-)

btw do you know if there's anything that would be needed to change if syslog-ng were to become a real drop-in replacement for syslogd?

And the sysklogd maintainer is Warly. you can ask him for the final decision :-)

-- Geoff.
RE: sylogd, klogd and syslog replacements (was: RE: [Cooker] imap-2001a-7mdk.src.rpm)
btw do you know if there's anything that would be needed to change if syslog-ng were to become a real drop-in replacement for syslogd?

1. Fix syslog-ng config (apart from stupid formatting bug /dev/log seems to be DGRAM not STREAM contrary to syslog-ng readme).
2. Add proper logrotate to syslog-ng
3. Split sysklogd into klogd and syslogd proper so that you could replace syslogd part with alternative implementation. You can run syslog-ng without klogd but then you need /proc/kmsg i.e. it won't work if /proc is not mounted.
4. Add syslog-ng support to msec.

The reason for a split is, logrotate for syslogd and syslog-ng refer to the same files which means logs are rotated twice. What I had in mind is to make syslog-ng conflict with syslogd. Alternative is (assuming syslog-ng is adopted) to just check which one is currently running and prime it.

Fredl, do you have any plans to add support for external modules? It would be ideal case - syslog-ng comes with own msec module to avoid rewriting it every time.

Currently I have fixed RPM (based on syslog-ng 1.5.17); if there is any interest I can upload it but I do not know what to do with sources - one file is defined as extra source and AFAIK sources are not entered in CVS when I upload RPM? Also it does not contain logrotate support for above reasons.

And the sysklogd maintainer is Warly. you can ask him for the final decision :-)

So far syslog-ng seems to work here and it allows _far_ better control over where your logs go. It has some problems in interaction with klogd but I bet it is solvable.

-andrej
sylogd, klogd and syslog replacements (was: RE: [Cooker] imap-2001a-7mdk.src.rpm)
http://www.mandrake.com/en/archives/cooker/2002-05/msg01166.php

Oh yes, I read about that one. My personal opinion is that (as with anything fancy) that it is very nice, but it's a very big fancy candy add-on that you are adding to a basesystem tool ...

True, true

You'd need to work with priorities then, the precedence of the default sysklogd without mysql would have to be higher, and only have it if the user requests it. There are other things that you might need to take care of as well such as rebooting from a bad system where you might not have a /usr or a network.

there is one problem (syslog-ng hits this as well). Currently both klogd and syslogd are bundled in one package - sysklogd. You may want to replace syslog - but you definitely do not want to replace klogd. So if sysklogd maintainer would agree to split sysklogd into two packages - klogd proper and syslogd proper it would make syslogd replacements much easier. And I would immediately release syslog-ng that I have been using here for some time now without a single problem (except stupid administrator :-) I mean, with proper config and logrotate configuration that currently conflicts with syslogd logrotate.

-andrej