Date: Mon, 23 Jan 2012 15:51:51 -0500
From: Michael Scheidell <scheidell@freebsd.org>
To: <ports@freebsd.org>
Subject: help with swatch rc script
Message-ID: <4F1DC867.4090700@freebsd.org>
It seems that every time there is a solar flare, swatch status stops working.
This means that service swatch stop won't work because it doesn't know it's running, restart, nothing.

I tracked it down, and it is the size of the swatch_x_flags line that causes the problem: too small, and it won't work!

Example: simple swatch in rc:

swatch_enable="YES"
swatch_rules="1"
swatch_1_flags="--config-file=/usr/local/etc/swatch-hackertrap.conf --tail-file=/var/log/eventlog --tail-args=-F --daemon --pid-file=/var/run/swatch_1.pid"
swatch_1_pidfile="/var/run/swatch_1.pid"
swatch_1_chdir="/var/tmp"

(with/without swatch_1_pidfile, with/without swatch_w_chdir: doesn't matter.)

service swatch status
swatch is not running.
atrium-ru.hackertrap.net# ps -auxww | grep swatch
root 22182 0.0 0.7 28080 13812 ?? Is 12:26AM 0:00.00 /usr/local/bin/swatch --config-file=/usr/local/etc/swatch-hackertrap.conf --tail-file=/var/log/eventlog --tail-args=-F --daemon --pid-file=/var/run/swatch_1.pid (perl)
root 22252 0.0 0.1 7884 1380 p1 S+ 12:31AM 0:00.00 grep swatch
atrium-ru.hackertrap.net# cat /var/run/swatch_1.pid
22182

Now, I can't blame the last person who touched files/swatch.in, because it was a previous PR I opened that added the procname to it.
<http://www.freebsd.org/cgi/query-pr.cgi?pr=148893>
(before.. something happened..) it didn't work _without_ procname in rc script.

The rc script itself is a little messy, and before I go to the maintainer with a PR, I would like to get it to work in all environments.

(Again, it ~seems~ to only work now if you have a very long swatch_flags line: doesn't matter if I use swatch_x_flags='ljljljlkjlk "ljljlkj " lk lj ' or " \" \" (doesn't matter if I use single or double quotes), multi line or single line.)

swatch_enable="YES"
swatch_rules="1"
swatch_1_flags='--config-file=/usr/local/etc/swatch-hackertrap.conf --tail-file="/var/log/eventlog /var/log/messages" \
--tail-args=-Fn0 --daemon --pid-file=/var/run/swatch_1.pid'

ps -auxww | grep swatch
root 22383 0.0 0.7 28080 13816 ?? Is 12:39AM 0:00.00 /usr/local/bin/swatch --config-file=/usr/local/etc/swatch-hackertrap.conf --tail-file=/var/log/eventlog /var/log/messages --tail-args=-Fn0 --daemon --pid-file=/var/run/swatch_1.pid (perl)

It's the length of the --tail-file, or the total length of the command line:

THIS WORKS:

swatch_enable="YES"
swatch_rules="1"
swatch_1_flags='--config-file=/usr/local/etc/swatch-hackertrap.conf \
--tail-file="/var/log/eventlog /var/log/messages /var/log/test1 /var/log/test2 /var/log/test3 /var/log/test4_but_add_a_humungious_long_file_to_put_it_past_some_buffer_and_it_finally_works" \
--tail-args=-Fn0 --daemon --pid-file=/var/run/swatch_1.pid'

service swatch status
swatch is running as pid 22595.
atrium-ru.hackertrap.net# ps -auxww | grep swatch
root 22595 0.0 0.7 28080 13812 ?? Is 12:45AM 0:00.00 /usr/local/bin/perl //.swatch_script.22591
root 22620 0.0 0.1 7884 1380 p1 S+ 12:47AM 0:00.00 grep swatch

0:00.00 /usr/local/bin/perl //.swatch_script.22591

-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation
* Best Mobile Solutions Product of 2011
* Best Intrusion Prevention Product
* Hot Company Finalist 2011
* Best Email Security Product
* Certified SNORT Integrator
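An added example, not part of the message above and not the port's rc script: a simplified model of a pidfile plus procname status check, run against the command columns of the two ps listings in the message. It assumes the check compares the first word of the process command line with procname, and that procname is /usr/local/bin/perl (the message does not quote the value); `procname_matches` and `explain_status` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: simplified model of a pidfile + procname status check.
# Assumption: the check passes when the first word of the command line that
# ps reports for the pid equals procname or its basename.

procname_matches() {    # $1 = procname, $2 = command column from ps
    arg0=${2%% *}
    case "$arg0" in
        "$1"|"${1##*/}") return 0 ;;
        *) return 1 ;;
    esac
}

# Explain the result for a live pidfile (needs ps; hypothetical helper).
explain_status() {      # $1 = pidfile, $2 = procname
    [ -r "$1" ] || { echo "no readable pidfile: $1"; return 2; }
    read -r pid < "$1"
    cmd=$(ps -o command= -p "$pid" 2>/dev/null) || cmd=
    [ -n "$cmd" ] || { echo "pid $pid: no such process"; return 3; }
    if procname_matches "$2" "$cmd"; then
        echo "pid $pid matches procname $2"
    else
        echo "pid $pid is alive, but arg0 '${cmd%% *}' is not '$2'"
        return 1
    fi
}

# Command columns copied from the two ps listings in the message.
FAILING='/usr/local/bin/swatch --config-file=/usr/local/etc/swatch-hackertrap.conf --tail-file=/var/log/eventlog --tail-args=-F --daemon --pid-file=/var/run/swatch_1.pid (perl)'
WORKING='/usr/local/bin/perl //.swatch_script.22591'
PROCNAME=/usr/local/bin/perl    # assumed; the message does not quote procname

for c in "$FAILING" "$WORKING"; do
    if procname_matches "$PROCNAME" "$c"; then r='running'; else r='not running'; fi
    echo "$r: ${c%% *}"
done
```

On a live host, `explain_status /var/run/swatch_1.pid /usr/local/bin/perl` reports which of the two cases the running daemon is in.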
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4F1DC867.4090700>