Date:      Tue, 31 Jul 2012 18:45:44 GMT
From:      Christoph Weber-Fahr <cwf-ml@arcor.de>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/170299: syslog-ng sample config does not work the way it claims to 
Message-ID:  <201207311845.q6VIjiUu044259@red.freebsd.org>
Resent-Message-ID: <201207311850.q6VIo60B066449@freefall.freebsd.org>


>Number:         170299
>Category:       ports
>Synopsis:       syslog-ng sample config does not work the way it claims to
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 31 18:50:06 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Christoph Weber-Fahr
>Release:        FreeBSD 8.2-RELEASE    i386
>Organization:
Vodafone
>Environment:
FreeBSD xxx.xxx.xx 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Feb 18 02:24:46 UTC 2011     root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
syslog-ng is a replacement for the BSD syslog daemon with a few nifty security features.

Among the files it installs is a sample config, presumably to be used as a template to build your config from.

The sample config claims to be an exact equivalent of FreeBSD's /etc/syslog.conf as distributed with the system. Unfortunately, this claim rests on an erroneous understanding of syslog-ng's configuration language. The sample config is not only defective but actually misleads the user into false assumptions about syslog-ng's config semantics.

Here is the worst offender. The following block handles /var/log/messages. The filters used are all predefined elsewhere and essentially do what you would expect them to do based on their name. The commented header line displays the syslog.conf line it is supposed to replace.

# ---------------
# *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err	/var/log/messages
#
log { source(src); filter(f_notice); filter(f_not_authpriv); destination(messages); };
log { source(src); filter(f_kern); filter(f_debug); destination(messages); };
log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
log { source(src); filter(f_mail); filter(f_crit); destination(messages); };
log { source(src); filter(f_news); filter(f_err); destination(messages); };
# ---------------

The problem here is that filters in a log statement are combined by AND, while consecutive log statements are essentially additive. 
The original syslogd, on the other hand, allows consecutive statements to modify their preceding, more general statements. 

The original line, for instance, meant "all lines notice-and-above, except authpriv, and also except any mail lines below crit and news lines below err. Furthermore, everything from kern and info-and-above from lpr."

In the syslog-ng syntax, this is not reproduced. The log statements for mail and news are NOPs.

A similar problem exists with the /dev/console block.
>How-To-Repeat:
install syslog-ng
move /usr/local/etc/syslog-ng.conf.sample to /usr/local/etc/syslog-ng.conf
activate syslog-ng in /etc/rc.conf
deactivate system syslogd and start syslog-ng

test classes like mail.err or news.warning via logger(1)



>Fix:
There is no way in syslog-ng to work with simple atomic filters and combine them in a sequence of log lines to emulate the syslog.conf mechanism, as the author tries. You have to employ more complex filters.

I give an example. I assume the predefined atomic filters in the sample file are still there:

# -------------
filter f_msgntc { level(notice..emerg)
                    and not  facility(authpriv)
                    and not (facility(mail) and level(notice..err))
                    and not (facility(news) and level(notice..warning))
                  ; };
#
log { source(src); filter(f_msgntc); destination(messages); };
log { source(src); filter(f_kern); filter(f_debug); destination(messages); };
log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
# -------------

You also need to use a similar fix with the /dev/console block

>Release-Note:
>Audit-Trail:
>Unformatted:
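The two routing semantics described in the report, as an added example that is not part of the PR or of the syslog-ng port: a Python model of the syslog.conf selector line quoted above (later entries override earlier ones per facility) next to a model of syslog-ng log statements (filters ANDed inside a statement, statements independent of each other). The atomic filter definitions (f_notice, f_not_authpriv, f_kern, f_debug, f_lpr, f_info, f_mail, f_crit, f_news, f_err) are not quoted in the PR and are reconstructed here from what their names suggest; the facility list and the (facility, level) grid are constructed for the comparison, and only the plain facility.level syntax used on that line is modelled, not syslogd's comparison flags.

```python
# Added example (not part of the PR or of the syslog-ng port): a small
# model of BSD syslog.conf selector semantics next to syslog-ng log-path
# semantics, run over constructed (facility, level) pairs instead of a
# live daemon.  The atomic filters f_notice, f_kern, f_debug, ... are not
# shown in the PR; they are assumed here to mean what their names say.

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
RANK = {name: i for i, name in enumerate(LEVELS)}   # lower rank = more severe
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "local0"]   # constructed

# The /var/log/messages line quoted in the PR.
MESSAGES_LINE = "*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err"


def syslog_conf_matches(selector, fac, lvl):
    """BSD syslogd: entries are read left to right and the LAST entry naming
    a facility (or '*') decides for that facility.  'none' drops it; any
    other level means that level and everything more severe.  Only the
    plain 'facility.level' syntax used on the line above is modelled."""
    threshold = None                                  # None: not logged
    for entry in selector.split(";"):
        fac_sel, lvl_sel = entry.strip().split(".")
        if fac_sel not in ("*", fac):
            continue
        threshold = None if lvl_sel == "none" else RANK[lvl_sel]
    return threshold is not None and RANK[lvl] <= threshold


# syslog-ng filter building blocks, as predicates over (facility, level).
def facility(*names):
    return lambda fac, lvl: fac in names


def level(low, high):
    """level(low..high) in syslog-ng: inclusive range, low is the least severe."""
    return lambda fac, lvl: RANK[high] <= RANK[lvl] <= RANK[low]


def not_(f):
    return lambda fac, lvl: not f(fac, lvl)


def all_of(*fs):
    """Several filter() references in one log statement are ANDed."""
    return lambda fac, lvl: all(f(fac, lvl) for f in fs)


# Log statements from the sample config, one predicate each (filters ANDed).
SAMPLE_LOG_PATHS = [
    all_of(level("notice", "emerg"), not_(facility("authpriv"))),  # f_notice, f_not_authpriv
    all_of(facility("kern"), level("debug", "emerg")),             # f_kern, f_debug
    all_of(facility("lpr"), level("info", "emerg")),               # f_lpr, f_info
    all_of(facility("mail"), level("crit", "emerg")),              # f_mail, f_crit
    all_of(facility("news"), level("err", "emerg")),               # f_news, f_err
]

# The f_msgntc filter proposed in the PR's Fix section.
F_MSGNTC = all_of(
    level("notice", "emerg"),
    not_(facility("authpriv")),
    not_(all_of(facility("mail"), level("notice", "err"))),
    not_(all_of(facility("news"), level("notice", "warning"))),
)
FIXED_LOG_PATHS = [F_MSGNTC, SAMPLE_LOG_PATHS[1], SAMPLE_LOG_PATHS[2]]


def syslog_ng_copies(log_paths, fac, lvl):
    """Log statements are independent: the destination gets one copy per
    matching statement (OR across statements, AND within one)."""
    return sum(1 for path in log_paths if path(fac, lvl))


def mismatches(log_paths, selector=MESSAGES_LINE):
    """(facility, level) pairs that syslog-ng routes differently from syslogd."""
    return [(fac, lvl) for fac in FACILITIES for lvl in LEVELS
            if syslog_conf_matches(selector, fac, lvl)
            != (syslog_ng_copies(log_paths, fac, lvl) > 0)]


def duplicates(log_paths):
    """Pairs delivered by more than one log statement (written more than once)."""
    return [(fac, lvl) for fac in FACILITIES for lvl in LEVELS
            if syslog_ng_copies(log_paths, fac, lvl) > 1]


if __name__ == "__main__":
    print("sample config differs from syslog.conf on:", mismatches(SAMPLE_LOG_PATHS))
    print("fixed config differs from syslog.conf on: ", mismatches(FIXED_LOG_PATHS))
    print("fixed config still logs twice:            ", duplicates(FIXED_LOG_PATHS))
```

Run stand-alone, the model reports exactly the NOPs the PR describes: the sample config delivers mail.err, mail.warning, mail.notice, news.warning and news.notice to /var/log/messages although the syslog.conf line drops them, while the proposed f_msgntc filter agrees with the syslog.conf line on every pair in the grid. One caveat the model also surfaces: kern and lpr messages at notice and above are matched by two log statements in both the sample and the proposed fix, and syslog-ng processes every matching log statement unless an earlier one carries flags(final), so those lines would reach the destination twice; adding `and not facility(kern) and not facility(lpr)` to f_msgntc, or excluding them in the sample's first log statement, avoids that.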



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201207311845.q6VIjiUu044259>