From owner-freebsd-ports-bugs@FreeBSD.ORG Tue Jul 31 18:50:07 2012
Resent-Date: Tue, 31 Jul 2012 18:50:06 GMT
Resent-Message-Id: <201207311850.q6VIo60B066449@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Christoph Weber-Fahr
Message-Id: <201207311845.q6VIjiUu044259@red.freebsd.org>
Date: Tue, 31 Jul 2012 18:45:44 GMT
From: Christoph Weber-Fahr
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/170299: syslog-ng sample config does not work the way it claims to

>Number:         170299
>Category:       ports
>Synopsis:       syslog-ng sample config does not work the way it claims to
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 31 18:50:06 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Christoph Weber-Fahr
>Release:        FreeBSD 8.2-RELEASE i386
>Organization:
Vodafone
>Environment:
FreeBSD xxx.xxx.xx 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Feb 18 02:24:46 UTC 2011 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
syslog-ng is a replacement for the BSD's syslog daemon with a few nifty security features.

Among the files it installs is a sample config, presumably to be used as a template to build your config from. The sample config claims to be an exact equivalent of FreeBSD's /etc/syslog.conf as distributed with the system.

Unfortunately, this claim rests on an erroneous understanding of syslog-ng's configuration language. The sample config is not only defective but actually misleads the user into false assumptions about syslog-ng's config semantics.

Here is the worst offender. The following block handles /var/log/messages. The filters used are all predefined elsewhere and essentially do what you would expect them to do based on their name. The commented header line displays the syslog.conf line it is supposed to replace.

# ---------------
# *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err     /var/log/messages
#
log { source(src); filter(f_notice); filter(f_not_authpriv); destination(messages); };
log { source(src); filter(f_kern); filter(f_debug); destination(messages); };
log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
log { source(src); filter(f_mail); filter(f_crit); destination(messages); };
log { source(src); filter(f_news); filter(f_err); destination(messages); };
# ---------------

The problem here is that filters in a log statement are combined by AND, while consecutive log statements are essentially additive. The original syslogd, on the other hand, allows consecutive statements to modify their preceding, more general statements.

The original line, for instance, meant "all lines notice-and-above, except authpriv, and also except any mail lines below crit and news lines below err. Furthermore, everything from kern and info-and-above from lpr." In the syslog-ng syntax, this is not reproduced: the log statements for mail and news are NOPs.

A similar problem exists with the /dev/console block.
>How-To-Repeat:
- install syslog-ng
- move /usr/local/etc/syslog-ng.conf.sample to /usr/local/etc/syslog-ng.conf
- activate syslog-ng in /etc/rc.conf
- deactivate system syslogd and start syslog-ng
- test classes like mail.err or news.warning via logger(1)
>Fix:
There is no way in syslog-ng to work with simple atomic filters and combine them in a sequence of log lines to emulate the syslog.conf mechanism, as the author tries. You have to employ more complex filters. I give an example.

I assume the predefined atomic filters in the sample file are still there:

# -------------
filter f_msgntc {
    level(notice..emerg)
    and not facility(authpriv)
    and not (facility(mail) and level(notice..err))
    and not (facility(news) and level(notice..warning))
    ;
};
#
log { source(src); filter(f_msgntc); destination(messages); };
log { source(src); filter(f_kern); filter(f_debug); destination(messages); };
log { source(src); filter(f_lpr); filter(f_info); destination(messages); };
# -------------

You also need to use a similar fix with the /dev/console block.
>Release-Note:
>Audit-Trail:
>Unformatted:
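The point of the report is a semantic mismatch between two selector languages: inside one syslog-ng log {} statement the filters are ANDed, across statements they are ORed, whereas a syslog.conf line lets a later facility selector override an earlier, broader one. The following Python model is an added illustration, not code from this PR or from syslog-ng itself; it encodes the sample block and the f_msgntc replacement from the Fix as boolean predicates over (facility, level) pairs and diffs each against the syslog.conf line. The bodies of the atomic filters (f_notice, f_kern, f_debug, and so on) are assumed from their names, as the report does; the facility list in compare() is a constructed sample.

```python
"""Model of the syslog-ng filter semantics described in ports/170299.

Added illustration; not the port's sample config or syslog-ng code.
A message is reduced to a (facility, level) pair. Filter bodies are
assumed from the names used in the sample config.
"""

# syslog severities from lowest to highest (debug=7 ... emerg=0).
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]


def level_in(level, lo, hi):
    """syslog-ng's level(lo..hi): an inclusive range of severities."""
    i = LEVELS.index(level)
    return LEVELS.index(lo) <= i <= LEVELS.index(hi)


# Atomic filters, assumed to match the names in the sample file.
def f_notice(fac, lvl): return level_in(lvl, "notice", "emerg")
def f_not_authpriv(fac, lvl): return fac != "authpriv"
def f_kern(fac, lvl): return fac == "kern"
def f_debug(fac, lvl): return level_in(lvl, "debug", "emerg")
def f_lpr(fac, lvl): return fac == "lpr"
def f_info(fac, lvl): return level_in(lvl, "info", "emerg")
def f_mail(fac, lvl): return fac == "mail"
def f_crit(fac, lvl): return level_in(lvl, "crit", "emerg")
def f_news(fac, lvl): return fac == "news"
def f_err(fac, lvl): return level_in(lvl, "err", "emerg")


# The sample config's /var/log/messages block: one inner list per log {}
# statement; filters inside a statement are ANDed.
SAMPLE_CONFIG = [
    [f_notice, f_not_authpriv],
    [f_kern, f_debug],
    [f_lpr, f_info],
    [f_mail, f_crit],
    [f_news, f_err],
]


def f_msgntc(fac, lvl):
    """The combined filter proposed in the Fix section."""
    return (level_in(lvl, "notice", "emerg")
            and fac != "authpriv"
            and not (fac == "mail" and level_in(lvl, "notice", "err"))
            and not (fac == "news" and level_in(lvl, "notice", "warning")))


FIXED_CONFIG = [[f_msgntc], [f_kern, f_debug], [f_lpr, f_info]]


def reaches_messages(config, fac, lvl):
    """Consecutive log statements are additive: the message reaches the
    destination if ANY statement's ANDed filter chain accepts it."""
    return any(all(f(fac, lvl) for f in chain) for chain in config)


def syslog_conf_reference(fac, lvl):
    """What the syslog.conf line selects: a later selector naming a
    facility overrides the earlier, more general '*.notice'."""
    if fac == "authpriv":
        return False
    if fac == "kern":
        return True
    if fac == "lpr":
        return level_in(lvl, "info", "emerg")
    if fac == "mail":
        return level_in(lvl, "crit", "emerg")
    if fac == "news":
        return level_in(lvl, "err", "emerg")
    return level_in(lvl, "notice", "emerg")


def compare(config):
    """Return the (facility, level) pairs where config disagrees with the
    syslog.conf line. Facility list is a constructed sample."""
    facs = ["kern", "user", "mail", "daemon", "auth", "lpr", "news",
            "authpriv", "local0"]
    return [(fac, lvl) for fac in facs for lvl in LEVELS
            if reaches_messages(config, fac, lvl) != syslog_conf_reference(fac, lvl)]


if __name__ == "__main__":
    # The sample config leaks mail notice..err and news notice..warning
    # into /var/log/messages; the fixed config matches syslog.conf exactly.
    print("sample config differs at:", compare(SAMPLE_CONFIG))
    print("fixed config differs at: ", compare(FIXED_CONFIG))
```

The mismatches the model reports are exactly the ones a logger(1) test would show: mail.err and news.warning reach /var/log/messages under the sample config because the broad first statement already accepted them, and the mail and news statements can only add matches, never subtract them. The fix works by folding the exclusions into the broad filter, which is the only place a syslog-ng config can express "everything at notice and above except these".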