syslog-ng and iptables logs
T_B at sympatico.ca
Thu Feb 17 18:46:30 PST 2005
Today I was experimenting with trying to have syslog-ng capture logs
generated by iptables. The basic syslog-ng.conf file did not seem to allow
this. I tried setting the iptables --log-level to alert in hopes the
messages would get logged to alert.log, but nothing.
Then I noticed that when syslog-ng starts the following error message
appears in message.log and syslog.log:
io.c: do_read: read() failed (errno 1), Operation not permitted
After a bit of googling, I found that this occurs because pipe("/proc/kmsg")
appears as a listed source in /etc/syslog-ng.conf; /proc/kmsg has
permissions 400 and is owned by root. Therefore, read access to it when
syslog-ng is running as user syslog is not permitted.
If one removes pipe("/proc/kmsg") from the list of sources, then the error
message goes away. But this doesn't solve the problem of getting iptables
messages as I suspect they originate from the kernel through /proc/kmsg. As
an alternative, if syslog-ng is run as root, the error message goes away. A
side benefit of this is that one now gets kern log messages (e.g. iptables
I realize that it is preferred to run syslog-ng as a non-privileged user
such as syslog. Does anyone know of a way to get kernel log messages
without running as root?