syslog-ng and iptables logs

T_B T_B at sympatico.ca
Thu Feb 17 18:46:30 PST 2005


Today I was experimenting with trying to have syslog-ng capture logs
generated by iptables.  Basic syslog-ng.conf file did not seem to allow
this.  I tried setting the iptables --log-level to alert in hopes the
messages would get logged to alert.log, but nothing.

Then I noticed that when syslog-ng starts the following error message
appears in message.log and syslog.log:
        io.c: do_read: read() failed (errno 1), Operation not permitted

After a bit of googling, I found that this occurs because pipe("/proc/kmsg")
appears as a listed source in /etc/syslog-ng.conf, and /proc/kmsg has
permissions 400 and is owned by root. Therefore, read access to it when
syslog-ng is running as user syslog is not permitted.

If one removes pipe("/proc/kmsg") from the list of sources, then the error
message goes away. But this doesn't solve the problem of getting iptables
messages as I suspect they originate from the kernel through /proc/kmsg.  As
an alternative, if syslog-ng is run as root, the error message goes away.  A
side benefit of this is that one now gets kern log messages (e.g. iptables
LOG messages).

I realize that it is preferred to run syslog-ng as a non-privileged user
such as syslog.  Does anyone know of a way to get kernel log messages
without running as root?



Regards

Bill
http://www.campin.net/syslog-ng/chroot-jail.html
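An added preflight check for the situation Bill describes (example code, not part of his post or of syslog-ng): it tells you, without starting the daemon, whether the config lists /proc/kmsg as a source and whether the user syslog-ng runs as can actually read it. The sample config, and the mode/owner/user values, are constructed; on a live box take them from the real syslog-ng.conf and stat(1).

```shell
#!/bin/sh
# Constructed syslog-ng 1.6-style config with the kernel pipe source listed.
SAMPLE_CONF='source src { pipe("/proc/kmsg"); unix-stream("/dev/log"); internal(); };
destination kern { file("/var/log/kern.log"); };
log { source(src); destination(kern); };'

# 0 if the config text on stdin names /proc/kmsg in a pipe() or file() source.
kmsg_source_listed() {
    grep -Eq '(pipe|file)[[:space:]]*\([[:space:]]*"/proc/kmsg"'
}

# 0 if a file with octal mode $1 owned by $2 is readable by user $3.
# Only the owner and "other" bits are consulted; group membership is ignored,
# which is exact for /proc/kmsg here (mode 400, owner root).
user_can_read() {
    mode=$1; owner=$2; user=$3
    [ "$user" = root ] && return 0
    if [ "$owner" = "$user" ]; then
        bit=$(( (0$mode / 64) & 4 ))   # owner read bit
    else
        bit=$(( 0$mode & 4 ))          # "other" read bit
    fi
    [ "$bit" -ne 0 ]
}

# diagnose CONFIG_TEXT MODE OWNER RUN_AS_USER
#   returns 0: kernel source listed and readable
#           1: listed but unreadable -> the "Operation not permitted" case
#           2: not listed -> no error, but no iptables LOG lines either
diagnose() {
    conf=$1; mode=$2; owner=$3; user=$4
    if ! printf '%s\n' "$conf" | kmsg_source_listed; then
        echo "note: /proc/kmsg is not a source; kernel messages will not be captured"
        return 2
    fi
    if user_can_read "$mode" "$owner" "$user"; then
        echo "ok: /proc/kmsg is listed and readable by $user"
        return 0
    fi
    echo "problem: /proc/kmsg (mode $mode, owner $owner) is listed but user $user cannot read it"
    return 1
}

# Bill's setup: source listed, daemon running as user syslog.
diagnose "$SAMPLE_CONF" 400 root syslog || echo "diagnose exit status: $?"
```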
More information about the hlfs-dev mailing list