syslog-ng and iptables logs
robert at linuxfromscratch.org
Thu Feb 17 19:11:15 PST 2005
It should be opening that file as root before it drops. The config seems to
be a bit wrong too; it's a file, not a pipe. Anyway, we are thinking of
switching back to sysklogd. Syslog-ng will depend on glib soon.
I checked Google about this too, and no one else seems to have this exact
problem. I suggest making /proc/kmsg group readable by syslog's group until
there's a better way.
On February 17, 2005 09:46 pm, T_B wrote:
> Today I was experimenting with trying to have syslog-ng capture logs
> generated by iptables. Basic syslog-ng.conf file did not seem to allow
> this. I tried setting the iptables --log-level to alert in hopes the
> messages would get logged to alert.log, but nothing.
> Then I noticed that when syslog-ng starts the following error message
> appears in message.log and syslog.log:
> io.c: do_read: read() failed (errno 1), Operation not permitted
> After a bit of googling, I found that this occurs because
> pipe("/proc/kmsg") appears as a listed source in /etc/syslog-ng.conf,
> /proc/kmsg has permissions 400 and is owned by root. Therefore, read
> access to it when syslog-ng is running as user syslog is not permitted.
> If one removes pipe("/proc/kmsg") from the list of sources, then the error
> message goes away. But this doesn't solve the problem of getting iptables
> messages as I suspect they originate from the kernel through /proc/kmsg.
> As an alternative, if syslog-ng is run as root, the error message goes
> away. A side benefit of this is that one now gets kern log messages (e.g.
> iptables LOG messages).
> I realize that it is preferred to run syslog-ng as a non-privileged user
> such as syslog. Does anyone know of a way to get kernel log messages
> without running as root?
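
The permission situation discussed in this thread, worked through as an added example (not code from either poster or from syslog-ng). It models only the classic owner/group/other mode-bit check made at open(), not capabilities, ACLs or security modules, and the syslog uid/gid 104 and the other account 1000 are constructed values.

```python
import os
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class FileMeta:
    mode: int  # permission bits only, e.g. 0o400
    uid: int   # owning user
    gid: int   # owning group

@dataclass(frozen=True)
class Proc:
    uid: int
    gids: frozenset  # primary plus supplementary group ids

def stat_path(path):
    """Read the real owner and mode, e.g. stat_path("/proc/kmsg")."""
    st = os.stat(path)
    return FileMeta(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)

def can_open_for_read(f, p):
    """Mode-bit read check at open(); exactly one class applies."""
    if p.uid == 0:
        return True  # root with full capabilities bypasses mode bits
    if p.uid == f.uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.gid in p.gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)

# Constructed ids for illustration; real values come from /etc/passwd.
SYSLOG = Proc(uid=104, gids=frozenset({104}))
ROOT = Proc(uid=0, gids=frozenset({0}))
OTHER = Proc(uid=1000, gids=frozenset({1000}))

def audit():
    shipped = FileMeta(0o400, 0, 0)      # mode 400, root:root, as in the thread
    group_fix = FileMeta(0o440, 0, 104)  # group set to syslog's, group-readable
    return {
        "syslog, mode 400 root:root": can_open_for_read(shipped, SYSLOG),
        "root, mode 400 root:root": can_open_for_read(shipped, ROOT),
        "syslog, mode 440 root:syslog": can_open_for_read(group_fix, SYSLOG),
        "other user, mode 440 root:syslog": can_open_for_read(group_fix, OTHER),
    }

if __name__ == "__main__":
    for case, ok in audit().items():
        print(f"{case}: {'readable' if ok else 'denied'}")
```

Passing `stat_path("/proc/kmsg")` and the daemon's real ids to `can_open_for_read` checks a live system the same way.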