Hi, > Even if rsyslog is the default syslog-type logging daemon > under lenny ( I'm using debian version 5.0.4, i.e. the stable > release of debian now ), the psad rsyslogd support is > incomplete. I'm using the default configuration file > /etc/psad/psad.conf contained in the psad package.
As a matter of fact since 2.1.3 iptables log messages are parsed by default from /var/log/messages to avoid playing with the different logging daemons. Here is the relevant part of the changelog: Updated to enable IPT_SYSLOG_FILE by default. This is a relatively important change since it changes the method of acquiring iptables log data from reading it out of named pipe from syslog to just parsing the /var/log/messages file. This implies that kmsgsd does not have to run, and that it is much easier to ensure that psad actually receives iptables log messages. The most complex and error prone aspect of psad in the past has been the reconfiguration of the various syslog daemons out there (which have very different configuration syntax and features) to write kern.info messages to the /var/lib/psad/psadfifo named pipe. > 1) > The original psad configuration file /etc/psad/psad.conf > contains the SYSLOG_DAEMON variable, which ( according to > the description in psad.conf ) can have four different > types of variables - syslogd, syslog-ng, ulogd or metalog. > But the value rsyslogd is missing!!! Even if psad has > also an rsyslogd support. [...] > I.e. we can see that psad has rsyslogd support and it's not > mentioned in the configuration file comment, which is also > the only (or the easy-to-find) documentation!!! I suggest > to add rsyslogd to the list of the supported syslog-type > servers. That one is thus easy to fix :) > 2) > If we define the syslog-type server as rsyslogd and move > the /etc/rsyslog.conf file so that it cannot be found, > we get an email with the following subject from psad: > [psad-error] /etc/syslog.conf does not exist, check > SYSLOG_DAEMON setting [...] Indeed, there is some conditions missing somewhere in the source code. As it seems you have dig into the code, would you mind providing a patch? That would be easier. > 3) > Even if rsyslogd is installed and configured properly according > to psad(8), i.e. /etc/rsyslog.conf contains the line: > ... > kern.info |/var/lib/psad/psadfifo > ... > psad doesn't start if invoked using the startup script: > /etc/init.d/psad start > ERR: Syslog has not been configured to send messages to > /var/lib/psad/psadfifo. Please configure it as described in psad(8). > The startup script /etc/init.d/psad should be changed so that it > supports also rsyslogd. That is the old initscript. The latest one does not even care about checking thoses files since psad default's behaviour has changed, as mentionned at the beginning of this message. I would definitely encourage you to use the default setup. If you supply a patch for psad, and it does not require any further work, maybe Michael could merge it to the current release. I mean, if we start playing around the psadfifo settings, it is going to be bothering for everyone. The current psad release has still those options, but I think it is more for backward compatibility. Micheal, if you think I should check for the psadfifo setup in the initscript, as Daniel did before, I will, just let me know if it worth. I only use(d) syslog and rsyslog and I do not know if there is any difference with metalog, ulogd. Full discussion can be found at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=586070 Regards, -- Franck Joncourt
signature.asc
Description: Digital signature
