On Wed, Feb 07, 2007 at 12:34:07AM -0500, jared r r spiegel wrote:
> On Tue, Feb 06, 2007 at 08:21:38AM -0600, Phusion wrote:
> > When installing syslog-ng on an OpenBSD 4.0 machine should I start the
> > daemon in /etc/rc.local or /etc/rc.securelevel?
>
> taking a peek at /etc/rc, the base syslogd is started unconditionally
> before even rc.securelevel is sourced.
>
> it feels a bit dirty, but looks like the only way to completely perfectly
> replace the default syslogd would be to edit /etc/rc in some way or another
> ( your rc.local/rc.securelevel syslog-ng startup stanza could kill syslogd,
> but below i mention some stuff that syslog-ng would've missed anyway ).
>
> in /etc/rc v1.295:
>
> - rc.local is sourced on line 710
> - syslogd is started on line 301
> - rc.conf is sourced on line 206 (and rc.conf tries to source rc.conf.local)
>
> so if you want to totally drop the default syslogd and use syslog-ng for
> local logging on this host:
>
> - one of the worst possible ways would probably be to put your actual
> startup stanza for syslog-ng in /etc/rc.conf.local which would make it
> start before the network and probably make anyone reading this want to
> puke a bit.
> - actually, no, the worst thing would probably be to go to line 301 and
> replace 'syslogd' with '/usr/local/sbin/syslog-ng', since their arguments
> are not the same.
> - the "cleanest" way that comes to mind to do a 1-to-1 replacement
> without disturbing the current working of things much, if at all, would
> be to add a parameter to rc.conf.local for 'syslogd="NO"', then wrap the
> current /etc/rc syslogd stanza from line 291 through line 301 in a
> conditional that checks for that syslogd parameter being != "NO" similar
> to the one for pf(4) right below the syslogd one. then add more params
> to rc.conf.local for 'syslogng="YES"' ( or _ng if you want, whatever ) and
> 'syslogng_flags="whatever args"' and add a conditional startup stanza
> for syslog-ng right below the normal syslogd one.
>
> outside of editing /etc/rc, starting it in rc.local would mean that
> the default syslogd would handle anything started after line 301
> up to line 710 -- anything started under 'standard daemons' could be
> caught by syslog-ng, but anything before that (most notably all the
> stuff after 'initial' and 'network' daemons and a few other things
> that syslog) would be under the sole jurisdiction of the base syslogd(8).
>
> either way, if syslog-ng is going to be used locally, i'd make a check
> between whatever your favourite way of determining if something is running
> (syslogd) and syslog-ng's .conf to see if they're going to try to fight
> over anything.
>
> given that syslog-ng's source sockets are handled in its .conf and
> not on commandline, perhaps also try to sanely handle/duplicate
> the current extra socket checks (named/dev/log, empty/dev/log) that
> the stock syslogd /etc/rc stanza checks for.
>
> if syslog-ng is going to be used on this host only as a dumping ground
> for incoming remote TCP/UDP log messages (eg, doesn't make any local
> unix sockets, only listens to network, and syslogd does also *not*
> listen to the network (-u)), leave /etc/rc alone and just do
> /etc/rc.local because then it doesn't really matter other than a
> few wallclock seconds when this host boots up whether you do
> rc.local or rc.securelevel. the fewer things you put in rc.securelevel,
> the fewer things you have to accidentally forget about during upgrade
> or troubleshooting.

Or do as I do, and just run syslog-ng alongside syslogd. Where syslog-ng
handles the network stuff, and syslogd dumps stuff via lo0.

Sure, it's ugly, but it's easy to set up and works fine. And doesn't
have quite as interesting a failure mode as the alternative.

Joachim
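
The check suggested in the quoted message (whether syslogd and syslog-ng are "going to try to fight over anything"), as an added example that is not code from anyone in the thread: it compares the sockets syslogd opens for a given set of flags with the `source` drivers in a syslog-ng.conf. The function names and the sample config are constructed for illustration; flags are assumed to be passed as separate words and at most one `udp()` driver per config line.

```shell
# Base syslogd endpoints: /dev/log by default, one more unix socket per
# "-a path", and UDP 514 input only with "-u" (see syslogd(8)).
syslogd_endpoints() {
    echo "unix:/dev/log"
    while [ $# -gt 0 ]; do
        case "$1" in
        -a) if [ $# -ge 2 ]; then echo "unix:$2"; shift; fi ;;
        -u) echo "udp:514" ;;
        esac
        shift
    done
}

# syslog-ng.conf on stdin: unix and udp drivers in "source" blocks only.
syslogng_endpoints() {
    awk '
    /^[ \t]*#/ { next }
    /^[ \t]*source[ \t]/ { in_src = 1 }
    in_src {
        line = $0
        while (match(line, /unix-(dgram|stream)[ \t]*\([ \t]*"[^"]+"/)) {
            s = substr(line, RSTART, RLENGTH); sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
            print "unix:" s; line = substr(line, RSTART + RLENGTH)
        }
        if (match($0, /udp[ \t]*\(/)) {
            rest = substr($0, RSTART); port = 514   # udp() defaults to 514
            if (match(rest, /port[ \t]*\([ \t]*[0-9]+/)) {
                port = substr(rest, RSTART, RLENGTH); gsub(/[^0-9]/, "", port)
            }
            print "udp:" port
        }
    }
    in_src && /[}][ \t]*;/ { in_src = 0 }'
}

# Usage: log_conflicts [syslogd flags...] < syslog-ng.conf
# Prints every endpoint that both daemons would try to own.
log_conflicts() {
    ng=$(syslogng_endpoints)
    syslogd_endpoints "$@" | while read -r ep; do
        if echo "$ng" | grep -Fxq -- "$ep"; then echo "$ep"; fi
    done
}

# Constructed sample config (not from the thread); the destination is ignored.
log_conflicts -a /var/empty/dev/log -u <<'EOF'
source local { unix-dgram("/dev/log"); internal(); };
source net { udp(ip(0.0.0.0) port(514)); };
destination loghost { udp("192.0.2.10" port(514)); };
EOF
```

An empty result corresponds to the side-by-side setup: syslog-ng with only network sources and syslogd started without `-u`.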