On Wed, Feb 07, 2007 at 12:34:07AM -0500, jared r r spiegel wrote: > On Tue, Feb 06, 2007 at 08:21:38AM -0600, Phusion wrote: > > When installing syslog-ng on a OpenBSD 4.0 machine should I start the > > daemon in /etc/rc.local or /etc/rc.securelevel? > > taking a peek at /etc/rc, the base syslogd is started unconditionally > before even rc.securelevel is sourced. > > it feels a bit dirty, but looks like the only way to completely perfectly > replace the default syslogd would be to edit /etc/rc in some way or another > ( your rc.local/rc.securelevel syslog-ng startup stanza could kill syslogd, > but below i mention some stuff that syslog-ng would've missed anyway ). > > in /etc/rc v1.295: > > - rc.local is sourced on line 710 > - syslogd is started on line 301 > - rc.conf is sourced on line 206 (and rc.conf tries to source rc.conf.local) > > so if you want to totally drop the default syslogd and use syslog-ng for > local logging on this host: > > - one of the worst possible ways would probably to be to put your actual > startup stanza for syslog-ng in /etc/rc.conf.local which would make it > start before the network and probably make anyone reading this want to > puke a bit. > - actually, no, the worst thing would probably to be to go to line 301 and > replace 'syslogd' with '/usr/local/sbin/syslog-ng', since their arguments > are not the same. > - the "cleanest" way that comes to mind to do a 1-to-1 replacement > without disturbing the current working of things much, if at all, would > be to add a parameter to rc.conf.local for 'syslogd="NO"', then wrap the > current /etc/rc syslogd stanza from line 291 through line 301 in a > conditional that checks for that syslogd parameter being != "NO" similar > to the one for pf(4) right below the syslogd one. then more another params > to rc.conf.local for 'syslogng="YES"' ( or _ng if you want, whatever ) and > 'syslogng_flags="whatever args"' and add a conditional startup stanza > for syslog-ng right below the normal syslogd one. > > outside of editing /etc/rc, starting it in rc.local would mean that > the default syslogd would handle anything started after line 301 > up to line 710 -- anything started under 'standard daemons' could be > caught by syslog-ng, but anything before that (most notably all the > stuff after 'initial' and 'network' daemons and a few other things > that syslog) would be under the sole jurisdiction of the base syslogd(8). > > either way, if syslog-ng is going to be used locally, i'd make a check > between whatever your favourite way of determining if something is running > (syslogd) and syslog-ng's .conf to see if they're going to try to fight > over anything. > > given that syslog-ng's source sockets are handled in its .conf and > not on commandline, perhaps also try to sanely handle/duplicate > the current extra socket checks (named/dev/log, empty/dev/log) that > the stock syslogd /etc/rc stanza checks for. > > if syslog-ng is going to be used on this host only as a dumping ground > for incoming remote TCP/UDP log messages (eg, doesn't make any local > unix sockets, only listens to network, and syslogd does also *not* > listen to the network (-u)), leave /etc/rc alone and just do > /etc/rc.local because then it doesn't really matter other than a > few wallclock seconds when this host boots up whether you do > rc.local or rc.securelevel. the fewer things you put in rc.securelevel, > the fewer things you have to accidentally forget about during upgrade > or troubleshooting.
Or do as I do, and just run syslog-ng alongside syslogd. Where syslog-ng handles the network stuff, and syslogd dumps stuff via lo0. Sure, it's ugly, but it's easy to set up and works fine. And doesn't have quite as interesting a failure mode as the alternative. Joachim