On Wed, Feb 07, 2007 at 12:34:07AM -0500, jared r r spiegel wrote:
> On Tue, Feb 06, 2007 at 08:21:38AM -0600, Phusion wrote:
> > When installing syslog-ng on a OpenBSD 4.0 machine should I start the
> > daemon in /etc/rc.local or /etc/rc.securelevel?
> 
>   taking a peek at /etc/rc, the base syslogd is started unconditionally
>   before even rc.securelevel is sourced.
> 
>   it feels a bit dirty, but looks like the only way to completely perfectly
>   replace the default syslogd would be to edit /etc/rc in some way or another
>   ( your rc.local/rc.securelevel syslog-ng startup stanza could kill syslogd,
>     but below i mention some stuff that syslog-ng would've missed anyway ).
> 
>   in /etc/rc v1.295:
> 
> - rc.local is sourced on line 710
> - syslogd is started on line 301
> - rc.conf is sourced on line 206 (and rc.conf tries to source rc.conf.local)
> 
>   so if you want to totally drop the default syslogd and use syslog-ng for
>   local logging on this host:
> 
> - one of the worst possible ways would probably to be to put your actual
>   startup stanza for syslog-ng in /etc/rc.conf.local which would make it
>   start before the network and probably make anyone reading this want to
>   puke a bit.
> - actually, no, the worst thing would probably to be to go to line 301 and
>   replace 'syslogd' with '/usr/local/sbin/syslog-ng', since their arguments
>   are not the same.
> - the "cleanest" way that comes to mind to do a 1-to-1 replacement 
>   without disturbing the current working of things much, if at all, would
>   be to add a parameter to rc.conf.local for 'syslogd="NO"', then wrap the
>   current /etc/rc syslogd stanza from line 291 through line 301 in a
>   conditional that checks for that syslogd parameter being != "NO" similar
>   to the one for pf(4) right below the syslogd one.  then more another params
>   to rc.conf.local for 'syslogng="YES"' ( or _ng if you want, whatever ) and
>   'syslogng_flags="whatever args"' and add a conditional startup stanza
>   for syslog-ng right below the normal syslogd one.
> 
>   outside of editing /etc/rc, starting it in rc.local would mean that
>   the default syslogd would handle anything started after line 301
>   up to line 710 -- anything started under 'standard daemons' could be
>   caught by syslog-ng, but anything before that (most notably all the
>   stuff after 'initial' and 'network' daemons and a few other things
>   that syslog) would be under the sole jurisdiction of the base syslogd(8).
> 
>   either way, if syslog-ng is going to be used locally, i'd make a check
>   between whatever your favourite way of determining if something is running
>   (syslogd) and syslog-ng's .conf to see if they're going to try to fight
>   over anything.
> 
>   given that syslog-ng's source sockets are handled in its .conf and
>   not on commandline, perhaps also try to sanely handle/duplicate
>   the current extra socket checks (named/dev/log, empty/dev/log) that
>   the stock syslogd /etc/rc stanza checks for.
>   
>   if syslog-ng is going to be used on this host only as a dumping ground
>   for incoming remote TCP/UDP log messages (eg, doesn't make any local
>   unix sockets, only listens to network, and syslogd does also *not*
>   listen to the network (-u)), leave /etc/rc alone and just do 
>   /etc/rc.local because then it doesn't really matter other than a
>   few wallclock seconds when this host boots up whether you do
>   rc.local or rc.securelevel. the fewer things you put in rc.securelevel,
>   the fewer things you have to accidentally forget about during upgrade
>   or troubleshooting.

Or do as I do, and just run syslog-ng alongside syslogd. Where syslog-ng
handles the network stuff, and syslogd dumps stuff via lo0.

Sure, it's ugly, but it's easy to set up and works fine. And doesn't
have quite as interesting a failure mode as the alternative.

                Joachim

Reply via email to