Bugzilla – Full Text Bug Listing
| Summary: | syslog-ng don't filter firewall messages anymore | ||
|---|---|---|---|
| Product: | [openSUSE] SUSE Linux 10.1 | Reporter: | Martin Lasarsch <martin.lasarsch> |
| Component: | Other | Assignee: | Dr. Werner Fink <werner> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Major | ||
| Priority: | P5 - None | CC: | aj, meissner, mlasars, mt, suse-beta, werner |
| Version: | Beta 3 | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| Whiteboard: | |||
| Found By: | Other | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | /sbin/klogd for INTEL i586 or higher, /sbin/klogd for AMD x86_64 | ||
Description
Martin Lasarsch
2006-02-01 19:20:20 UTC
I've installed b3 and will take a look at what happens there tomorrow.

This is not a bug of syslog(-ng) or klogd, but of the GLIBC.
The klogd receives the messages with "<4>" (LOG_KERNEL,LOG_WARNING),
and sends them using openlog()/syslog() with same facility and level,
but they are forwarded to syslog with "<12>" (LOG_USER,LOG_WARNING):
linux:/etc/syslog-ng # strace -f -p 3104
Process 3104 attached - interrupt to quit
read(0, "<4>SFW2-INext-DROP-DEFLT IN=eth0"..., 131071) = 204
time(NULL) = 1139364989
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
send(1, "<12>Feb 8 03:16:29 klogd: SFW2-"..., 227, MSG_NOSIGNAL) = 227
read(0, "<4>SFW2-INext-DROP-DEFLT IN=eth0"..., 131071) = 204
time(NULL) = 1139364989
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
send(1, "<12>Feb 8 03:16:29 klogd: SFW2-"..., 227, MSG_NOSIGNAL) = 227
The klogd uses openlog() and [v]syslog() functions to forward it,
but "somebody" sits in the middle means to have to improve it.
It seems that opening the socket /dev/log causes the linker to
put two functions into the communication between klogd
and syslogd/syslogd-ng:
/suse/werner> nm -D /sbin/klogd | grep log
U __syslog_chk
U __vsyslog_chk
00000000000035d0 T closelog
U klogctl
0000000000003600 T openlog
00000000000035b0 T setlogmask
0000000000003ad0 T syslog
00000000000036f0 T vsyslog
this is for any other user program a nice feature but to
have a working klogd: how to disable this ``feature'' ...
there is no documentation in the info page of the (g)libc.
As a userland application you are not allowed to use LOG_KERN in openlog. From the glibc documentation:
@c Internally, there is also LOG_KERN, but LOG_KERN == 0, which means
@c if you try to use it here, just selects default.
Else everybody could fake kernel alerts. klogd has to use its own functions if it wishes to use it.

As you should know, "nm -D" does not show you that the linker is putting two functions into the communication. Nothing is changing the level, it does not exist in userland.

Thanks for not reading my comment. I've shown that klogd uses its own openlog()/syslog()/closelog() due to the fact that glibc is not willing to support at least one user space program to be able to forward kernel messages.

I've tried out the hint of Thorsten of disabling the FORTIFY_SOURCE cpp macro.

Marius? Can you tell me which architecture you're using? I'd like to attach a new klogd for testing.

Created attachment 67000
/sbin/klogd for INTEL i586 or higher
Created attachment 67006
/sbin/klogd for AMD x86_64
(In reply to comment #7)
> /sbin/klogd for INTEL i586 or higher
works fine now.

Could I convince you to just use
#undef syslog
#undef vsyslog
on top of klogd.c (after #include <syslog.h>)?

OK, done
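The `<4>` to `<12>` re-tagging seen in the strace output, as an added example that is not code from this bug report, klogd or glibc: it models the rule in the glibc documentation comment quoted above (LOG_KERN == 0 just selects the default). The helpers `model_openlog`, `model_wire_pri`, `parse_pri` and `klogd_forward` are hypothetical names, and the default facility is assumed to be LOG_USER, as the `<12>` on the wire indicates.

```c
#include <stdio.h>
#include <syslog.h>

/* Assumption: the library's default facility is LOG_USER (8). */
static int default_facility = LOG_USER;

/* openlog()-like rule: a facility of 0 (LOG_KERN) counts as "not given",
 * so the default is left untouched. */
static void model_openlog(int facility)
{
    if (facility != 0 && (facility & ~LOG_FACMASK) == 0)
        default_facility = facility;
}

/* syslog()-like rule: if the priority carries no facility bits, the
 * default facility is ORed in. Returns the PRI sent to /dev/log. */
static int model_wire_pri(int priority)
{
    if ((priority & LOG_FACMASK) == 0)
        priority |= default_facility;
    return priority;
}

/* Parse the leading "<N>" of a log line; returns -1 if malformed. */
static int parse_pri(const char *msg)
{
    int pri;
    char close;
    if (sscanf(msg, "<%d%c", &pri, &close) != 2 || close != '>')
        return -1;
    return (pri < 0 || pri > 191) ? -1 : pri;  /* 23 facilities * 8 + 7 */
}

/* What a klogd built on the libc wrappers would forward for one line. */
static int klogd_forward(const char *kernel_line)
{
    int pri = parse_pri(kernel_line);
    if (pri < 0)
        return -1;
    model_openlog(LOG_KERN);      /* has no effect: LOG_KERN == 0 */
    return model_wire_pri(pri);   /* kern.warning becomes user.warning */
}

int main(void)
{
    const char *line = "<4>SFW2-INext-DROP-DEFLT IN=eth0"; /* from the strace */
    int in = parse_pri(line), out = klogd_forward(line);
    printf("read <%d>: facility=%d severity=%d\n", in, in >> 3, in & 7);
    printf("sent <%d>: facility=%d severity=%d\n", out, out >> 3, out & 7);
    return 0;
}
```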