Bug 14335 - firestarter hit list doesn't work when used with syslog-ng
Summary: firestarter hit list doesn't work when used with syslog-ng
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All
OS: All
Importance: High major
Assignee: Aron Griffis (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-01-21 21:17 UTC by Mr. Bones. (RETIRED)
Modified: 2003-03-10 23:08 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Mr. Bones. (RETIRED) gentoo-dev 2003-01-21 21:17:12 UTC
firestarter's hit list is filled with this pattern:
"*kernel: IN=* OUT=* SRC=*"
but with syslog-ng, "kernel:" isn't necessarily in the messages from the
kernel so firestarter never sees any hits even though they appear in
the log file.

Additionally, firestarter 0.9.0 is hard-coded to look at /var/log/messages
but the sample config file that comes with syslog-ng logs kernel messages
to /var/log/kern.log.

What to do?

First, upgrade to firestarter 0.9.1 which has many usability fixes and allows
the setting of the log file to watch.

Next, upgrade syslog-ng to at least 1.5.3 (latest is currently 1.5.25), which
supports the ability to customize log messages on a per-destination basis.

Marked this bug as "major" because if people are depending on the gui to monitor
their firewall, they're not seeing any hits even though they could be getting
probed all the time.
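To make the failure mode concrete, here is an added Python example (not firestarter's or syslog-ng's own code). It matches two constructed log lines against the hit-list pattern quoted in the report, treating that pattern as a shell-style glob (an assumption), and then parses the netfilter fields in a way that does not depend on the "kernel:" tag being present:

```python
import fnmatch

# Constructed sample lines (not taken from the bug report).
# The first is sysklogd style, where the kernel facility is tagged "kernel:".
# The second is what syslog-ng's default template emits for messages read
# from /proc/kmsg: same netfilter payload, but no "kernel:" tag.
SYSKLOGD_LINE = (
    "Jan 21 21:17:12 host kernel: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=4444 DPT=22 SYN"
)
SYSLOG_NG_LINE = (
    "Jan 21 21:17:12 host IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=4444 DPT=22 SYN"
)

# The pattern quoted in the report; assumed to be a shell-style glob.
FIRESTARTER_PATTERN = "*kernel: IN=* OUT=* SRC=*"


def firestarter_hit(line: str) -> bool:
    """Mimic the hit-list match: the line must carry the 'kernel:' tag."""
    return fnmatch.fnmatchcase(line, FIRESTARTER_PATTERN)


def parse_netfilter_hit(line: str):
    """Tag-independent alternative: key on the netfilter fields themselves.

    Returns a dict of KEY=VALUE fields when the line looks like a firewall
    log entry (IN, OUT, SRC and DST all present), otherwise None.
    """
    if " IN=" not in line:
        return None
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    if not {"IN", "OUT", "SRC", "DST"} <= set(fields):
        return None
    return fields


if __name__ == "__main__":
    for sample in (SYSKLOGD_LINE, SYSLOG_NG_LINE):
        print(firestarter_hit(sample), parse_netfilter_hit(sample) is not None)
```

Run stand-alone, it prints True/True for the sysklogd line and False/True for the syslog-ng line, which is exactly the gap the report describes: the probe is in the log, but the glob never sees it.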
Comment 1 Aron Griffis (RETIRED) gentoo-dev 2003-03-04 15:46:02 UTC
Okay, firestarter 0.9.1 has been marked stable, that leaves syslog-ng to worry
about.  Is there any issue to marking 1.5.26-r1 stable?  If not, I can go ahead
and do it during the package upgrades phase (now).
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2003-03-04 16:34:06 UTC
1.5 shouldn't be marked stable as I believe it is a devel version.
In fact, I wonder why the 1.5 versions are even in portage.

However, 1.6 is out and the web site (http://www.balabit.com/products/syslog-ng/upgrades.bbq) says that 1.6 should
be the version "deployed in production environments".
Comment 3 Aron Griffis (RETIRED) gentoo-dev 2003-03-05 09:14:38 UTC
Okay, I'm working on a 1.6 ebuild now.
Comment 4 Aron Griffis (RETIRED) gentoo-dev 2003-03-05 09:27:29 UTC
Okay, I've added the 1.6.0_rc1 ebuild.  Please give it a try.  Also,
if you can provide a simple, secure, default configuration, I could
add that to a -r1 ebuild.
Comment 5 Mr. Bones. (RETIRED) gentoo-dev 2003-03-07 23:01:09 UTC
Here you go:

#
# $Header: /home/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.sample,v 1.4 2002/10/12 07:26:42 blocke Exp $
#
# Syslog-ng configuration file
#

# Global options: keep short hostnames, do not fsync after every write
options { long_hostnames(off); sync(0); };

# Sources: the local syslog socket, syslog-ng's own messages, and the
# kernel ring buffer via /proc/kmsg (this is where firewall hits come from)
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

# Destinations: the main log file and a console for live viewing
destination messages { file("/var/log/messages"); };
destination console_all { file("/dev/tty12"); };

# Send everything from the source to both destinations
log { source(src); destination(messages); };
log { source(src); destination(console_all); };
Comment 6 Aron Griffis (RETIRED) gentoo-dev 2003-03-10 23:08:23 UTC
Okay, syslog-ng-1.6.0_rc1-r1 is in cvs now, with a default
configuration and logrotate.d snippet.  It is marked stable on x86 and
alpha where I can test.  I believe this bug can be closed now...

Thanks!