From psad-discuss Mon Nov 17 01:08:43 2008
From: Michael Rash
Date: Mon, 17 Nov 2008 01:08:43 +0000
To: psad-discuss
Subject: Re: [psad-discuss] psad on Ubuntu 8.04 Server: syslogd not
Message-Id: <20081117010843.GA3299 () cipherdyne ! org>
X-MARC-Message: https://marc.info/?l=psad-discuss&m=122688418931624

On Nov 12, 2008, Sam Kuper wrote:

> 2008/11/12 Sam Kuper :
> > I'd been wondering what that \t was for, and had tried googling it (to
> > no avail). I'll try to trace what prompted me to insert it (as I
> > recall, I copied and pasted that line from somewhere - either the psad
> > man page or a page on cipherdyne) and reply to the list.
>
> I'm pretty sure it was the man-page. I've just tried installing psad
> on another Hardy server (using 'sudo aptitude install psad'), and I'll
> describe what happened as though I hadn't been posting to this thread:
> in other words, as though it were my first time installing psad.
>
> During the install the following lines are printed to the terminal:
>
> ERR: Syslog has not been configured to send messages to
> /var/lib/psad/psadfifo. Please configure it as described in psad(8).
>
> So I read the manpage, and it says:
>
> psad Syslog needs to be configured to write all kern.info messages to
> a named pipe /var/lib/psad/psadfifo. A simple
>
> echo -e âkern.info\t|/var/lib/psad/psadfifoâ >> /etc/syslog.conf
>
> will do. Remember also to restart syslog after the changes to this file.
>
> Now I'm pretty sure that the â characters shouldn't be there:
> presumably they ought to be quotation marks or apostrophes or
> something. So I check my character encoding settings in PuTTY, which
> is what I use to log in to the server, and set them to UTF-8, which I
> believe is the Ubuntu default, and set the terminal-type string to
> "linux".
> Now that line in the man page looks like this:
>
> echo -e 'kern.info\t|/var/lib/psad/psadfifo' >> /etc/syslog.conf
>
> I'm still learning Linux, and I don't know what the \t is supposed to
> do, but I figure that since the apostrophes are displaying correctly
> now and I can't see any other character encoding errors, that must
> indeed be the intended command. So I execute it, and even under sudo
> it gives:
>
> -bash: /etc/syslog.conf: Permission denied
>
> So I figure maybe there's something about the syslog.conf that means I
> can't echo to it, even under sudo - much like the /etc/shadow example
> given at http://aplawrence.com/Basics/sudo.html
>
> At this point, I realise it's probably easier just to use vim to paste
> in the line, and I end up in ... the mess that made me start this
> thread :)
>
> Now, it's still unclear to me why the echo -e command didn't work
> (maybe it really is like the /etc/shadow example given at
> http://aplawrence.com/Basics/sudo.html - I think it probably is,
> because using sudo -i to become root and then executing the command
> does work), but I should have noticed that the -e option means that
> echo is supposed to interpret backslash escapes, and that this means
> the \t ought to be expanded into a [tab] in the syslog.conf line.
>
> So, the problem was largely my fault for not noticing that, but partly
> also the man page's fault for telling me to execute a command that
> wouldn't work except as root, and which didn't mention this point.
>
> At any rate, I'm very grateful for psad's existence, and for all the
> help in getting it working for me! And I'd be happy to consider filing
> a bug against the psad man page in Ubuntu Hardy, asking that the need
> to become root to run the command is mentioned, if anyone on this list
> thinks it might be worthwhile for me to do so.

I will fix the \t problem in the man page, and thanks for noticing the
issue.
--Mike

> Thanks again,
>
> Sam
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss
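
Added example, not part of the original thread or the psad man page: in `sudo echo ... >> /etc/syslog.conf` the invoking shell opens the file for the `>>` redirection itself, with the unprivileged user's rights, before sudo starts, which is why the append is denied. The sketch below appends through `tee -a` instead and checks that the rule holds a real tab rather than a pasted `\t`; the function names `add_psad_fifo_rule` and `check_psad_fifo_rule` are hypothetical.

```shell
#!/bin/sh
# Constructed example. Function names are hypothetical; the rule text and
# file paths are the ones quoted from the psad man page in this thread.
RULE_RE='^kern\.info[[:space:]]+\|/var/lib/psad/psadfifo[[:space:]]*$'

# Print ok / literal-escape / missing for the psad rule in FILE ($1).
check_psad_fifo_rule() {
    # A pasted, unexpanded "\t" (backslash + t) is not a field separator.
    if grep -Fq 'kern.info\t|/var/lib/psad/psadfifo' "$1"; then
        echo literal-escape; return 1
    fi
    if grep -Eq "$RULE_RE" "$1"; then
        echo ok; return 0
    fi
    echo missing; return 1
}

# add_psad_fifo_rule FILE [ELEVATE]
# ELEVATE is an optional command prefix such as "sudo". It is applied to
# tee, the process that opens FILE, not to a shell redirection.
add_psad_fifo_rule() {
    conf=$1
    elevate=${2:-}
    # Idempotent: do nothing if a well-formed rule is already present.
    if grep -Eq "$RULE_RE" "$conf" 2>/dev/null; then
        return 0
    fi
    # printf expands \t portably; "echo -e" depends on the shell's echo.
    printf 'kern.info\t|/var/lib/psad/psadfifo\n' | $elevate tee -a "$conf" >/dev/null
}

# Real use, as an unprivileged user with sudo rights:
#   add_psad_fifo_rule /etc/syslog.conf sudo && check_psad_fifo_rule /etc/syslog.conf
# then restart syslog, as the man page says.
```

A line reported as `literal-escape` is not removed by `add_psad_fifo_rule`; delete it by hand before relying on the `ok` result.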