'Re: [psad-discuss] psadfifo dies daily after logrotate'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       psad-discuss
Subject:    Re: [psad-discuss] psadfifo dies daily after logrotate
From:       Michael Rash <mbr () cipherdyne ! org>
Date:       2008-11-23 0:06:23
Message-ID: 20081123000623.GA26175 () cipherdyne ! org
[Download RAW message or body]

On Nov 21, 2008, Riff Raff wrote:

> Running Kubuntu 8.04, all current upgrades.  Recent install of psad, v2.1 (file \
> revision: 2122). 
> I know it's not the latest and greatest version of psad, but it's the "official" \
> one from the repositories, and it basically works, except: 
> Every morning my psad fifo pipe to syslog breaks, and I have to restart syslogd \
> (sysklog init script in this distro).  I've tried adding a syslog restart command \
> after fwdata rotates and psad restarts (using the && "and")but it doesn't help.  I \
> still have to manually restart sysklog every day. 
> 
> My /etc/logrotate.d/psad file:
> 
> /var/log/psad/fwdata {
> daily
> missingok
> rotate 3
> compress
> delaycompress
> notifempty
> postrotate
> psad --HUP 
> endscript
> }
> 
> The last script in that directory is called wpa_action, and I've even tried adding \
> the syslog restart to the end of it, just to try and make it the last thing that \
> runs.  Still no joy.   The fifo pipe is still only working with kmsgsd, not \
> syslogd.  Once I restart syslogd, everything's fine, until the next daily log \
> rotation.  
> I suspect I've overlooked something simple, but I'm just not seeing it.  Any \
> thoughts?

This is a bug in psad-2.1, and was fixed in psad-2.1.1 by implementing
both size and inode checks against the fwdata file.  If the file size
decreases or the inode changes (such as when logrotate cycles it), then
psad re-opens it.  Here is the diff to illustrate (see the section
around line 802):

http://trac.cipherdyne.org/trac/psad/changeset?old_path=psad%2Ftags%2Fpsad-2.1%2Fpsad&old=2247&new_path=psad%2Ftags%2Fpsad-2.1.1%2Fpsad&new=2247


You could either update to psad-2.1.1 or I could cook up a patch for
psad-2.1 if you prefer.

-- 
Michael Rash
http://www.cipherdyne.org/
Key fingerprint: E2EF 0C8A 5AA9 654C 4763  B50F 37AC E946 7F51 8271

> 
> 
> Thanks,
> 
> -mike
> 
> 
> 
> 
> 
> 
> 
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic