Re: Logging IPTables to file using syslogd

From: Harry Putnam (reader@newsguy.com)
Date: 06/23/02


To: security-discuss@linuxsecurity.com
From: Harry Putnam <reader@newsguy.com>
Date: Sat, 22 Jun 2002 20:12:35 -0700


Diyan Christian <sauron@lug.stikom.edu> writes:

>> The "-" is used for it to understand the difference between the facility and
>> action. Else it will think "kern.*" and "/var/log/newfile" is this:
>> "kern.*/var/log/newfile" which is not a valid syslog facility.
>
> Nope. The "-" character just before the argument (in this case a file) is used
> by syslog to do syncing (direct writes) to disk, rather than queueing up first in the
> buffers (in case your hardware crashes and you lose important logs),
> so if performance is your choice over data integrity, you may omit the
> "-" character.

Sorry, but I was cursed with a thick skull. Can you explain in a
little more detail about this? Do you mean syslogd can be made to
write immediately to a file instead of buffering a set amount of data?

How can I test this? For example, with syslogd directed to write to
a fifo:

   *.* |/some/fifo

I always see a pause when I put a listener on that fifo. I
understood the pause to be caused by a buffering situation. Some set
amount of data accumulates in the buffer (I forgot the figure) and
then a write happens. Another pause while the buffer fills, etc.

Sounds like what you are saying is that by adding a `-' to the above
rule:
   *.* -|/some/fifo
One could force syslogd data to be written to the fifo with no
buffering.

This could be a way to get full `real time' access to filtered log
files. Am I following your point correctly?
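As an added example (not code from this thread or from any syslogd), below is a small parser for syslog.conf rules of the kind quoted above. It classifies each action (regular file, fifo, remote host, users, wall) and lists which regular files are written without the per-message sync, following the sysklogd convention documented in syslog.conf(5): a leading `-` on a file name tells syslogd to omit the fsync after every write (the message is still written immediately; only the fsync is skipped). The sample configuration is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample syslog.conf (not from any real host); it includes the
# rules discussed in the thread plus a few other action types.
SAMPLE_CONF = """\
kern.*                  /var/log/newfile
kern.*                  -/var/log/newfile.nosync
*.*                     |/some/fifo
*.*                     -|/some/fifo
mail.info;mail.!err     -/var/log/mail.log
*.emerg                 *
authpriv.*              @loghost
"""

@dataclass
class Rule:
    selectors: List[str]     # e.g. ["kern.*"] or ["mail.info", "mail.!err"]
    kind: str                # "file", "fifo", "remote", "users" or "wall"
    target: str              # path, host name, user list or "*"
    synced: Optional[bool]   # file targets only: False when '-' omits fsync()

def parse_action(action: str) -> Tuple[str, str, Optional[bool]]:
    """Classify the action field; a leading '-' means 'no fsync after each write'."""
    no_sync = action.startswith("-")
    body = action[1:] if no_sync else action
    if body.startswith("|"):
        return "fifo", body[1:], None          # nothing to fsync on a pipe
    if body.startswith("/"):
        return "file", body, not no_sync
    if body.startswith("@"):
        return "remote", body[1:], None        # forwarded to another host
    if body == "*":
        return "wall", body, None              # message to all logged-in users
    return "users", body, None                 # comma separated login names

def parse_rule(line: str) -> Optional[Rule]:
    line = line.strip()
    if not line or line.startswith("#"):       # blank line or comment
        return None
    fields = re.split(r"\s+", line, maxsplit=1)
    if len(fields) != 2:
        raise ValueError(f"malformed rule: {line!r}")
    kind, target, synced = parse_action(fields[1])
    return Rule(fields[0].split(";"), kind, target, synced)

def parse_conf(text: str) -> List[Rule]:
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]

def unsynced_files(rules: List[Rule]) -> List[str]:
    """Audit helper: files whose last lines may be lost if the host crashes."""
    return [r.target for r in rules if r.kind == "file" and r.synced is False]
```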