cvs commit: src/usr.sbin/syslogd syslogd.8 syslogd.c

Pawel Jakub Dawidek pjd at FreeBSD.org
Tue Mar 7 11:37:02 PST 2006


On Tue, Mar 07, 2006 at 02:08:43PM -0500, Garance A Drosehn wrote:
+> At 9:14 AM +0100 3/7/06, Pawel Jakub Dawidek wrote:
+> >On Mon, Mar 06, 2006 at 12:08:08PM -0500, John Baldwin wrote:
+> >+> Did you know about the -C option to newsyslog?  newsyslog is a
+> >+> better tool for creating the log files since its config file
+> >+> can specify permissions (owner, group, chmod).
+> >
+> >I agree, but I didn't remove this functionality from the
+> >newsyslog(8).  I wanted to have this simple functionality
+> >in syslogd(8) for a few small reasons:
+> >
+> >- I don't really buy that not creating log files is a security
+> >  feature.
+> 
+> Creating them with the wrong group, wrong chmod bits, or not
+> including 'nosave' on logfiles which are expected to be
+> 'nosave' might be a problem.

That's why I chose safe permissions.
I don't want it to replace newsyslog, I just want it to be handy.
I very often find myself adding all.log to syslog.conf, restarting
syslogd and realising that I forgot to create the all.log file, so I need to
create the file (it's faster than calling newsyslog and I don't want to
call it with -CC, that way I can avoid touching newsyslog.conf at all).

+> >- You don't always want newsyslog(8) (e.g. on an embedded system).
+> 
+> You don't want to rotate logfiles on an embedded system?

Not always. On the system I had in mind we use our own script for this.

+> >- It's more handy to add a new log file and just restart syslogd
+> >  without any errors, instead of editing newsyslog.conf,
+> >  executing newsyslogd -C and then restarting syslogd.
+> 
+> To use this new syslogd feature, you're going to have to add
+> that '-C' flag somewhere.  And in /etc/defaults/rc.conf, we
+> already have:
+> 
+> newsyslog_enable="YES"  # Run newsyslog at startup.
+> newsyslog_flags="-CN"   # Newsyslog flags to create marked files
+> 
+> All you need to do is add a second '-C' to those newsyslog_flags,
+> and newsyslog will automatically create all log files which do
+> not exist.  And if you're adding a new logfile to /etc/syslog.conf,
+> then it seems very likely that you will also want to add a
+> line to newsyslog.conf to rotate that log file.

I'll add -C when I add syslogd_flags to my rc.conf.

I don't like -CC. I also like to change one thing in one place.
Having newsyslog read syslog.conf and deciding based on this which files
are necessary will be more useful, but of course it will be messier
(newsyslog should not depend on other daemons configuration files).

Most useful will be to have one configuration file for syslogd and
newsyslog, e.g.:

*.*		/var/log/all.log	600  7     *    @T00  J
security.*	/var/log/security	600  10    100  *     JC

And teach syslogd to create configuration files with proper
owner+permission on start.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
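
The combined-file idea from the message above, as an added example (not code from the post or from FreeBSD's syslogd): parse one line of the proposed format and create the log file only if it is missing, with the configured mode. It assumes the columns after the path follow newsyslog.conf(5) order (mode first); `struct log_entry`, `parse_line`, `create_log`, `demo` and the rw-bits-only policy are hypothetical, and owner handling is left out because the sample lines carry no owner column.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct log_entry {                 /* hypothetical; only the first 3 columns are used */
    char selector[64], path[256];
    unsigned int mode;
};

/* Parse "selector path mode ..."; 0 on success, -1 on a malformed or unsafe line. */
int parse_line(const char *line, struct log_entry *e)
{
    if (sscanf(line, "%63s %255s %o", e->selector, e->path, &e->mode) != 3)
        return -1;
    return (e->mode & ~0666u) ? -1 : 0;   /* assumed policy: rw bits only */
}

/* 1 = created, 0 = already existed (left untouched), -1 = error. */
int create_log(const struct log_entry *e)
{
    /* O_EXCL fails on any existing name, including a symlink planted there. */
    int fd = open(e->path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return errno == EEXIST ? 0 : -1;
    /* Set the configured mode on the descriptor so the umask cannot alter it. */
    int rc = fchmod(fd, (mode_t)e->mode);
    close(fd);
    if (rc != 0) unlink(e->path);
    return rc == 0 ? 1 : -1;
}

/* Constructed demo in a private temp directory; returns the resulting mode bits. */
int demo(void)
{
    char dir[] = "/tmp/syslogd-demo.XXXXXX", line[512];
    struct log_entry e;
    struct stat sb;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(line, sizeof line, "*.*\t%s/all.log\t600  7  *  @T00  J", dir);
    if (parse_line(line, &e) != 0 || create_log(&e) != 1) return -1;
    if (create_log(&e) != 0 || stat(e.path, &sb) != 0) return -1;  /* 2nd call: no-op */
    unlink(e.path); rmdir(dir);
    return (int)(sb.st_mode & 07777);
}

int main(void) { printf("%o\n", (unsigned)demo()); return 0; }
```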