Syslog-ng intrusion detection

There seems to be a problem using the file() destination for /proc files in Linux. When implementing Securing Your Server With Syslog-NG you will run into it. Please read below.

After I updated my main syslog-ng machine, a problem came up. My logs filled with

Aug 27 13:01:55 machine syslog-ng[13037]: I/O error occurred while
writing; fd='23', error='Illegal seek (29)'
Aug 27 13:01:55 machine syslog-ng[13037]: Suspending write operation
because of an I/O error; fd='23', time_reopen='60'

First, I thought I had used the wrong destination; that some sort of filtering was wrong, or that other configuration options weren’t right. But then, after stripping everything from the configuration, the errors still kept creeping up.

The problem seems, that syslog-ng calls lseek(0,2) before using write(). This is fine for regular files, but it won’t work for /proc, as there is no “end” to write to.

In the mean time, I worked around this by using the rather clumsy
destination d_syslogblock { program ("/bin/cat >
/proc/net/xt_recent/syslogblock" template("+${usracct.device}\n")

I hope to get this resolved in a more definite way, though. I’ll update this post.

Tags: , , , , , ,

One Response to “Syslog-ng intrusion detection”

  1. Valentijn Sessink » Blog Archive » Securing your server with Syslog-ng Says:

    […] update. There seems to be a problem using the syslog-ng file() destination on /proc in Linux. See http://valentijn.sessink.nl/?p=458 for more […]