{"id":458,"date":"2013-08-27T16:08:40","date_gmt":"2013-08-27T14:08:40","guid":{"rendered":"http:\/\/valentijn.sessink.nl\/?p=458"},"modified":"2013-08-27T16:12:09","modified_gmt":"2013-08-27T14:12:09","slug":"syslog-ng-intrusion-detection","status":"publish","type":"post","link":"https:\/\/valentijn.sessink.nl\/?p=458","title":{"rendered":"Syslog-ng intrusion detection"},"content":{"rendered":"<p>There seems to be a problem using the file() destination for \/proc files in Linux. When implementing <a href=\"https:\/\/valentijn.sessink.nl\/?p=322\">Securing Your Server With Syslog-NG<\/a> you will run into it. Please read below.<br \/>\n<!--more--><br \/>\nAfter I updated my main syslog-ng machine, a problem came up. My logs filled with<br \/>\n<code><br \/>\nAug 27 13:01:55 machine syslog-ng[13037]: I\/O error occurred while<br \/>\nwriting; fd='23', error='Illegal seek (29)'<br \/>\nAug 27 13:01:55 machine syslog-ng[13037]: Suspending write operation<br \/>\nbecause of an I\/O error; fd='23', time_reopen='60'<\/code><\/p>\n<p>First, I thought I had used the wrong destination; that some sort of filtering was wrong, or that other configuration options weren&#8217;t right. But then, after stripping everything from the configuration, the errors still kept creeping up.<\/p>\n<p>The problem seems to be that syslog-ng calls lseek(0,2) before using write(). This is fine for regular files, but it won&#8217;t work for \/proc, as there is no &#8220;end&#8221; to write to.<\/p>\n<p>In the meantime, I worked around this by using the rather clumsy<br \/>\n<code>destination d_syslogblock { program(\"\/bin\/cat > \/proc\/net\/xt_recent\/syslogblock\" template(\"+${usracct.device}\\n\")); };<\/code><\/p>\n<p>I hope to get this resolved in a more definite way, though. I&#8217;ll update this post.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There seems to be a problem using the file() destination for \/proc files in Linux. When implementing Securing Your Server With Syslog-NG you will run into it. Please read below.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,49],"tags":[58,59,57,56,9,63,55],"class_list":["post-458","post","type-post","status-publish","format-standard","hentry","category-happy-hacking","category-ipv6-2","tag-firewall","tag-intrusion-prevention","tag-ip6tables","tag-iptables","tag-linux","tag-security","tag-syslog-ng"],"_links":{"self":[{"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=\/wp\/v2\/posts\/458","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=458"}],"version-history":[{"count":4,"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=\/wp\/v2\/posts\/458\/revisions"}],"predecessor-version":[{"id":468,"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=\/wp\/v2\/posts\/458\/revisions\/468"}],"wp:attachment":[{"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=458"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=458"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/valentijn.sessink.nl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=458"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}