
Introduction

I've never liked traditional syslogd and klogd very much. The network logging aspect of them was quite cool, but it always bothered me that they required root privs. Now I've found an alternative logging program that not only offers a superset of (sys|k)logd's functionality, but also has the capability to run as an unprivileged uid and gid in a chroot jail: syslog-ng.

Installation

The install process is really rather painless, although it can take a bit of time. First, you'll need to acquire the latest syslog-ng through either your distro's package management or from source. Make sure that you have a version >=1.5.3, otherwise the set(uid|gid) functionality will not be present. Building the packages requires no more than a traditional configure/make process:

cd libol-0.3.9
./configure && make
cd ../syslog-ng-1.6.0
./configure --with-libol="`pwd`/../libol-0.3.9" && make
su
umask 022
make install
exit

Now you'll have to add your new log uid/gid for syslog-ng. I chose user "log" and group "log". Creative, is it not? The process is simple and standard:

su
groupadd log
useradd -g log log
exit

Now it's time to create the correct logging directory. This decision, like all the others, is really one of preference, so feel free to change my path selections if you disagree. I chose to log my messages to "/var/log/syslog/" rather than the main "/var/log" directory. Some programs log directly to files rather than using the standard UNIX syslog() mechanism. Since syslog-ng is running in a chroot, a catastrophic security flaw in syslog-ng would give an attacker a local shell as uid/gid log, chrooted to "/var/log/syslog". I feel that it's best to render them unable to determine whether a daemon is running on the local machine from the existence of characteristic but unreadable logfiles, hence the directory separation.

su
cd /var/log
mkdir syslog
chown log.log syslog
chmod 700 syslog

Now it's time to set up syslog-ng's configuration correctly. Open up /usr/local/etc/syslog-ng/syslog-ng.conf in your favorite text editor and add something like:

options { long_hostnames(off); };

source src { unix-stream("/dev/log"); internal(); };
source ksrc { pipe("/proc/kmsg"); };

destination authlog { file("auth.log"); };
destination syslog { file("syslog"); };
destination cron { file("cron.log"); };
destination daemon { file("daemon.log"); };
destination kern { file("kern.log"); };
destination user { file("user.log"); };
destination mail { file("mail.log"); };

destination messages { file("messages"); };
destination emergency { file("emergency"); };

filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { program("syslog-ng"); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_messages { level(info..warn)
        and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(crit..emerg); };

filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_failed { match("failed"); };
filter f_denied { match("denied"); };

log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(ksrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(emergency); };

Don't fear; we're nearly finished. If you're running an ACL-enabled kernel (like RSBAC), now is the time to properly set up your ACLs. Otherwise, it's time to run the daemon. Of course, first we will need to kill off our old klogd and syslogd, otherwise we might encounter odd problems.

su
killall klogd
killall syslogd
/usr/local/sbin/syslog-ng -g log -u log -C /var/log/syslog
exit

If all goes well, a ps aux should reveal that syslog-ng is running. Go ahead and check your logfiles; syslog-ng should have recorded its own startup. If so, then you're essentially done. All you'll need to do is to edit your init scripts to replace syslogd and klogd with syslog-ng. You'll use the same invocation you used to start syslog-ng at the shell. The procedure is unfortunately distro specific, so I can only suggest that you check your distro documentation if you're unsure.
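A stricter check than ps aux, added here as an example (not from the original article or from syslog-ng itself): confirm that the log directory really is 0700 and owned by log, and that the running daemon actually has log's uid/gid and /var/log/syslog as its root, which is what -u, -g and -C promise. It assumes Linux with /proc and GNU-style stat -c.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes Linux (/proc,
# readlink, stat -c). Every function returns 0 on success, 1 on failure.

# check_logdir DIR USER GROUP: the chroot directory must be owned by
# USER:GROUP and be mode 0700, so no other uid can read or even list the logs.
check_logdir() {
    dir=$1; user=$2; group=$3
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    set -- $(stat -c '%a %U %G' "$dir")
    [ "$1" = "700" ] || { echo "$dir mode is $1, want 700"; return 1; }
    [ "$2" = "$user" ] && [ "$3" = "$group" ] ||
        { echo "$dir owned by $2:$3, want $user:$group"; return 1; }
    return 0
}

# proc_creds PID: print "uid gid" (effective ids, second column of the
# Uid:/Gid: lines) of a running process from /proc/PID/status.
proc_creds() {
    awk '/^Uid:/ {u=$3} /^Gid:/ {g=$3} END {print u, g}' "/proc/$1/status"
}

# check_daemon PID UID GID ROOT: the process must run with numeric UID/GID
# and have ROOT as its root directory (readable only by root or the same uid).
check_daemon() {
    pid=$1; uid=$2; gid=$3; root=$4
    set -- $(proc_creds "$pid")
    [ "$1" = "$uid" ] || { echo "pid $pid uid is $1, want $uid"; return 1; }
    [ "$2" = "$gid" ] || { echo "pid $pid gid is $2, want $gid"; return 1; }
    actual=$(readlink "/proc/$pid/root")
    [ "$actual" = "$root" ] || { echo "pid $pid root is $actual, want $root"; return 1; }
    return 0
}

# Against the live daemon from the article (run as root so /proc/PID/root is readable):
#   check_logdir /var/log/syslog log log &&
#   check_daemon "$(pidof syslog-ng)" "$(id -u log)" "$(id -g log)" /var/log/syslog
```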

If you get stuck, consult the documentation for syslog-ng (provided in a tarball in the doc/sgml subdirectory of the syslog-ng distribution) or the syslog-ng FAQ.

Nicholas J. Kain  | n i c h o l a s | a t | k a i n | d o t | u s |