On 23 Oct 2000, Patrick J. LoPresti wrote:
> Jesse Pollard <pollard@tomcat.admin.navo.hpc.mil> writes:
>
> > Don't configure syslogd to do reverse lookups.
>
> Our syslogd has no option to disable the reverse lookups.
Requires a recompile.
> > You can NEVER guarantee that the reverse lookup will succeed, and
> > can be delayed several minutes for a single reply.
>
> Not true. The named on our loghost is authoritative for the reverse
> mappings for all of the machines which can log there.
Put the names of your machines in /etc/hosts on your logmachine.
>
> > I consider this a configuration error. I don't believe syslogd
> > should ever do a reverse lookup, since the name you are trying to
> > get may never arrive, or if arrives, it may be spoofed.
>
> There *is* no configuration for these tools which gives the behavior
> you describe, so this is not a "configuration error".
I agree that it is ugly that you can't disable reverse with syslog. There
are implementations of the syslogd (syslog-ng) that do allow this. If you
want to stick with the 'normal' syslog, either recompile with an option
not do do reverse lookups, put you hosts in /etc/hosts, of hack the
source.
> > It's not a bug, but a security feature. NO log to syslogd should be
> > lost, since it may be related to an attack.
>
> Historically, no other Unix system has had reliable syslogging. It
> would require very defensive programming for syslogd, and that has
> clearly not been performed.
>
> And if this is what GNU/Linux intends, why does glibc use a SOCK_DGRAM
> socket for communication with syslogd? By definition, such sockets
> are *unreliable*. If syslog is supposed to be reliable, a different
> connection type must be used.
Because if is fast. Second, you can assume that remote logging is NOT done
over the internet, anyone who does is an idiot. So the change that some
UDP packet get's lost is close to zero. I think the changes are higher
that the connection oriented solutions would get messages lost.
> Your philosophy that "no syslog message should ever be lost" is not
> necessarily bad. But it is clearly at odds with historical practice,
> the current glibc syslog() implementation, and the current syslogd
> itself.
>
> It is true that glibc falls back to using SOCK_STREAM if the
> SOCK_DGRAM connection fails. Does that mean GNU/Linux is expects
> syslog to be reliable eventually? If so, then my problem is entirely
> a bug in syslogd and I will report it as such.
I agree with the bad configuration remark at top. WHY do you want named to
do the reverse ?? Putting things in /etc/hosts makes thing hell of a lot
faster. With a central loghost that makes sense to me.
> - Pat
Igmar
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Tue Oct 31 2000 - 21:00:18 EST