xypron / skyldav

Skyld AV - on access virus scanner
http://xypron.github.io/skyldav/
Apache License 2.0

skyldav uses problematic syslog log tag and sometimes calls syslog() before openlog() #6

Closed wschlich closed 11 years ago

wschlich commented 11 years ago

My syslog-ng is configured with keep_hostname(yes); in order to keep the hostname that the log client sent.

It seems that sometimes skyldav is setting a problematic value:

2013-08-16 15:02:47 +02:00; zephyr; user.err; skyldav: Cannot write pid file '/var/run/skyldav/skyldav.pid'.
2013-08-16 15:02:51 +02:00; Skyld; user.notice; AV: On access scanning started.
2013-08-16 15:03:16 +02:00; Skyld; user.notice; AV: On access scanning stopped.

Looks like it uses Skyld AV and syslog-ng interprets Skyld as the hostname and AV as the ident / program name.

Looking at the source code, that assumption turns out true.

Also, it seems that sometimes syslog() is called before openlog(), for example when daemonizing (before the first call to a Messaging method). If this happens, the call to syslog() automatically calls openlog() without ident being set explicitly and thus the program name is automatically used as the ident.

As an addition, unfortunately the PID is not logged.

I fixed the cosmetics using this openlog call:

openlog("skyldav", LOG_PID, LOG_DAEMON);

Of course, this still does not fix the call to syslog() before openlog() is called explicitly, but that fix is up to you now ;-)

Cheers, Wolfram
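To make the misattribution described above concrete, here is an added example that is not part of the skyldav project or of this issue. It emulates two things: what glibc's syslog() writes for a given openlog() ident (with and without LOG_PID), and a simplified model of how a BSD-syslog (RFC 3164) relay splits the text after the timestamp into hostname, program tag and message. The local hostname "zephyr", the PID 4242 and the message strings are constructed sample values; the relay logic is a simplification, not syslog-ng's actual parser. A small ident_is_safe() check captures the RFC 3164 rule that the TAG is alphanumeric and at most 32 characters, which is why "Skyld AV" is a bad ident and "skyldav" is fine.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed local hostname a relay falls back to when the line carries none. */
#define LOCAL_HOST "zephyr"

struct fields {
    char host[64];   /* hostname the relay attributes the line to */
    char tag[64];    /* program name / ident as the relay sees it */
    char msg[256];   /* message text after the tag */
};

/* Emulate what glibc's syslog() sends after openlog(ident, flags, facility):
 * "ident[pid]: msg" when LOG_PID is set, "ident: msg" otherwise.
 * The "<pri>" and timestamp prefix are omitted since they do not affect the split. */
int format_client(const char *ident, int with_pid, int pid,
                  const char *msg, char *out, size_t n)
{
    int w = with_pid ? snprintf(out, n, "%s[%d]: %s", ident, pid, msg)
                     : snprintf(out, n, "%s: %s", ident, msg);
    return (w >= 0 && (size_t)w < n) ? 0 : -1;
}

/* Simplified model of a BSD-syslog relay splitting "[host ]tag[pid]: msg":
 * if a space occurs before the first ':', the first token is taken as the
 * hostname and the remainder up to ':' (minus any "[pid]") as the tag. */
int parse_relay(const char *line, struct fields *f)
{
    const char *colon = strchr(line, ':');
    if (!colon)
        return -1;

    const char *space = memchr(line, ' ', (size_t)(colon - line));
    const char *tag_start = line;
    if (space) {
        size_t hl = (size_t)(space - line);
        if (hl >= sizeof f->host)
            return -1;
        memcpy(f->host, line, hl);
        f->host[hl] = '\0';
        tag_start = space + 1;
    } else {
        snprintf(f->host, sizeof f->host, "%s", LOCAL_HOST);
    }

    /* Strip an optional "[pid]" suffix from the tag. */
    const char *tag_end = colon;
    const char *br = memchr(tag_start, '[', (size_t)(colon - tag_start));
    if (br)
        tag_end = br;
    size_t tl = (size_t)(tag_end - tag_start);
    if (tl >= sizeof f->tag)
        return -1;
    memcpy(f->tag, tag_start, tl);
    f->tag[tl] = '\0';

    const char *m = colon + 1;
    while (*m == ' ')
        m++;
    snprintf(f->msg, sizeof f->msg, "%s", m);
    return 0;
}

/* RFC 3164 TAG rule: non-empty, alphanumeric, at most 32 characters
 * ('_', '-' and '.' are tolerated here as common practice). */
int ident_is_safe(const char *ident)
{
    if (!ident || !*ident || strlen(ident) > 32)
        return 0;
    for (const char *p = ident; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '-' && *p != '.')
            return 0;
    return 1;
}

int main(void)
{
    const char *idents[] = { "Skyld AV", "skyldav" };
    for (int i = 0; i < 2; i++) {
        char line[256];
        struct fields f;
        format_client(idents[i], i == 1, 4242, "On access scanning started.", line, sizeof line);
        parse_relay(line, &f);
        printf("ident=\"%s\" safe=%d -> host=%s tag=%s msg=%s\n",
               idents[i], ident_is_safe(idents[i]), f.host, f.tag, f.msg);
    }
    return 0;
}
```

The first run shows the relay attributing the line to a host called "Skyld" with program "AV", exactly the pattern in the log excerpt above; the second shows the PID-bearing tag "skyldav[4242]" being parsed back to the correct host and program. The practical takeaway for a defender is that an ident containing whitespace silently breaks host and program attribution in central log collection, so any filtering or alerting keyed on those fields will miss the events.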

xypron commented 11 years ago

Patch pushed to repository, please, retest.

wschlich commented 11 years ago

Great! One thing to note: you're still passing 0 as flags to openlog. Is that intentional, or did you just miss my replacement of 0 with LOG_PID? :-)

wschlich commented 11 years ago

Hmm, so you replaced all syslog() calls outside Messaging::message by calls of Messaging::message? When I looked at it before, I thought it was intentional to not write every syslog message to the /var/run/skyldav/log file, which I thought was only for being read by a user's skyldavnotify process, because some syslog messages might not be of the user's interest (i.e. not related to virus scanning status/events). But well, personally I'm fine with getting a popup notification for everything :)

wschlich commented 11 years ago

If I could vote, I'd vote for an all-lowercase syslog ID (from what I can remember seeing, only commercial crapware uses uppercase letters in syslog tags ;)).

wschlich commented 11 years ago

The latest commits by zfsdt (?!) fixed the LOG_PID absence and the syslog ident case :-)