
Is it possible to intercept syslog messages and evaluate (and in special cases change) them before they are written into /var/log/?

At the moment I'm using inotify to monitor the log file and write the evaluated log into a new file.

inselberg

  • Yikes. Why? What are you actually trying to accomplish here? Either fix the application that is generating the logs or use something like logstash to collect and post-process your logs. – EEAA Jun 11 '13 at 04:36

1 Answer

Yes, it is possible. You can do it with syslog-ng and filters if you're creative.

No, I'm not going to tell you specifically how to do it, because it's a TERRIBLE idea.
As a general rule you do not alter the data you're logging. You log raw data, and post-process it prior to displaying it if necessary. Altering log data destroys the integrity of the logging process - it's equivalent to planting evidence in a criminal case.

voretaq7

  • ...or (in an untrusted environment) not telling the whole world when I did something, why and from where ... sometimes `ln -s /dev/null` can't be used. And thank you for the `syslog-ng` hint. – inselberg Jun 11 '13 at 23:51
  • If you're in an untrusted environment you probably don't have access to the log stream. (Conversely, if you have control of the logging you should have control of everything else too - you usually need to be root to pick the program that handles the logs.) The point of logging is for the sysadmin (you) to know when *someone else* is doing something they shouldn't be. If ***YOU*** are doing something you shouldn't be, knock it off! :-) – voretaq7 Jun 12 '13 at 00:56
  • I think my definition of "untrusted" is different to yours: not located next to me, has an internet connection, unencrypted, and it doesn't matter if I'm "root" and pay for it. Is this yet a philosophic approach about "trust"? :D – inselberg Jun 12 '13 at 13:27
  • Your definition of untrusted is unreasonable. I've never worked on a machine that you would consider "trusted" (because I colocate servers - they don't sit under my desk). If you have full control over the system's OS you should be able to trust it. If you don't you need to seriously re-evaluate your hosting situation. If you would like to continue the philosophical discussion of when a machine is/isn't trusted [stop by the SF chat room](http://chat.stackexchange.com/rooms/127) – voretaq7 Jun 12 '13 at 15:15