[rsbac] question on logging

kang kang at rsbac.org
Wed Sep 21 10:33:38 CEST 2005


Andrea Pasquinucci wrote:

>I have another question:
>
>I really would like to have a separate logging for RSBAC. I guess that 
>the only way is to use its own independent logging. If I log normally 
>through the kernel, it gets to syslog as a kernel message and it goes 
>with all other kernel messages. Or can I send it to something else? (At 
>the moment I cannot use syslog-ng).
>
>Otherwise, how can I use RSBAC's own logging? I guess I will have to have
>something like klogd which reads the messages and sends them to syslogd
>etc. ?
>
>Thanks Andrea
>
>
>PS. The only way of turning off syslog logging is by the kernel
>parameter rsbac_nosyslog, correct?
>  
>
Hi Andrea!

Why can't you use syslog-ng right now?

Solutions for logging are various and depend on you:
- you can use rklogd if you have no other solution
- you can use syslog-ng or any other logger (recommended, more features,
  better support)

You simply have to configure it to take /proc/rsbac-info/rmsg as input.
What we do usually is to start the logger one time for the system log
and a second time with a different configuration for RSBAC. It makes it
easier to protect it.

To turn off syslog logging to the system log, you can use the
rsbac_nosyslog flag, or do it at runtime with:

    echo "debug nosyslog 1" > /proc/rsbac-info/debug


A sample for syslog-ng is available on the website at this address:
http://www.rsbac.org/documentation/administration_examples/syslog-ng

Feel free to send any example config you use for any different logger
that supports reading log from /proc/rsbac-info/rmsg (any logger with
/proc/kmsg support should be able to read rmsg)

Good luck!
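
The second-instance setup described in the reply above, as an added example: it is not part of the original message and is not the sample published on the RSBAC website. The configuration path, log directory, pidfile name and the s_rsbac/d_rsbac labels are assumptions; only /proc/rsbac-info/rmsg comes from the thread.

```conf
# /etc/syslog-ng/rsbac.conf  (assumed path)
# Configuration for a second syslog-ng instance that handles only RSBAC
# messages, separate from the instance that handles the system log.
#
# Newer syslog-ng releases expect an "@version:" line at the top of the
# file; add the one that matches the installed version.
#
# Start this instance next to the system one, with its own config and
# pidfile (assumed pidfile path):
#   syslog-ng -f /etc/syslog-ng/rsbac.conf -p /var/run/syslog-ng-rsbac.pid

# Read RSBAC's own message buffer instead of /proc/kmsg.
source s_rsbac {
    file("/proc/rsbac-info/rmsg");
};

# Keep the RSBAC log in its own directory, readable by root only, so the
# file can be protected separately from the ordinary system logs.
destination d_rsbac {
    file("/var/log/rsbac/rsbac.log"
         owner("root") group("root") perm(0600)
         create_dirs(yes) dir_perm(0700));
};

# This instance has no other source, so nothing but rmsg reaches the file.
log {
    source(s_rsbac);
    destination(d_rsbac);
};
```

Once this instance is running, the rsbac_nosyslog flag or the runtime echo command from the reply keeps the same messages out of the system log, so each message is recorded in one place only.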

