View previous topic :: View next topic |
Author |
Message |
RickDeckard n00b
Joined: 08 Apr 2014 Posts: 7
|
Posted: Fri Jun 17, 2016 4:05 am Post subject: [SOLVED] Blank dnscrypt syslog in top-level root directory? |
|
|
I've had a whole bunch of updates to do to a system that's still running 4.3.3-hardened-r4 today, probably a few months worth, and RBAC is always enabled on the machine. DNSCrypt usually writes to /var/log/messages but this time it wrote a blank syslog file owned by dnscrypt:dnscrypt to /. I'm only running DNSCrypt with --ephemeral-keys and --loglevel options as part of an Unbound resolver setup.
Call me crazy, but shouldn't the syslog always contain information? Why isn't it writing to messages? Is there any place I can look to double check and correct this, besides setting --logfile= in /etc/conf.d/dnscrypt-proxy? And could an update to DNSCrypt have caused this?
I'm not noticing any out of place GRSec entries in the logs. What can I do to figure this out? _________________ The nine most dangerous words in the English language are "I'm from the government, and I'm here to help."
Last edited by RickDeckard on Fri Jun 17, 2016 8:49 pm; edited 1 time in total |
|
Back to top |
|
|
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
|
Posted: Fri Jun 17, 2016 5:12 am Post subject: Re: Blank dnscrypt syslog in top-level root directory? |
|
|
RickDeckard wrote: | I've had a whole bunch of updates to do to a system that's still running 4.3.3-hardened-r4 today, probably a few months worth, and RBAC is always enabled on the machine. DNSCrypt usually writes to /var/log/messages but this time it wrote a blank syslog file owned by dnscrypt:dnscrypt to /. I'm only running DNSCrypt with --ephemeral-keys and --loglevel options as part of an Unbound resolver setup. |
RickDeckard ... I have the same ... without hardened/RBAC. The file creation date, and package install date don't seem to suggest the issue started as a result of the later.
Code: | # ls -l /syslog
-rw-r--r-- 1 dnscrypt dnscrypt 0 2016-06-02 13:55 /syslog
# qlop -Cl =net-dns/dnscrypt-proxy-1.6.1
Sat Feb 20 12:14:03 2016 >>> net-dns/dnscrypt-proxy-1.6.1 |
RickDeckard wrote: | Call me crazy, but shouldn't the syslog always contain information? Why isn't it writing to messages? Is there any place I can look to double check and correct this, besides setting --logfile= in /etc/conf.d/dnscrypt-proxy? And could an update to DNSCrypt have caused this? |
I've tried with '--logfile=/var/log/dnscrypt-proxy.log' and nothing gets logged there, or anywhere currently.
best ... khay |
|
Back to top |
|
|
RickDeckard n00b
Joined: 08 Apr 2014 Posts: 7
|
Posted: Fri Jun 17, 2016 4:51 pm Post subject: |
|
|
I found the DNSCrypt initscript was forcing the syslog write all of a sudden.
So I added DNSCRYPT_LOGFILE=/var/log/messages to the conffile, took out "--logfile=", and now I'm not getting any more "mutually exclusive" warnings or top-level syslog writes.
But DNSCrypt is still refusing to work altogether which has basically brought down my entire internet. A quick look at the emerge.log file showed it wasn't upgraded as part of the big 4hr-long upgrade so there should never have been any syslog issues in the first place. _________________ The nine most dangerous words in the English language are "I'm from the government, and I'm here to help." |
|
Back to top |
|
|
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
|
Posted: Fri Jun 17, 2016 5:47 pm Post subject: |
|
|
RickDeckard wrote: | I found the DNSCrypt initscript was forcing the syslog write all of a sudden. So I added DNSCRYPT_LOGFILE=/var/log/messages to the conffile, took out "--logfile=", and now I'm not getting any more "mutually exclusive" warnings or top-level syslog writes. |
RickDeckard ... yes, I'd meant DNSCRYPT_LOGFILE. I wouldn't point to /var/log/messages as this is used by the syslog facility and you'll end up with both syslog and dnscrypt-proxy attempting to write to the same file.
RickDeckard wrote: | But DNSCrypt is still refusing to work altogether which has basically brought down my entire internet. A quick look at the emerge.log file showed it wasn't upgraded as part of the big 4hr-long upgrade so there should never have been any syslog issues in the first place. |
Here is how I resolved the issue, re-merge dnscrypt-proxy (my suspicion was that syslog-ng had been updated after the last merge of dnscrypt-proxy and that this caused logopt="--syslog" to fail). Run etc-update/dispatch-conf, and fix the bashism that was introduced.
Code: | - if [[ "${DNSCRYPT_LOGFILE}" == "syslog" ]]; then
+ if [ "${DNSCRYPT_LOGFILE}" = "syslog" ]; then |
Restart dnscrypt-proxy ...
/var/log/messages: | Jun 17 19:34:10 aporia dnscrypt-proxy[11814]: Starting dnscrypt-proxy 1.6.1 |
HTH & best ... khay |
|
Back to top |
|
|
RickDeckard n00b
Joined: 08 Apr 2014 Posts: 7
|
Posted: Fri Jun 17, 2016 7:13 pm Post subject: |
|
|
Oh! OK, I'll try that. I was under the impression it was safe to write to /var/log/messages because all the DNSCrypt information had gone there before the update. _________________ The nine most dangerous words in the English language are "I'm from the government, and I'm here to help." |
|
Back to top |
|
|
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
|
Posted: Fri Jun 17, 2016 7:20 pm Post subject: |
|
|
RickDeckard wrote: | Oh! OK, I'll try that. I was under the impression it was safe to write to /var/log/messages because all the DNSCrypt information had gone there before the update. |
RickDeckard ... yes, because '--syslog' was used rather than '--logfile=', so actually its just passing on to syslog and then syslog then writes to /var/log/messages.
best ... khay |
|
Back to top |
|
|
RickDeckard n00b
Joined: 08 Apr 2014 Posts: 7
|
Posted: Fri Jun 17, 2016 8:47 pm Post subject: |
|
|
It worked! DNSCRYPT_LOGFILE now points to /var/log/dnscrypt/dnscrypt and works if I invoke dnscrypt separately from its initscript with "--user=dnscrypt -d -E -R dnscrypt.org-fr" ... unbound as well as itself still remain crashed in rc-status tho.
I'll poke around some more to see if I can fix that. As the original issue stands, however, it's solved.
Thank you for your help. _________________ The nine most dangerous words in the English language are "I'm from the government, and I'm here to help." |
|
Back to top |
|
|
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
|
Posted: Fri Jun 17, 2016 10:30 pm Post subject: |
|
|
RickDeckard wrote: | It worked! DNSCRYPT_LOGFILE now points to /var/log/dnscrypt/dnscrypt and works if I invoke dnscrypt separately from its initscript with "--user=dnscrypt -d -E -R dnscrypt.org-fr" ... unbound as well as itself still remain crashed in rc-status tho. I'll poke around some more to see if I can fix that. As the original issue stands, however, it's solved. |
RickDeckard ... when using '-R,--resolver-name=<name>' you probably also need to provide '-L,--resolvers-list=<file>'.
RickDeckard wrote: | Thank you for your help. |
You're welcome & best ... khay |
|
Back to top |
|
|
|