Liangyu's Blog, drop by drop the trickles form a river _ Liangyu's Blog _ the road of a Linux operations engineer for web and mobile games

psad's kmsgsd does not start

After installing psad:
[root@localhost psad]# psad -V
[+] psad v2.2.3 by Michael Rash <mbr@cipherdyne.org>
[root@localhost psad]# /etc/init.d/psad start
but kmsgsd is nowhere to be seen in the process list.
The job of kmsgsd is to read all iptables log messages from the named pipe /var/lib/psad/psadfifo and write them to the file /var/log/psad/fwdata, where psad picks them up for automatic analysis. This gives psad a clean data stream that contains only iptables log messages.
When psad is installed, it reconfigures the system syslog daemon so that all kernel messages at priority info (kern.info, in syslog terms) are written to the named pipe /var/lib/psad/psadfifo.

Looking at the configuration shows that when ENABLE_SYSLOG_FILE is Y, psad reads directly from /var/log/messages;
when it is changed to N, the messages go through the pipe and are written to /var/log/psad/fwdata for psad to analyze.
### By default, psad acquires iptables log data from the /var/log/messages
### file which the local syslog daemon (usually) writes iptables log messages
### to.  If the ENABLE_SYSLOG_FILE variable below is set to "N", then psad
### reconfigures syslog to write iptables log data to the
### /var/lib/psad/psadfifo fifo file where the messages are picked up by kmsgsd
### written to the file /var/log/psad/fwdata for analysis by psad.  On some
### systems, having syslog communicate log data to kmsgsd can be problematic
### (syslog configs and external factors such as Apparmor and SELinux can play
### a role here), so leaving the ENABLE_SYSLOG_FILE variable set to "Y" is
### usually recommended.
ENABLE_SYSLOG_FILE          Y;
To start kmsgsd, change ENABLE_SYSLOG_FILE to N and then restart psad:
[root@localhost psad]# /etc/init.d/psad restart
[-] psad: pid file /var/run/psad/kmsgsd.pid does not exist for kmsgsd on localhost
[+] Stopping psad, pid: 52304
Starting psad: syslogd: no process killed

[root@localhost psad]# ps aux|grep kmsgsd
root     52404  0.0  0.0   4060   116 ?        Ss   16:04   0:00 /usr/sbin/kmsgsd -c /etc/psad/psad.conf
root     52484  0.0  0.0 103176   844 pts/1    S+   16:10   0:00 grep kmsgsd
and now kmsgsd shows up.
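Added example, not code from the post or from psad itself: a small POSIX shell helper that reads ENABLE_SYSLOG_FILE from a psad.conf-style file, reports which log path psad will read from, and checks whether a kmsgsd process is present. The function names and the sample config contents are constructed for the demonstration; the paths are the ones named above.

```shell
#!/bin/sh
# Added example (not part of the original post or of psad): check the
# ENABLE_SYSLOG_FILE setting and whether kmsgsd is running, so the state
# seen in the post can be verified rather than guessed.

# Print the value of a psad.conf variable (line format: "NAME   value;").
# $1 = variable name, $2 = path to the config file.
psad_conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\([^;[:space:]]*\)[[:space:]]*;.*/\1/p" "$2" | head -n 1
}

# Map the setting to the log source psad will use:
#   Y -> syslog file /var/log/messages (kmsgsd is not expected to run)
#   N -> named pipe /var/lib/psad/psadfifo (kmsgsd must be running)
psad_log_source() {
    case "$(psad_conf_get ENABLE_SYSLOG_FILE "$1")" in
        Y) echo "file:/var/log/messages" ;;
        N) echo "fifo:/var/lib/psad/psadfifo" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Exit 0 when a kmsgsd process exists, 1 otherwise.
kmsgsd_running() {
    pgrep -x kmsgsd >/dev/null 2>&1
}

# Constructed sample config mirroring the stanza quoted in the post.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
### comment lines are ignored by the parser
ENABLE_SYSLOG_FILE          Y;
EMAIL_ADDRESSES             root@localhost;
EOF

src=$(psad_log_source "$sample_conf")
echo "log source: $src"
if kmsgsd_running; then
    echo "kmsgsd: running"
else
    echo "kmsgsd: not running (expected when the source is ${src%%:*}=file)"
fi
rm -f "$sample_conf"
```

Run it against the real file with the path substituted for the sample (psad_log_source /etc/psad/psad.conf) to see which of the two states the host is in.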


Tags: psad, kmsgsd, start, enable, ENABLE_SYSLOG_FILE

Author: Liangyu  Category: psad  Views: 914  Comments: 0