It seems that every time there is a solar flare, swatch status stops working.

This means that service swatch stop won't work because it doesn't know it's running; restart, nothing. I tracked it down, and it is the size of the swatch_x_flags line that causes the problem: too small, and it won't work!


example:

simple swatch in rc:

swatch_enable="YES"
swatch_rules="1"
swatch_1_flags="--config-file=/usr/local/etc/swatch-hackertrap.conf --tail-file=/var/log/eventlog --tail-args=-F --daemon --pid-file=/var/run/swatch_1.pid"
swatch_1_pidfile="/var/run/swatch_1.pid"
swatch_1_chdir="/var/tmp"

(with/without swatch_1_pidfile, with/without swatch_w_chdir..)

doesn't matter.

service swatch status
swatch is not running.
atrium-ru.hackertrap.net# ps -auxww | grep swatch
root 22182 0.0 0.7 28080 13812 ?? Is 12:26AM 0:00.00 /usr/local/bin/swatch --config-file=/usr/local/etc/swatch-hackertrap.conf --tail-file=/var/log/eventlog --tail-args=-F --daemon --pid-file=/var/run/swatch_1.pid (perl)
root    22252  0.0  0.1  7884  1380  p1  S+   12:31AM   0:00.00 grep swatch
atrium-ru.hackertrap.net# cat /var/run/swatch_1.pid
22182


now, I can't blame the last person who touched files/swatch.in, because it was a previous pr I opened that added the procname to it.
<http://www.freebsd.org/cgi/query-pr.cgi?pr=148893>

(before... something happened...) it didn't work _without_ procname in rc script.

The rc script itself is a little messy, and before I go to the maintainer with a pr, I would like to get it to work in all environments. (again, it ~seems~ to only work now if you have a very long swatch_flags line):

doesn't matter if I use
swatch_x_flags='ljljljlkjlk "ljljlkj " lk lj '

or " \" \" (doesn't matter if I use single or double quotes)

multi line or single line.

swatch_enable="YES"
swatch_rules="1"
swatch_1_flags='--config-file=/usr/local/etc/swatch-hackertrap.conf --tail-file="/var/log/eventlog /var/log/messages" \
--tail-args=-Fn0 --daemon --pid-file=/var/run/swatch_1.pid'


ps -auxww | grep swatch
root 22383 0.0 0.7 28080 13816 ?? Is 12:39AM 0:00.00 /usr/local/bin/swatch --config-file=/usr/local/etc/swatch-hackertrap.conf --tail-file=/var/log/eventlog /var/log/messages --tail-args=-Fn0 --daemon --pid-file=/var/run/swatch_1.pid (perl)

it's the length of the --tail-file, or the total length of the command line:

THIS WORKS:

swatch_enable="YES"
swatch_rules="1"
swatch_1_flags='--config-file=/usr/local/etc/swatch-hackertrap.conf \
--tail-file="/var/log/eventlog /var/log/messages /var/log/test1 /var/log/test2 /var/log/test3 /var/log/test4_but_add_a_humungious_long_file_to_put_it_past_some_buffer_and_it_finally_works" \
--tail-args=-Fn0 --daemon --pid-file=/var/run/swatch_1.pid'

service swatch status
swatch is running as pid 22595.
atrium-ru.hackertrap.net# ps -auxww | grep swatch
root 22595 0.0 0.7 28080 13812 ?? Is 12:45AM 0:00.00 /usr/local/bin/perl //.swatch_script.22591
root    22620  0.0  0.1  7884  1380  p1  S+   12:47AM   0:00.00 grep swatch

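Added example, not code from the post or from the swatch port's rc script: a stripped-down emulation of the rc.subr-style procname check, run against the two ps(1) command columns quoted above. It assumes the rc script's procname is the perl interpreter (/usr/local/bin/perl) and simplifies rc.subr's real matching (no jail id or interpreter handling); the point it shows is that the first word of the command column differs between the two captures, so only one form can match a given procname.

```sh
#!/bin/sh
# Added example (not from the post or the swatch port): emulate the rc.subr
# procname check on the two command columns seen in the post.

# Constructed copies of the two ps(1) "command" columns quoted in the post.
CMD_SHORT='/usr/local/bin/swatch --config-file=/usr/local/etc/swatch-hackertrap.conf --tail-file=/var/log/eventlog --tail-args=-F --daemon --pid-file=/var/run/swatch_1.pid (perl)'
CMD_LONG='/usr/local/bin/perl //.swatch_script.22591'

# Assumed procname, as the rc script would set it (assumption, not from the post).
PROCNAME=/usr/local/bin/perl

# procname_matches PROCNAME COMMAND -> exit 0 when the simplified rc-style
# check accepts COMMAND as an instance of PROCNAME: the basename of the
# first word of the command column must equal the basename of PROCNAME
# (the "(name)" form that ps prints for some processes also counts).
procname_matches() {
    _want=$(basename "$1")
    set -- $2
    _have=$(basename "$1")
    case "$_have" in
        "$_want"|"($_want)") return 0 ;;
        *) return 1 ;;
    esac
}

# status_for PROCNAME COMMAND -> prints what "service ... status" would say.
status_for() {
    if procname_matches "$1" "$2"; then
        echo "running"
    else
        echo "not running"
    fi
}

# With a perl procname: the short-flags capture reports "not running", the
# long-flags capture reports "running"; with a swatch procname it is reversed.
status_for "$PROCNAME" "$CMD_SHORT"
status_for "$PROCNAME" "$CMD_LONG"
status_for /usr/local/bin/swatch "$CMD_SHORT"
```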

--
Michael Scheidell, CTO
SECNAP Network Security Corporation