- A log monitor specified in /etc/syslog.conf runs with the same uid as syslogd (normally root). Be careful of potential buffer overflows, special characters and format string exploits: the monitor processes untrusted log content with root privileges.
- The monitor will not be started until it is fed a message.
- The monitor is started via sh(1). Use exec in the wrapper script to avoid the overhead of an extra shell process sitting between syslogd and the monitor.
- If the monitor exits, it is started again at the next message.
- The monitor receives messages via stdin; stdout and stderr are redirected to /dev/null at startup.
- If syslogd receives a SIGHUP, it will close the pipe to the monitor's stdin. If the monitor does not exit within 60 seconds, syslogd will send SIGTERM. Stateful log monitors should shut down and preserve their state when the pipe is closed (EOF on stdin). They probably should not attempt to catch SIGTERM.
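The following is an added example of a small stateful log monitor written to the contract above; it is not part of syslogd or its documentation. It reads messages from stdin until EOF (which is what the SIGHUP-triggered pipe close produces), treats every line as hostile data (control characters stripped, log text never used as a format string), counts failed logins per source address, and writes its state to a file at shutdown because stdout and stderr go to /dev/null. The sample log lines, the regular expression, and the state file path /var/tmp/monitor-state.json are all assumptions constructed for the example; the wrapper started by sh(1) would simply `exec` this script.

```python
import json
import re
import sys

# Constructed sample input (not real syslog output). Under syslogd these
# lines would arrive on stdin, one message per line.
SAMPLE_LINES = [
    "Jan  1 00:00:01 host sshd[123]: Failed password for root from 198.51.100.7 port 2222 ssh2",
    "Jan  1 00:00:02 host sshd[123]: Failed password for admin from 198.51.100.7 port 2223 ssh2",
    "Jan  1 00:00:03 host cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan  1 00:00:04 host sshd[124]: Accepted publickey for alice from 192.0.2.9 port 4000 ssh2",
    # Hostile content: printf-style directives and a terminal escape sequence.
    "Jan  1 00:00:05 host evil: %s%s%s%n \x1b[2J",
]

# Assumed message shape; adjust to the daemon actually being watched.
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")

STATE_PATH = "/var/tmp/monitor-state.json"  # assumption for this example


def sanitize(raw_line):
    """Reduce a log line to printable ASCII.

    Control characters (including ESC) are replaced by '?', so nothing in a
    message can drive a terminal or a downstream parser. '%' is kept literal;
    the rule is that log text is only ever passed as an argument, never as a
    format string (e.g. never printf(line) or syslog(LOG_INFO, line) in C).
    """
    return "".join(ch if 32 <= ord(ch) < 127 else "?" for ch in raw_line.rstrip("\n"))


def new_state():
    return {"lines": 0, "failed_by_source": {}, "lines_with_control_chars": 0}


def process_line(state, raw_line):
    """Update the monitor state with one message and return the state."""
    line = sanitize(raw_line)
    state["lines"] += 1
    if line != raw_line.rstrip("\n"):
        state["lines_with_control_chars"] += 1
    match = FAILED_RE.search(line)
    if match:
        source = match.group(2)
        state["failed_by_source"][source] = state["failed_by_source"].get(source, 0) + 1
    return state


def run_monitor(stream, state=None):
    """Consume messages until EOF and return the final state.

    syslogd closes our stdin on SIGHUP, so EOF is the shutdown signal: we
    return promptly (well inside the 60-second window) and install no
    SIGTERM handler, as the documentation advises.
    """
    state = new_state() if state is None else state
    for raw in stream:
        process_line(state, raw)
    return state


def save_state(state, path):
    """Persist state at shutdown; stdout/stderr are /dev/null under syslogd."""
    with open(path, "w") as fh:
        json.dump(state, fh)


if __name__ == "__main__":
    final_state = run_monitor(sys.stdin)
    save_state(final_state, STATE_PATH)
```

Because syslogd restarts the monitor at the next message after it exits, a real deployment would load the previous state file in `new_state()` before processing; the example keeps that step out to stay short.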
|