Programming

Is it possible that I get all the syslog messages from /var/log/messages redirected to some FIFO as and when any new messages comes.

In exact, I need to duplicate the messages to a FIFO, the moment a new message is logged; from where another process reads and does some processing without affecting the /var/log/messages file and normal loging process.

Is this possible that we hook somehow /dev/log socket and get a copy of the messages there itself ?

I tried this (this would be the most preffered way for me) but in vein.

Otherwise is this possible using dup2() on /var/log/messages itself and redirect to some FIFO, then a child process will always read from FIFO for newer messages? My program will have the root access.

A sample C program would be the best.

Thanks in advance to everyone for any kind of advice.

this should do it.

shutdown syslogd
mv /var/log/messages /var/log/messages.old
mkfifo /var/log/messages
start process to read the /var/log/messages fifo
start syslogd

But with this approach, 'cat /var/log/messages ' won't work.

I tried creating a FIFO somewhere and then openned both. Openned FIFO in write mode and the file /var/log/messages in a read mode and then tried using dup2(FIFO_fd, message_fd).

Created another process and opened FIFO in the read mode an waited for data; didn't work out at all.

I send you a cpio file with the sources and the Makefile to produce an executable to do the job. I believe you know cpio and how to run make. The steps are:

Login as root.
Run cpio:
cpio -icdm <logck.txt
cd logck
Edit Makefile (replace EXEC = logck with the name you want, e.g.
EXEC = /usr/bin/logck)
Run make
Run the program, e.g.
/usr/bin/logck /var/log/messages >/var/log/logck.out 2>/var/log/logck.err

Note that there is no need for backgrounds or nohups, everything is controlled via signal and fork calls. Please read the sources. The default polling interval is 2 seconds, but you can increase with -s option.

HI Panos.
Thank you very much for the code.
The code is working.
But wouldn't it be a performance issue as the code is performing a lot of fopen() after it sees the file_size changes before closing and then reopening and fseek() to point to additional new data?

In the meanwhile, I had followed up the 'tail' utility code and had a kind of similar approached but used nanosleep() and then fstat() in a loop to adjudge the file_size before lseek() to point to the new data in the file.

In all your code worked to a great extent for me

Ya one another thing is that the file (was the SVR4 cpio archive having no CRC) and had a problem on my FreeBSD7 machine (I use it for multipurpose --one being a file server for me through samba connection, so all new UNIX file first go there before it goes on any other machine from my desktop).

It reported me an error like "cpio: premature end of file".
When I transfered the same to a RedHatLinux machine, it worked and extracted the directory

However the code was compiling and running on both machines but the output was taking time and strace and truss had problem attaching the executable, partially, I hope due to ignoring almost all the signal (installed earlier in the code).

Praveen,

I don't know if this is related to your problem but have you explore the /etc/syslog.conf or related settings to syslog? You can specify to a location to where you want to store the capture logs.

Cheers

Right, and that "location" can also be (1) another program, (2) another host, (3) another file which is a named pipe.

If the mkfifo didn't work for you, keep in mind, the data can be read *only* once.