RE: Remote Syslogd

From: Onsite West Houston (onsiteat_private)
Date: Fri Nov 08 2002 - 16:38:36 PST


    	What about placing the tail -f command inside a while true loop,
    e.g.
    
    	while true
    	do
    		tail -f <filename>
    	done
    
    	then, add this script to /etc/inittab (or equivalent, depending on
    flavor)
    	marking it to respawn.
    
    	If the tail process fails, the while loop will auto-restart it.
    	If the while loop process fails, /etc/inittab will respawn it.
    
    _________________________________________
    Lawrence Garvin
    Principal/CEO
    Onsite West Houston
    http://onsite.eforest.net
    ICQ#: 38440195
    _________________________________________
    
    
    
    -----Original Message-----
    From: Ben Boulanger [mailto:benat_private]
    Sent: Wednesday, November 06, 2002 1:21 PM
    To: John Fitzgerald
    Cc: forensicsat_private
    Subject: RE: Remote Syslogd
    
    
    On Wed, 6 Nov 2002, John Fitzgerald wrote:
    > ...seeing you mention logtail I guess you could use tail -f from a
    > process outside the chrooted area (i.e a process that even a compromised
    > syslogd can't touch) and pipe that through to a secured area on the
    > system.
    
    You certainly could.  The only thing that tail doesn't provide is some way 
    of recovering if the process dies, gets killed, or otherwise gets 
    interrupted.  Logtail keeps track of where it left off, which is really 
    the only reason to -not- use tail.  Otherwise, if you have a way of 
    protecting against such things, tail -f, a named pipe or even a socket 
    would do the trick.
    
    Ben
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Nov 08 2002 - 18:21:36 PST