From owner-freebsd-ports@FreeBSD.ORG Mon Jan 23 20:51:54 2012
Delivered-To: ports@freebsd.org
Message-ID: <4F1DC867.4090700@freebsd.org>
Date: Mon, 23 Jan 2012 15:51:51 -0500
From: Michael Scheidell
Organization: SECNAP Network Security Corp
Subject: help with swatch rc script
List-Id: Porting software to FreeBSD

It seems that every time there is a solar flare, swatch status stops working.
This means that service swatch stop won't work because it doesn't know it's running, restart, nothing.

I tracked it down, and it is the size of the swatch_x_flags line that causes the problem.. too small, and it won't work!

Example: simple swatch in rc:

    swatch_enable="YES"
    swatch_rules="1"
    swatch_1_flags="--config-file=/usr/local/etc/swatch-hackertrap.conf --tail-file=/var/log/eventlog --tail-args=-F --daemon --pid-file=/var/run/swatch_1.pid"
    swatch_1_pidfile="/var/run/swatch_1.pid"
    swatch_1_chdir="/var/tmp"

(with/without swatch_1_pidfile, with/without swatch_w_chdir..) doesn't matter.

    service swatch status
    swatch is not running.
    atrium-ru.hackertrap.net# ps -auxww | grep swatch
    root 22182 0.0 0.7 28080 13812 ?? Is 12:26AM 0:00.00 /usr/local/bin/swatch --config-file=/usr/local/etc/swatch-hackertrap.conf --tail-file=/var/log/eventlog --tail-args=-F --daemon --pid-file=/var/run/swatch_1.pid (perl)
    root 22252 0.0 0.1 7884 1380 p1 S+ 12:31AM 0:00.00 grep swatch
    atrium-ru.hackertrap.net# cat /var/run/swatch_1.pid
    22182

Now, I can't blame the last person who touched files/swatch.in, because it was a previous PR I opened that added the procname to it. (before.. something happened..) it didn't work _without_ procname in rc script.

The rc script itself is a little messy, and before I go to the maintainer with a PR, I would like to get it to work in all environments.

(again, it ~seems~ to only work now if you have a very long swatch_flags line: doesn't matter if I use swatch_x_flags='ljljljlkjlk "ljljlkj " lk lj ' or " \" \" (doesn't matter if I use single or double quotes) multi line or single line.)

    swatch_enable="YES"
    swatch_rules="1"
    swatch_1_flags='--config-file=/usr/local/etc/swatch-hackertrap.conf --tail-file="/var/log/eventlog /var/log/messages" \
    --tail-args=-Fn0 --daemon --pid-file=/var/run/swatch_1.pid'

    ps -auxww | grep swatch
    root 22383 0.0 0.7 28080 13816 ?? Is 12:39AM 0:00.00 /usr/local/bin/swatch --config-file=/usr/local/etc/swatch-hackertrap.conf --tail-file=/var/log/eventlog /var/log/messages --tail-args=-Fn0 --daemon --pid-file=/var/run/swatch_1.pid (perl)

It's the length of the --tail-file, or the total length of the command line:

THIS WORKS:

    swatch_enable="YES"
    swatch_rules="1"
    swatch_1_flags='--config-file=/usr/local/etc/swatch-hackertrap.conf \
    --tail-file="/var/log/eventlog /var/log/messages /var/log/test1 /var/log/test2 /var/log/test3 /var/log/test4_but_add_a_humungious_long_file_to_put_it_past_some_buffer_and_it_finally_works" \
    --tail-args=-Fn0 --daemon --pid-file=/var/run/swatch_1.pid'

    service swatch status
    swatch is running as pid 22595.
    atrium-ru.hackertrap.net# ps -auxww | grep swatch
    root 22595 0.0 0.7 28080 13812 ?? Is 12:45AM 0:00.00 /usr/local/bin/perl //.swatch_script.22591
    root 22620 0.0 0.1 7884 1380 p1 S+ 12:47AM 0:00.00 grep swatch
    0:00.00 /usr/local/bin/perl //.swatch_script.22591

-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation
* Best Mobile Solutions Product of 2011
* Best Intrusion Prevention Product
* Hot Company Finalist 2011
* Best Email Security Product
* Certified SNORT Integrator