Starting and Stopping psad

Initialization scripts bundled with psad are suitable for Red Hat, Fedora, Slackware, Debian, Mandrake, and Gentoo Linux systems. As with many system daemons (such as syslog and Apache), psad should normally be started and stopped via the init script:

    # /etc/init.d/psad start
     * Starting psad ...                                    [ ok ]

    # /etc/init.d/psad stop
     * Stopping psadwatchd ...                              [ ok ]
     * Stopping kmsgsd ...                                  [ ok ]
     * Stopping psad ...                                    [ ok ]

When psad is started via the init script, three daemons are also started: the main psad daemon, kmsgsd, and psadwatchd. The purpose of kmsgsd is to read all iptables log messages out of the /var/lib/psad/psadfifo named pipe and write them to a separate file, /var/log/psad/fwdata, for on-the-fly analysis by psad. In this way, psad is supplied with a pure data stream that exclusively contains iptables log messages.

5 A named pipe is a special class of file that allows two processes to communicate. The mechanism is similar to connecting the STDOUT of one process to the STDIN of another process with a pipe (|) character (e.g., cat /etc/hosts | grep localhost), but a named pipe exists persistently within the filesystem.

NOTE At install time, psad reconfigures the system syslog daemon to write all kernel messages that have a priority of info (or messages, in syslog parlance) to the /var/lib/psad/psadfifo named pipe.
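To make the pipe-and-filter flow concrete, here is an added shell demonstration (not psad's own code) of what kmsgsd does with the stream syslog hands it: one process drains a named pipe, keeps only lines carrying the IN=/OUT= fields that the iptables LOG target emits, and writes them to a data file. The kernel messages are constructed samples, and the FIFO and data file live under a temporary directory rather than at psad's real /var/lib/psad and /var/log/psad paths.

```shell
#!/bin/sh
# Constructed demonstration of the kmsgsd idea: a reader process drains a
# named pipe and keeps only iptables LOG lines, writing them to a data file.
# Paths are placeholders under a temp dir, not psad's real /var/lib/psad paths.

# Constructed sample of what syslog might hand to the pipe: two iptables
# LOG lines (IN=/OUT=/SRC=/DST= fields) mixed with unrelated kernel noise.
SAMPLE_KMSGS='Mar  1 10:00:01 host kernel: usb 1-1: new high-speed USB device
Mar  1 10:00:02 host kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  1 10:00:03 host kernel: eth0: link is up
Mar  1 10:00:04 host kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0'

# Run the pipe-and-filter exchange in a scratch directory and print the
# number of lines that reached the data file (the "pure" iptables stream).
filter_via_fifo() {
    workdir=$(mktemp -d) || return 1
    fifo="$workdir/psadfifo"      # stands in for /var/lib/psad/psadfifo
    fwdata="$workdir/fwdata"      # stands in for /var/log/psad/fwdata
    mkfifo "$fifo" || return 1

    # Reader (the kmsgsd role): opening the FIFO blocks until a writer
    # appears; keep only lines carrying the IN=... OUT= fields that the
    # iptables LOG target emits, and drop everything else.
    grep -E 'IN=[^ ]* OUT=' "$fifo" > "$fwdata" &
    reader=$!

    # Writer (the syslog role): push the sample messages into the pipe.
    # Closing the write end gives the reader EOF so it exits cleanly.
    printf '%s\n' "$SAMPLE_KMSGS" > "$fifo"
    wait "$reader"

    wc -l < "$fwdata" | tr -d ' '
    rm -rf "$workdir"
}

# Number of non-iptables kernel lines the filter kept out of the data stream.
count_dropped_noise() {
    total=$(printf '%s\n' "$SAMPLE_KMSGS" | wc -l | tr -d ' ')
    kept=$(filter_via_fifo)
    echo $((total - kept))
}
```

Running `filter_via_fifo` on the sample prints 2, the two iptables lines; the USB and link-state messages never reach the data file.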

The psadwatchd daemon simply makes sure that both the psad and kmsgsd daemons are running and restarts them if they are not. If psadwatchd must restart either of the other two daemons, it sends a warning email to the email address listed within the /etc/psad/psad.conf file.
