I use an application (Risto Vaarandi's Simple Event Correlator) to grab strings from /var/log/syslog and write them to a named pipe

From sec.conf

type=Single
ptype=regexp
pattern=T(\d\d:\d\d:\d\d).*?(\S+)\s+nodewatch.*?: (.*)
desc=NodeWatch on $2 at $1
action=write /home/tocops/.tocpipe nodewatch $1 $3

And then I wrote an application (toclogd) which reads from this pipe and does useful things with what it reads https://www.skendric.com/nmgmt/console/toc/toclogd

Relevant section inserted here

[...]
{
  # Declare variables
  my $fifo;     # The pipe from which we'll read
  my $input;    # Text which SEC handed us
  my $clean;    # $input stripped of annoying characters
  my $text;     # $clean, stripped of the log name

  MAIN_LOOP:
  while (1) {

    # Open pipe
    ualarm(0);
    unless (open $fifo, '<', $pipe) {
      log_it("Cannot open $pipe: $!");
      sleep 5;
      next MAIN_LOOP;
    }

    # Give ourselves .01s to read input
    ualarm(10000);
    $input = <$fifo>;
    next MAIN_LOOP unless defined $input;
    chomp $input;

    # Process input
    alarm(0);
    next MAIN_LOOP unless $clean = strip_junk($input);
    next MAIN_LOOP unless $log = find_log_name($clean);
    ($text) = ($clean) =~ /^\w+\s+(.*)/;
    write_line($text);
  }
}
[...]

This has worked great under RHEL derivatives for ... almost two decades now: I currently use it under Rocky 8.9, for example

However, I have started to experiment with Ubuntu (22.04 Jammy Jellyfish), and I see an odd effect

When SEC writes a couple messages in rapid succession to .tocpipe, toclogd only picks up the first one

In other words, under Rocky 8.9, toclogd reads both of these messages and does something useful with both of them

2024-06-01T05:43:27.241457-07:00 rocky sec[123632]: Writing event 'nodewatch 05:43:26 flem [+3]' to file '/home/tocops/.tocpipe'
2024-06-01T05:43:27.241858-07:00 rocky sec[123632]: Writing event 'nodewatch 05:43:26 flem [up]' to file '/home/tocops/.tocpipe'

However, under Ubuntu, toclogd only does something useful with the first of these; it appears to miss the second

2024-06-01T05:43:26.119268-07:00 ubuntu sec[664336]: Writing event 'nodewatch 05:43:26 flem [+3]' to file '/home/tocops/.tocpipe'
2024-06-01T05:43:26.119887-07:00 ubuntu sec[664336]: Writing event 'nodewatch 05:43:26 flem [up]' to file '/home/tocops/.tocpipe'

Does this ring a bell for anyone? What might Ubuntu be doing differently than RHEL, wrt named pipes?

Rocky 8.9: perl-5.34.2
Ubuntu 22.04: perl-5.34.0
--sk
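
Added example, not part of the original post or of toclogd: the loop above reads one line and then reopens the pipe, so a second line that arrives in the same read sits in Perl's read buffer and is discarded on reopen. This sketch drains every line until EOF before reopening; the `drain_fifo` name, the temporary pipe path and the two sample events are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example: drain every line from a FIFO before reopening it.
use strict;
use warnings;
use POSIX qw(mkfifo _exit);
use File::Temp qw(tempdir);

# Read lines until EOF (all writers have closed), passing each to $handler.
# Returns the number of lines handled. (Hypothetical helper name.)
sub drain_fifo {
    my ($path, $handler) = @_;
    open my $fifo, '<', $path or die "Cannot open $path: $!";
    my $count = 0;
    while (defined(my $line = <$fifo>)) {
        chomp $line;
        $handler->($line);
        $count++;
    }
    close $fifo;
    return $count;
}

# Constructed demo: a child writes two events back to back,
# standing in for SEC's two 'write' actions.
my $dir  = tempdir(CLEANUP => 1);
my $pipe = "$dir/demo.pipe";    # constructed path, not the real .tocpipe
mkfifo($pipe, 0600) or die "mkfifo $pipe: $!";

my $pid = fork();
die "fork: $!" unless defined $pid;
if ($pid == 0) {
    open my $out, '>', $pipe or die "open for write: $!";
    print {$out} "nodewatch 05:43:26 flem [+3]\n";
    print {$out} "nodewatch 05:43:26 flem [up]\n";
    close $out;                 # flushes both lines, then signals EOF
    _exit(0);                   # skip the parent's cleanup handlers
}

my @seen;
my $n = drain_fifo($pipe, sub { push @seen, $_[0] });
waitpid($pid, 0);
print "read $n line(s):\n", map { "  $_\n" } @seen;
```

In a daemon, the call to `drain_fifo` would sit inside the outer `while (1)` loop, so the pipe is reopened only after the writer has closed and every queued line has been handled.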
