LD_PRELOAD technique comes in handy again

Today, my LD_PRELOAD trick, which I wrote about before (clicky), came in handy again.

A customer had an issue with an application which was logging multi-line entries via syslog to /var/log/messages. They were parsing /var/log/messages, which would be much easier if each entry was on a line by itself, but our stupid app was sending strings to syslog which contained newlines. To a human, this made them more readable, but to a machine, not so much. I’d noticed this before, but the code in this case is very old, and I suppose there are plenty of customers who’ve devised custom scripts to parse the messages as they stand, newlines and all.

Now, I could easily fix the program to omit the newlines, possibly providing some backwards compatibility switch which preserved the newlines in case some large customer had scripts which depended on this. But, this would take some time, requiring the customer to wait for a new release of the software, which would be some months from now.

Well, LD_PRELOAD to the rescue.

It’s a simple matter to write a small preloadable library which interposes itself between an application and syslog(3). This library contains one function, which overrides syslog, takes the arguments (printf style variable arguments), runs them through vsprintf, then takes that resulting string, removes the newlines, and then calls the “real” syslog (saved away in a function pointer).

Then just rename the application executable, and create a shell script with the original application’s name. The shell script invokes the application after setting LD_PRELOAD to load the new library:


LD_PRELOAD=/somewhere/libwrap_syslog.so original_app "$@"
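
The interposer described above, as an added example rather than the author's original library. It uses a bounded vsnprintf in place of the vsprintf the post mentions and forwards the result as a "%s" argument so the message is never reinterpreted as a format string; the file name wrap_syslog.c, MSG_MAX and flatten_newlines are assumed names.

```c
/* wrap_syslog.c: added example, not the author's original library.
 * Build: gcc -shared -fPIC -o libwrap_syslog.so wrap_syslog.c -ldl */
#define _GNU_SOURCE            /* exposes RTLD_NEXT in <dlfcn.h> */
#include <dlfcn.h>
#include <stdarg.h>
#include <stdio.h>

#ifndef RTLD_NEXT              /* fallback if _GNU_SOURCE took effect too late */
#define RTLD_NEXT ((void *) -1l)
#endif

#define MSG_MAX 2048           /* assumed cap; longer messages are truncated */

typedef void (*syslog_fn)(int, const char *, ...);

/* Replace CR/LF with spaces in place and trim trailing blanks.
 * Returns the resulting length. */
size_t flatten_newlines(char *s)
{
    size_t len = 0;
    for (char *p = s; *p; p++, len++)
        if (*p == '\n' || *p == '\r')
            *p = ' ';
    while (len > 0 && s[len - 1] == ' ')
        s[--len] = '\0';
    return len;
}

/* Same signature as syslog(3). The preloaded library is searched first,
 * so the application's calls resolve here instead of in libc. */
void syslog(int priority, const char *format, ...)
{
    static syslog_fn real_syslog;   /* the "real" syslog, looked up once */
    char msg[MSG_MAX];
    va_list ap;

    if (!real_syslog)
        real_syslog = (syslog_fn)dlsym(RTLD_NEXT, "syslog");
    if (!real_syslog)
        return;                     /* nothing to forward to */

    va_start(ap, format);
    vsnprintf(msg, sizeof msg, format, ap);   /* bounded, unlike vsprintf */
    va_end(ap);

    flatten_newlines(msg);
    real_syslog(priority, "%s", msg);  /* message is data, never a format */
}
```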

Voila! The customer’s application is made to behave the way he wants, and made to behave the way he wants today with this bandaid without recompiling, without reinstalling the app, with 40 lines of code, a Makefile, and a script. Meanwhile the app can be fixed at a leisurely pace.

And if the customer happens to have other apps that use syslog in a way he doesn’t like, it’s a simple matter to modify the library to perform arbitrarily complex editing of the messages sent to syslog, so long as the app is not statically linked.

~ by scaryreasoner on January 26, 2008.
