php logging syslog suhosin

suhosin patch dedicated file log


Is it possible to move the suhosin patch's logs from the syslog to a dedicated file?

Cacti is called every 5 min by a cron job and tries to set the memory limit to -1. So, each time Cacti is called, I have 2 messages in the syslog.

ALERT - script tried to disable memory_limit by setting it to a negative value -1 bytes which is not allowed (attacker 'REMOTE_ADDR not set', file 'unknown')

Thank you for your help


Solution

  • Yes, you can set this up, multiple ways:

    1. If you want to keep using your system's syslog:

      There's a suhosin.log.syslog.facility ini setting; you can choose one of the USER facilities that no other application uses on your system.

      Most syslog daemons have various filtering capabilities to decide where a message should be sent. You will have to check what your system is running; popular syslog daemons are rsyslog, dsyslog, syslog-ng. They all have their own configuration formats, but they all should be able to filter based on facility. In most of them, you can also filter on program name or match patterns against the log message itself.

      In a sysklogd, rsyslogd, dsyslog style config file this would look something like this when matching on facility:

      local5.*     /var/log/suhoshin_alert.log 
      

      Or with regexp on the message:

      :msg, regex, "^ALERT -"     /var/log/suhoshin_alert.log
      

      If you just want to ignore these messages, you could use the ~ log target to discard messages. (just be careful what your rules match)

    2. You can use a custom logging script

      There are suhosin.log.script.name and suhosin.log.phpscript.name configuration options. You can specify a script file with both of them; the PHP one will have the information as variables while the other one will get it as arguments, and you can log the message to wherever and however you choose.

      You will have to change the suhosin.log.script or suhosin.log.phpscript options too to indicate what type of messages should be sent to the scripts, see the table here.

    However, it sounds like fixing your problem (allowing memory limit change, or not changing the memory limit) would be preferable.
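
An external logger for option 2, as an added example (not part of the original answer and not Suhosin's own code). It assumes Suhosin calls the script named in suhosin.log.script.name with the alert class as the first argument and the message as the second; `SUHOSIN_LOG_FILE` is a hypothetical override variable, and the default path is the one used in the answer.

```shell
#!/bin/sh
# Added example: dedicated-file logger for suhosin.log.script.name.
# Assumption: invoked as  <script> <alert-class> <message>
# SUHOSIN_LOG_FILE is a hypothetical override, handy for testing.
LOG_FILE="${SUHOSIN_LOG_FILE:-/var/log/suhoshin_alert.log}"

# Replace control characters (newlines, tabs, escapes) with '?' so that
# values embedded in the message, such as the client address or the file
# name, cannot forge additional log lines.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr '\000-\037\177' '?'
}

# Append exactly one line per alert: UTC timestamp, class, message.
log_alert() {
    class=$(sanitize "${1:-UNKNOWN}")
    msg=$(sanitize "${2:-}")
    (
        umask 077   # a newly created log file is readable by its owner only
        printf '%s [%s] %s\n' \
            "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$class" "$msg" >> "$LOG_FILE"
    )
}

# Log only when called with arguments (as Suhosin would call it).
if [ "$#" -gt 0 ]; then
    log_alert "$@"
fi
```

The log file must be writable by the user PHP runs as (the cron user in the Cacti case).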