--- syslog-ng-3.0.1/src/misc.c~	2008-11-05 20:57:42.000000000 +0100
+++ syslog-ng-3.0.1/src/misc.c	2009-01-16 11:43:30.896633603 +0100
@@ -274,7 +274,7 @@
   struct passwd *pw;
 
   *uid = 0;
-  if (*user)
+  if (!*user)
     return FALSE;
     
   pw = getpwnam(user);
commit 11f8d45b016107a686dbfa29497960ae3f6145ac
Author: Balazs Scheidler <bazsi@balabit.hu>
Date:   Fri Jan 16 14:44:53 2009 +0100

    [config parser] "syslog" became a reserved word, make it possible to use that as a facility name
    
    	In syslog-ng 3.0, "syslog" became a reserved word, thus the facility()
    	filter couldn't use it as name for the facility named syslog.
    
    	To avoid having to quote this word, I added a kludge to the
    	config grammar, to make it recognize syslog as a facility name
    	based on context.

diff --git a/src/cfg-grammar.y b/src/cfg-grammar.y
index c40b7fb..d54ba8f 100644
--- a/src/cfg-grammar.y
+++ b/src/cfg-grammar.y
@@ -277,6 +277,7 @@ cfg_check_template(LogTemplate *template)
 
 %type	<cptr> string
 %type	<cptr> string_or_number
+%type	<cptr> facility_string
 %type   <ptr> string_list
 %type   <ptr> string_list_build
 
@@ -464,7 +465,7 @@ source_affile_option
               affile_sd_set_pri_level(last_driver, level); 
             free($3);
           }
-        | KW_FACILITY '(' string ')'    
+        | KW_FACILITY '(' facility_string ')'
 
           {
             int facility = -1;
@@ -1305,7 +1306,7 @@ filter_fac_list
 	;
 
 filter_fac
-	: string				
+	: facility_string
 	  { 
 	    int n = syslog_name_lookup_facility_by_name($1);
 	    if (n == -1)
@@ -1499,6 +1500,11 @@ string_list_build
         |					{ $$ = NULL; }
         ;
 
+facility_string
+        : string                                { $$ = $1; };
+        | KW_SYSLOG                             { $$ = strdup("syslog"); }
+        ;
+
 %%
 
 extern int linenum;
commit ef5eb95d26fcfe3746b78bba8d39cfa2cdb9eeeb
Author: Balazs Scheidler <bazsi@balabit.hu>
Date:   Tue Dec 30 15:22:00 2008 +0100

    [LogReader] only assume that a file was moved if the size of the file is non-zero
    
    If an external logrotate program is used to rotate a logfile, a
    small race still exists when using syslog-ng to read that logfile,
    as described by Evan Rempel:
    
    "
    1. Application is writing to log file named "A".
    2. External log rotation renames "A" to "A.1"
    3. External log rotation touches/creates file named "A" and sets appropriate
        permissions.
    4. Internal timer of syslog-ng is triggered by follow_freq() setting. Syslog-ng will
        switch to the new file "A" because it exists, even though it was created only
        milliseconds earlier.
    5. log rotation signals the application to switch log files (reload or restart).
    6. Application flushes log buffers to current file which is now A.1, but syslog-ng
        is no longer reading this file.
    7. Application closes current log file "A.1" and opens new log file "A".
    
    This sequence will result in the last buffer flush (step 6) from the application to
    be missed by syslog-ng.
    "
    
    This patch makes syslog-ng to switch to the new log file if it already
    received some data.

diff --git a/src/logreader.c b/src/logreader.c
index f9567ff..40e2ae7 100644
--- a/src/logreader.c
+++ b/src/logreader.c
@@ -167,7 +167,7 @@ log_reader_fd_check(GSource *source)
         
       if (self->reader->follow_filename && stat(self->reader->follow_filename, &followed_st) != -1)
         {
-          if (fd < 0 || st.st_ino != followed_st.st_ino)
+          if (fd < 0 || (st.st_ino != followed_st.st_ino && st.st_size > 0))
             {
               msg_trace("log_reader_fd_check file moved eof",
                         evt_tag_int("pos", pos),
commit 8ad0edb1e4198bbf657708d07360bbac8b30b55a
Author: Balazs Scheidler <bazsi@balabit.hu>
Date:   Thu Feb 5 11:26:18 2009 +0100

    [affile] validate file type before opening
    
    report an error if a file is opened using the pipe() driver, OR a
    fifo is opened using the file() driver. named pipes should really be
    driven by the pipe() driver.

diff --git a/src/affile.c b/src/affile.c
index f9264a7..e582a5d 100644
--- a/src/affile.c
+++ b/src/affile.c
@@ -45,6 +45,7 @@ affile_open_file(gchar *name, gint flags,
                  gboolean create_dirs, gboolean privileged, gboolean is_pipe, gint *fd)
 {
   cap_t saved_caps;
+  struct stat st;
 
   if (strstr(name, "../") || strstr(name, "/..")) 
     {
@@ -63,6 +64,23 @@ affile_open_file(gchar *name, gint flags,
       g_process_cap_modify(CAP_DAC_READ_SEARCH, TRUE);
       g_process_cap_modify(CAP_SYS_ADMIN, TRUE);
     }
+  if (stat(name, &st) >= 0)
+    {
+      if (is_pipe && !S_ISFIFO(st.st_mode))
+        {
+          msg_error("Error opening pipe, underlying file is not a FIFO, it should be used by file()",
+                    evt_tag_str("filename", name),
+                    NULL);
+          goto exit;
+        }
+      else if (!is_pipe && S_ISFIFO(st.st_mode))
+        {
+          msg_error("Error opening file, underlying file is a FIFO, it should be used by pipe()",
+                    evt_tag_str("filename", name),
+                    NULL);
+          goto exit;
+        }
+    }
   *fd = open(name, flags, mode);
   if (is_pipe && *fd < 0 && errno == ENOENT)
     {
@@ -82,6 +100,7 @@ affile_open_file(gchar *name, gint flags,
       if (mode != -1)
         fchmod(*fd, mode);
     }
+ exit:
   if (privileged)
     {
       g_process_cap_restore(saved_caps);