[syslog-ng] iptables syslog-ng logs way too big

Wolfgang Braun syslog-ng@lists.balabit.hu
Fri, 17 Dec 2004 17:14:09 +0100


On Fri, 17.12.2004 at 11:37, garvald@bluemail.ch wrote:

> hi there

Hi

> bit of a problem with too many logs being generated and I'm not sure what
> to do. I'm using an iptables firewall setup like this:
> 
> $IPTABLES -t filter -N ACCEPTLOG
> $IPTABLES -t filter -A ACCEPTLOG -j LOG --log-prefix "iptables:" --log-level\
> debug
> $IPTABLES -t filter -A ACCEPTLOG -j ACCEPT
> 
> the firewall is also a masquerading NAT gateway for about 50 clients. I want
> to record all traffic flowing through the gateway,[...]

I do something similar but limit the amount of packets being logged by 

iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j LOG
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

so I get only one entry (the first packet) per connection; used mainly
to do a statistic on what ports are being knocked on.




>  [...] but i'd much prefer to have
> smaller logs but with the necessary information still there. 
                            ^^^^^^^^^^^^^^^^^^^^^ 
Which leads to my main question:

What exactly do you do with the logged data? (If you don't mind telling)

I'm currently writing a whitepaper on the use of syslog-ng to build a syslog
infrastructure (collect logs on a central loghost, dump them into a
relational DB, get useful information out of the DB).
The most interesting part so far is the latter, getting something useful
out of the logs, so I'm very curious what you do with those 500MB+ per
day.


> [...] I've tried different log levels in my firewall but it doesn't seem to change
> anything. Would be grateful for any help.

The '--log-level debug' parameter you use specifies the priority the
message gets tagged with; it doesn't change the behaviour of the packet
filter in any way.


> 
> cheers, garvald

Wolfgang

-- 
Wolfgang Braun <wolfgang.braun@gmx.de>, Dipl. Inform. (FH)
gpg-key: 1024D/4B32CE55
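The two points made in this thread, reducing volume by logging only the first packet of a connection (`-m state --state NEW`) and then turning the remaining LOG lines into a per-port statistic, can be checked against an existing log before touching the rule set. The script below is an added example, not code from the list post or from the syslog-ng project: it parses the kernel's LOG target output (the `IN= OUT= SRC= DST= ... PROTO= SPT= DPT=` key/value format behind the `--log-prefix "iptables:"` quoted above), counts packets per protocol and destination port, and estimates how many lines a NEW-only rule would have kept by treating a TCP SYN without ACK as a connection start. The syslog lines, hostnames and addresses are constructed for the example; the function names are mine.

```python
"""Summarise iptables LOG output: per-port "what is being knocked on"
statistics and an estimate of how much a --state NEW rule would shrink it.
Added example, not from the mailing list post; all sample data is constructed."""
import re
from collections import Counter

LOG_PREFIX = "iptables:"                      # same --log-prefix as the quoted rule
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")      # KEY=VALUE tokens (value may be empty, e.g. OUT=)
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG|DF)\b")  # bare flag tokens

# Constructed sample: five logged packets, one established-connection packet
# (ACK PSH) and one unrelated sshd line that the parser must ignore.
SAMPLE_LOG = """\
Dec 17 11:37:01 gw kernel: iptables:IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 17 11:37:03 gw kernel: iptables:IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1235 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 17 11:37:05 gw kernel: iptables:IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1236 PROTO=TCP SPT=51001 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 17 11:37:08 gw kernel: iptables:IN=ppp0 OUT= SRC=203.0.113.22 DST=198.51.100.7 LEN=78 TOS=0x00 PREC=0x00 TTL=60 ID=9 PROTO=UDP SPT=1024 DPT=53 LEN=58
Dec 17 11:37:09 gw kernel: iptables:IN=ppp0 OUT= SRC=203.0.113.22 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=10 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Dec 17 11:37:12 gw kernel: iptables:IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=1240 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=501 RES=0x00 ACK PSH URGP=0
Dec 17 11:37:13 gw sshd[4242]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""


def parse_log_line(line, prefix=LOG_PREFIX):
    """Return the KEY=VALUE fields of one kernel LOG line plus a FLAGS set,
    or None when the line did not come from our LOG rule."""
    marker = "kernel: " + prefix
    idx = line.find(marker)
    if idx < 0:
        return None
    body = line[idx + len(marker):]
    fields = {}
    for key, value in FIELD_RE.findall(body):
        # UDP and ICMP lines repeat LEN= / ID= for the inner header; the
        # first occurrence is the IP header value, so keep that one.
        fields.setdefault(key, value)
    fields["FLAGS"] = set(FLAG_RE.findall(body))
    return fields


def port_stats(lines, prefix=LOG_PREFIX):
    """Count logged packets per (PROTO, destination port); ICMP has no
    port, so it is bucketed by TYPE instead."""
    counts = Counter()
    for line in lines:
        f = parse_log_line(line, prefix)
        if f is None:
            continue
        proto = f.get("PROTO", "?")
        if proto in ("TCP", "UDP"):
            key = f.get("DPT", "?")
        else:
            key = "type=" + f.get("TYPE", "?")
        counts[(proto, key)] += 1
    return counts


def source_counts(lines, prefix=LOG_PREFIX):
    """Logged packets per source address."""
    return Counter(f["SRC"] for f in map(lambda l: parse_log_line(l, prefix), lines)
                   if f is not None and "SRC" in f)


def is_connection_start(fields):
    """Approximate the conntrack NEW state from a single packet: for TCP a
    SYN without ACK; for stateless protocols every logged packet is
    counted, since one line cannot tell a request from a reply."""
    if fields.get("PROTO") == "TCP":
        return "SYN" in fields["FLAGS"] and "ACK" not in fields["FLAGS"]
    return True


def state_new_reduction(lines, prefix=LOG_PREFIX):
    """Return (total logged packets, packets a NEW-only rule would keep)."""
    total = kept = 0
    for line in lines:
        f = parse_log_line(line, prefix)
        if f is None:
            continue
        total += 1
        if is_connection_start(f):
            kept += 1
    return total, kept


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (proto, port), n in port_stats(lines).most_common():
        print(f"{proto:5} {port:>8} {n}")
    total, kept = state_new_reduction(lines)
    print(f"NEW-only rule would keep {kept} of {total} lines")
```

Run it against a real file with `port_stats(open("/var/log/kern.log"))`; on a busy gateway that logs every packet of a connection the `state_new_reduction` ratio shows how much the `--state NEW` rule from the reply buys before you change anything.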