eial@cs.bgu.ac.il wrote:
ok, unfortunately, none of this has helped me. What I want to do is simple: 1. I want to log all iptables rejects to a different log [Done] 2. I want all iptables rejects NOT to show in messages <=== that I can't seem to do. That's what I'm trying to do, but without any success.
If you've already got the matching for iptables logging working, all you're missing is either the flags final (as previously mentioned in the thread) and/or the order of the log statements.

Assuming your source name is 'src', and you want logging to /var/log/firewall.(YYYY)-(MM)-(DD):

-First part of your conf file is your destinations:

    destination d_firewall { file("/var/log/firewall.$YEAR-$MONTH-$DAY" owner("root") group("adm") perm(0640)); };

-Second part of your conf file is your filter (courtesy of Sandor):

    filter f_firewall { facility(kern) and match("Rejected :"); };

-Third part of your conf file is the log statements. Use this one first and use flags final:

    log { source(src); filter(f_firewall); destination(d_firewall); flags(final); };

(All of your other "log" statements go below here; iptables messages will not get logged anywhere else.)

-Matt Cuttler
On Mon 11 Feb 12:11 2008 Geller Sandor (IT) wrote:
Hi,
-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of eial@cs.bgu.ac.il
Sent: Monday, February 11, 2008 10:53 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] syslog partially ignores the firewall filter...
I've set up a firewall and I want to log the rejects to a separate log file. I've done that, but I've not been able to drop the messages from dmesg. Here is my conf file:
dmesg shows the contents of the kernel ring buffer; this has nothing to do with the syslog daemon.
BTW, your conf file could be made more efficient. Instead of matching against every log message, one could narrow down the filtering to the kernel facility, using a filter like this:
filter f_firewall { facility(kern) and match("Rejected :"); };
If you were using the log-level and log-prefix options of iptables, then a more efficient filter could be set up.
And later, when you're using the final() statement, no message that has matched this filter would pass to the second log stanza, so evaluating a second filter doesn't make sense: it won't match, and only takes CPU cycles.
-- --- Matt Cuttler mcuttler {at} bnl {.} gov
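The point both replies make (flags(final) only keeps the rejects out of /var/log/messages when the firewall log statement comes before the catch-all one) can be checked without a running syslog-ng. The following is an added example, not code from the thread or from the syslog-ng project: a small Python emulation of how syslog-ng walks its log statements top to bottom and stops at the first one carrying flags(final). The `Message`/`LogPath` types, the catch-all `f_messages` filter standing in for the usual /var/log/messages path, and the sample log lines are all constructed assumptions; `f_firewall` mirrors Sandor's filter.

```python
# Added example (not from the mailing-list thread or syslog-ng itself): emulate
# syslog-ng's ordered evaluation of log statements with flags(final).
from typing import Callable, List, NamedTuple


class Message(NamedTuple):
    facility: str   # syslog facility, e.g. "kern"
    text: str       # message body


class LogPath(NamedTuple):
    name: str                            # destination name, e.g. "d_firewall"
    matches: Callable[[Message], bool]   # the filter attached to this log statement
    final: bool                          # True when the statement has flags(final)


def f_firewall(msg: Message) -> bool:
    """Mirror of the thread's filter: facility(kern) and match("Rejected :")."""
    return msg.facility == "kern" and "Rejected :" in msg.text


def f_messages(msg: Message) -> bool:
    """Assumed catch-all filter feeding /var/log/messages (everything but auth)."""
    return msg.facility != "auth"


def route(messages: List[Message], paths: List[LogPath]) -> dict:
    """Evaluate log statements in order; a matching final statement ends processing."""
    delivered = {p.name: [] for p in paths}
    for msg in messages:
        for path in paths:
            if path.matches(msg):
                delivered[path.name].append(msg.text)
                if path.final:
                    break   # flags(final): later log statements never see this message
    return delivered


# Constructed sample traffic: two firewall rejects plus two unrelated lines.
SAMPLE = [
    Message("kern", "Rejected : IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP DPT=22"),
    Message("daemon", "sshd[1234]: Accepted publickey for alice"),
    Message("kern", "Rejected : IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=UDP DPT=53"),
    Message("kern", "eth0: link up"),
]


def firewall_isolated(firewall_first: bool, use_final: bool) -> bool:
    """True when no firewall reject reaches d_messages under the given conf layout."""
    fw = LogPath("d_firewall", f_firewall, use_final)
    msgs = LogPath("d_messages", f_messages, False)
    paths = [fw, msgs] if firewall_first else [msgs, fw]
    out = route(SAMPLE, paths)
    return not any("Rejected :" in line for line in out["d_messages"])


if __name__ == "__main__":
    for order in (True, False):
        for final in (True, False):
            print(f"firewall log first={order!s:5} final={final!s:5} -> "
                  f"rejects kept out of messages: {firewall_isolated(order, final)}")
```

Only the combination "firewall log statement first, with flags(final)" returns True; putting the final-flagged statement after the catch-all is too late, because the catch-all has already delivered the message by the time final is reached.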