On Fri, 17.12.2004 at 11:37, garvald@bluemail.ch wrote:
hi there
Hi
bit of a problem with too many logs being generated and i'm not sure what to do. I'm using an iptables firewall setup like this:

$IPTABLES -t filter -N ACCEPTLOG
$IPTABLES -t filter -A ACCEPTLOG -j LOG --log-prefix "iptables:" --log-level debug
$IPTABLES -t filter -A ACCEPTLOG -j ACCEPT
the firewall is also a masquerading NAT gateway for about 50 clients. I want to record all traffic flowing through the gateway,[...]
I do something similar but limit the amount of packets being logged by

iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j LOG

so I get only one entry (the first packet) per connection; used mainly to do a statistic on what ports are being knocked on.
[...] but i'd much prefer to have smaller logs but with the necessary information still there.

Which leads to my main question:

What exactly do you do with the logged data? (If you don't mind telling) I'm currently writing a whitepaper on the use of syslog-ng to build a syslog infrastructure (collect logs on a central loghost, dump them into a relational DB, get useful information out of the DB). The most interesting part so far is the latter, getting something useful out of the logs, so I'm very curious what you do with those 500MB+ per day.
[...] i've tried different log levels in my firewall but it doesn't seem to change anything. Would be grateful for any help.
The '--log-level debug' parameter you use specifies the priority the message gets tagged with, it doesn't change the behaviour of the packet filter in any way.
cheers, garvald
Wolfgang
--
Wolfgang Braun <wolfgang.braun@gmx.de>, Dipl. Inform. (FH)
gpg-key: 1024D/4B32CE55
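As an added illustration of the "statistic on what ports are being knocked on" that Wolfgang describes (this is example code written for this page, not anything either poster ran): a small parser for kernel LOG-target lines carrying the "iptables:" prefix from the thread, which aggregates connection attempts per destination port and per source. The log lines are constructed samples in the format the LOG target emits; hostnames and addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real traffic) in the KEY=VALUE
# format the iptables LOG target writes, using the thread's "iptables:" prefix.
# The last line is an unrelated sshd message that the parser must skip.
SAMPLE_LOG = """\
Dec 17 11:37:01 gw kernel: iptables:IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 17 11:37:02 gw kernel: iptables:IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=44322 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 17 11:37:05 gw kernel: iptables:IN=ppp0 OUT= SRC=198.18.0.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 17 11:37:09 gw kernel: iptables:IN=ppp0 OUT= SRC=198.18.0.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=4 PROTO=UDP SPT=5000 DPT=53 LEN=20
Dec 17 11:37:10 gw sshd[123]: Accepted publickey for admin from 192.0.2.1 port 5555 ssh2
"""

PREFIX = "iptables:"                      # the --log-prefix used in the thread
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=VALUE tokens; bare flags (DF, SYN) are ignored


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG-target line as a dict,
    or None when the line does not carry our log prefix."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len(PREFIX):]))


def port_knock_stats(text):
    """Aggregate logged packets: hits per (PROTO, DPT) and the set of
    distinct SRC addresses seen for each port."""
    per_port = Counter()
    sources = {}
    for line in text.splitlines():
        fields = parse_log_line(line)
        if not fields or "DPT" not in fields:
            continue  # not a firewall log line, or no transport port (e.g. ICMP)
        key = (fields.get("PROTO", "?"), int(fields["DPT"]))
        per_port[key] += 1
        sources.setdefault(key, set()).add(fields.get("SRC"))
    return per_port, sources


if __name__ == "__main__":
    hits, srcs = port_knock_stats(SAMPLE_LOG)
    for (proto, port), n in hits.most_common():
        print(f"{proto}/{port}: {n} attempt(s) from {len(srcs[(proto, port)])} source(s)")
```

With the NEW-state-only rule from the thread, each hit corresponds to one connection attempt rather than one packet, which is what makes a per-port count meaningful.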