Logging to a specific destination
I need to log all messages from iptables, ipmasq to a particular file (say iptables.log) and to that only and nothing else. Is there a way to specifically define this, i.e. say that messages from this daemon should go nowhere else? I've tried -

# IPMasq Messages
destination ipmasq { file("/var/log/iptables.log" owner("root") group("adm") perm(0640)); };

filter f_iptables( match("iptables"); );
filter fn_iptables( not match("iptables"); );

log { source(src); filter(f_authpriv); filter(fn_iptab); destination(authlog); };
log { source(src); filter(f_syslog); filter(fn_iptab); destination(syslog); };
log { source(src); filter(f_daemon); filter(fn_iptab); destination(daemon); };
log { source(src); filter(f_kern); filter(fn_iptab); destination(kern); };
log { source(src); filter(f_lpr); filter(fn_iptab); destination(lpr); };
log { source(src); filter(f_mail); filter(fn_iptab); destination(mail); };
log { source(src); filter(f_user); filter(fn_iptab); destination(user); };
log { source(src); filter(f_uucp); filter(fn_iptab); destination(uucp); };

log { source(src); filter(f_iptab); destination(ipmasq); };

Yet all the IPMasq messages are passed to both iptables.log and /var/log/messages.

All IPMasq messages are prefixed with the string "iptables" using --log-prefix iptables

What am I doing wrong?

Thanks,
Anoop
///
________________________________________________
Everybody has something to conceal.
-- Humphrey Bogart
I think the problem may be that as iptables logs under the KERN facility, the iptables logs are being directed to /var/log/messages with all of the other kernel logs. It's not a certainty, I'm taking this information from a post on the debian security list.

I guess you could either just apply the f_niptab filter to the /var/log/messages destination (which I assume that you have omitted here) or just create another filter that drops all kernel messages to /var/log/messages.

Of course I may just be making a complete fool out of myself. Anyone care to correct/elaborate/expand/flame?

mark

On Thu, Aug 12, 2004 at 01:33:38PM -0500, Anoop Rajendra wrote:
> I need to log all messages from iptables, ipmasq to a particular file (say iptables.log) and to that only and nothing else. Is there a way to specifically define this, i.e. say that messages from this daemon should go nowhere else? I've tried -
>
> # IPMasq Messages
> destination ipmasq { file("/var/log/iptables.log" owner("root") group("adm") perm(0640)); };
>
> filter f_iptables( match("iptables"); );
> filter fn_iptables( not match("iptables"); );
>
> log { source(src); filter(f_authpriv); filter(fn_iptab); destination(authlog); };
> log { source(src); filter(f_syslog); filter(fn_iptab); destination(syslog); };
> log { source(src); filter(f_daemon); filter(fn_iptab); destination(daemon); };
> log { source(src); filter(f_kern); filter(fn_iptab); destination(kern); };
> log { source(src); filter(f_lpr); filter(fn_iptab); destination(lpr); };
> log { source(src); filter(f_mail); filter(fn_iptab); destination(mail); };
> log { source(src); filter(f_user); filter(fn_iptab); destination(user); };
> log { source(src); filter(f_uucp); filter(fn_iptab); destination(uucp); };
>
> log { source(src); filter(f_iptab); destination(ipmasq); };
>
> Yet all the IPMasq messages are passed to both iptables.log and /var/log/messages.
>
> All IPMasq messages are prefixed with the string "iptables" using --log-prefix iptables
>
> What am I doing wrong?
>
> Thanks,
> Anoop
> ///
> ________________________________________________
> Everybody has something to conceal.
> -- Humphrey Bogart
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
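An added example, not part of either post and not the posters' configuration: one way to keep the iptables lines out of every other file, following the reply's suggestion. `src` and `ipmasq` are the names used in the question; the `messages` destination and `f_messages` filter are assumed names for the /var/log/messages path that the question does not show.

```conf
# Added example (not from the thread). Names marked "assumed" do not
# appear in the posted configuration.

destination ipmasq {
    file("/var/log/iptables.log" owner("root") group("adm") perm(0640));
};
destination messages { file("/var/log/messages"); };          # assumed

# Filter bodies are written in braces, and the names defined here are
# exactly the names referenced in the log statements below.
# Restricting the positive match to facility(kern) keeps user-space lines
# that merely mention "iptables" (e.g. a logged shell command) in their
# normal files instead of diverting them to iptables.log.
filter f_iptables  { facility(kern) and match("iptables"); };
filter fn_iptables { not (facility(kern) and match("iptables")); };
filter f_messages  {                                          # assumed
    level(info, notice, warn) and not facility(auth, authpriv);
};

# Option 1: place the iptables path BEFORE all other log statements and
# mark it final. A message that matches f_iptables is written to
# iptables.log and is not evaluated by any later log statement.
log { source(src); filter(f_iptables); destination(ipmasq); flags(final); };

# Option 2: add the negated filter to every other path, including the
# one that feeds /var/log/messages. With Option 1 in place this is
# redundant; without it, every path that lacks fn_iptables still
# receives the kernel's iptables lines.
log { source(src); filter(f_messages); filter(fn_iptables); destination(messages); };
log { source(src); filter(f_kern);     filter(fn_iptables); destination(kern); };
```

`flags(final)` only affects log statements that come after it in the file, so the order of the statements matters for Option 1.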
participants (2)
- Anoop Rajendra
- markzero@logik.ath.cx