syslog partially ignores the firewall filter...
I've set up a firewall and I want to log the rejects to a separate log file. I've done that, but I've not been able to drop the messages from dmesg. Here is my conf file:

# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.7 2007/08/02 04:52:18 mr_bones_ Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett

options {
    chain_hostnames(off);
    sync(0);

    # The default action of syslog-ng 1.6.0 is to log a STATS line
    # to the file every 10 minutes. That's pretty ugly after a while.
    # Change it to every 12 hours so you get a nice daily update of
    # how many messages syslog-ng missed (0).
    stats(43200);
};

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};

destination messages { file("/var/log/messages"); };

# firewall
filter f_firewall { match("Rejected: "); };
filter f_no_firewall { not match("Rejected: "); };

destination firewall {
    file("/var/log/iptables.log" owner("root") group("adm") perm(0640));
};

log { source(src); filter(f_firewall); destination(firewall); flags(final); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };

# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

log { source(src); filter(f_no_firewall); destination(messages); };
log { source(src); destination(console_all); };

How can I fix it? Thanks
Hi,
> -----Original Message-----
> From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of eial@cs.bgu.ac.il
> Sent: Monday, February 11, 2008 10:53 AM
> To: syslog-ng@lists.balabit.hu
> Subject: [syslog-ng] syslog partially ignores the firewall filter...
>
> I've set up a firewall and I want to log the rejects to a separate log file. I've done that, but I've not been able to drop the messages from dmesg. Here is my conf file
dmesg shows the contents of the kernel ring buffer; this has nothing to do with the syslog daemon.

BTW, your conf file could be made more efficient. Instead of matching against every log message, one could narrow down the filtering to the kernel facility, using a filter like this:

filter f_firewall { facility(kern) and match("Rejected: "); };

If you were using the log-level and log-prefix options of iptables then a more efficient filter could be set up.

And later, when you're using the final() statement, no messages which have matched this filter would pass to the second log stanza, so evaluating a second filter doesn't make sense as it won't match; it only takes CPU cycles.

Regards,

Sandor
--------------------------------------------------------
NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.
OK, unfortunately none of this has helped me. What I want to do is simple:

1. I want to log all iptables rejects to a different log [Done]
2. I want all iptables rejects NOT to show in messages <=== that I can't seem to do.

That's what I'm trying to do, but without any success.

On Mon 11 Feb 12:11 2008 Geller Sandor (IT) wrote:
> [...]
eial@cs.bgu.ac.il wrote:
> [...]
If you've already got the matching for iptables logging working, all you're missing is either flags(final) (as previously mentioned in the thread) and/or the order of the log statements.

Assuming your source name is 'src', and you want logging to /var/log/firewall.(YYYY)-(MM)-(DD):

- First part of your conf file is your destinations:

destination d_firewall {
    file("/var/log/firewall.$YEAR-$MONTH-$DAY" owner("root") group("adm") perm(0640));
};

- Second part of your conf file is your filter (courtesy of Sandor):

filter f_firewall { facility(kern) and match("Rejected: "); };

- Third part of your conf file is the log statements. Use this one first and use flags(final):

log { source(src); filter(f_firewall); destination(d_firewall); flags(final); };

(All of your other "log" statements go below here; iptables messages will not get logged anywhere else.)

-Matt Cuttler
--
Matt Cuttler
mcuttler {at} bnl {.} gov
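Putting Sandor's facility/prefix filter and Matt's ordering advice together, the following is a complete syslog-ng configuration added here as an illustration; it is not taken from any message in this thread. It uses the syslog-ng 1.6 syntax of the Gentoo default file quoted above and assumes the iptables LOG rule shown in the leading comment, i.e. a log prefix of "Rejected: " and the LOG target's default level of warning. The file paths, the /dev/tty12 console destination and the source definition are carried over from the original poster's configuration; everything else (filter names, destination names, the level() test) is this example's own choice.

```conf
# Added example, not from the thread: route iptables rejects to their own
# file and keep them out of /var/log/messages and the tty12 console.
#
# Assumed firewall rules (prefix and level are assumptions for this example;
# "warning" is also what the LOG target uses when --log-level is omitted):
#   iptables -A INPUT -j LOG --log-prefix "Rejected: " --log-level warning
#   iptables -A INPUT -j REJECT

options {
    chain_hostnames(off);
    sync(0);
    stats(43200);
};

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");      # kernel messages, including iptables LOG output
};

# Check the cheap metadata first: facility(kern) and level(warning) discard
# every non-kernel / non-warning message before the regex in match() runs.
# The level() test only holds if the LOG rule really logs at warning.
filter f_firewall {
    facility(kern) and level(warning) and match("Rejected: ");
};
# On syslog-ng 3.x write the regex part as match("Rejected: " value("MESSAGE")).

destination d_firewall {
    file("/var/log/iptables.log" owner("root") group("adm") perm(0640));
};
destination d_messages { file("/var/log/messages"); };
destination d_console  { file("/dev/tty12"); };

# Order matters: this statement comes first and carries flags(final), so a
# message that matches f_firewall stops here and never reaches d_messages
# or d_console. No "not match(...)" filter is needed on the later statements.
log { source(src); filter(f_firewall); destination(d_firewall); flags(final); };

# Everything that was not consumed above.
log { source(src); destination(d_messages); };
log { source(src); destination(d_console); };

# Note: dmesg reads the kernel ring buffer directly, so rejected packets will
# still appear in its output no matter how syslog-ng is configured.
```

To verify after restarting syslog-ng, send a packet that hits the LOG rule and run `grep -c "Rejected: " /var/log/iptables.log /var/log/messages`: the count should be non-zero only for iptables.log. If a line still lands in messages, the usual causes are a prefix that differs from the one in match() (the prefix must be copied exactly, trailing space included) or a LOG rule logging at a level other than the one tested by level().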
participants (3)
- eial@cs.bgu.ac.il
- Geller, Sandor (IT)
- Matt Cuttler