RE: [syslog-ng] logging pauses and log entry truncation
I can't comment on the /var/log/kern or /var/log/bootup stuff, as I simply have ALL logs go to a single file and do post-processing on it nightly which filters, splits, etc., and so far I have not had any problems with it failing to log to the logfile at any point.

Because I'm sending all logs to a single destination (actually multiple destinations, but the point here is that ALL logs go to them), I don't set the log-level in my iptables statements, but I do set the log prefix:

    iptables -A INPUT -j LOG --log-prefix "$pkey input drop cleanup "
    iptables -A INPUT -j DROP

So perhaps the log-prefix option could be the cause of the problem since we're both using them. If I get some time this afternoon I'll remove those from a test firewall and see if it continues to mangle/truncate the iptables log entries.

---
Dustin D. Trammell
Information Security Specialist
Penson Financial Services, Inc.

-----Original Message-----
From: Caylan Van Larson [mailto:caylan@cs.und.edu]
Sent: Wednesday, August 14, 2002 10:57
To: Dustin Trammell
Cc: 'syslog-ng@lists.balabit.hu'
Subject: RE: [syslog-ng] logging pauses and log entry truncation

Also, I would like to add that syslog-ng stops appending to /var/log/kern after about 20k of data. It just stops, nothing. I restart syslog-ng and here is what happens:

/var/log/bootup

    Aug 14 10:49:44 smack syslog-ng: klogd shutdown succeeded
    Aug 14 10:49:48 smack syslog-ng: syslog-ng startup succeeded
    Aug 14 10:49:48 smack syslog-ng: klogd startup succeeded

(never says anything about syslog-ng shutdown succeeded, is this normal?)

/var/log/kern

Populated for about 30k of data, truncated.

I would also like to know why when I restart iptables it puts any output from the scripts to /var/log/bootup??? For instance, the iptables init script calls a firewall script that runs a bunch of iptables commands. This script also outputs some settings:

--SNIP (from /var/log/bootup on iptables restart)
Aug 14 10:50:53 smack fw-iptables: Serving port 22 (tcp) only to 134.129.212.0/24 134.129.217.128/26
Aug 14 10:50:53 smack fw-iptables: Serving port 113 (tcp) only to 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Serving port 515 (tcp) to the world.
Aug 14 10:50:53 smack fw-iptables: Serving needs client as well: Client may access port 9100 (tcp) anywhere.
Aug 14 10:50:53 smack fw-iptables: Enabling DNS Server Communications:
Aug 14 10:50:53 smack fw-iptables: Serving port 53 (udp) to the world.
Aug 14 10:50:53 smack fw-iptables: Serving needs client as well: Client may access port 53 (udp) anywhere.
Aug 14 10:50:53 smack fw-iptables: Serving port 53 (tcp) Zone Transfers to 134.129.217.44
Aug 14 10:50:53 smack fw-iptables: Serving port 53 (tcp) Zone Transfers to 134.129.217.46
Aug 14 10:50:53 smack fw-iptables: Serving port 67 (udp) to the world.
Aug 14 10:50:53 smack fw-iptables: Serving port 58884 (tcp) only to 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 515 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 389 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 636 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 37 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 514 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 514 (udp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 143 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 993 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 110 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 995 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 58884 (tcp) only on 134.129.212.0/24
Aug 14 10:50:53 smack fw-iptables: Client may access port 23 (tcp) anywhere.
Aug 14 10:50:53 smack fw-iptables: Client may access port 113 (tcp) anywhere.
--SNAP

Also, it may help to know that I am running all of my iptables LOG commands with the --log-level 6 and with custom --log-prefix "PREFIX" like this:

--SNIP
# Any tcp not already allowed is logged and then dropped.
iptables -A INPUT -i $IFACE -p tcp -j LOG --log-level 6 --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i $IFACE -p tcp -j DROP
iptables -A OUTPUT -o $IFACE -p tcp -j LOG --log-level 6 --log-prefix "IPTABLES TCP-OUT: "
iptables -A OUTPUT -o $IFACE -p tcp -j DROP
--SNAP

Are you adding these loglevel and logprefix switches also? Could this possibly be the problem? If iptables is adding these prefixes too late? I don't know :P

Thanks,
Caylan
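As an added illustration of the two symptoms this thread is chasing (entries cut off mid-line and the log going silent), here is a small Python checker that is not part of the original mail: it parses syslog lines, verifies that every iptables LOG entry carries the kernel's standard SRC=/DST=/PROTO= fields (plus SPT=/DPT= for TCP and UDP), and flags silences between consecutive timestamps. The sample lines, the host, interface and addresses in them, and the year 2002 used to complete the year-less syslog timestamps are constructed assumptions.

```python
import re
from datetime import datetime
# Constructed sample /var/log/kern lines (not from the thread). The prefixes match the
# LOG rules quoted above; IN= OUT= SRC= DST= PROTO= SPT= DPT= are the kernel LOG
# target's standard fields. Line 3 is cut off mid-entry; line 4 follows a 32-minute silence.
SAMPLE_LOG = """\
Aug 14 10:51:02 smack kernel: IPTABLES TCP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=52 PROTO=TCP SPT=44321 DPT=22 SYN URGP=0
Aug 14 10:51:03 smack kernel: IPTABLES TCP-IN: IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.5 LEN=60 TTL=52 PROTO=TCP SPT=44322 DPT=23 SYN URGP=0
Aug 14 10:51:04 smack kernel: IPTABLES TCP-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.1
Aug 14 11:23:10 smack kernel: IPTABLES TCP-OUT: IN= OUT=eth0 SRC=203.0.113.5 DST=198.51.100.9 LEN=60 TTL=64 PROTO=TCP SPT=1025 DPT=80 SYN URGP=0
"""

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
                       r"(?P<host>\S+) (?P<program>[^:]+): (?P<msg>.*)$")

def parse_line(line, year=2002):
    # Classic BSD-syslog timestamps carry no year, so one is assumed (2002 here).
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    start = msg.find("IN=")  # the LOG target's key=value fields begin at IN=
    prefix = msg if start < 0 else msg[:start]
    # Bare flags such as DF or SYN carry no "=" and are skipped.
    fields = dict(t.split("=", 1) for t in msg[start:].split() if "=" in t) if start >= 0 else {}
    return {"ts": ts, "program": m["program"], "prefix": prefix.strip(), "fields": fields}

def missing_fields(fields):
    # Fields every complete iptables LOG entry carries; a cut-off line lacks some of them.
    missing = [f for f in ("SRC", "DST", "PROTO") if f not in fields]
    if fields.get("PROTO") in ("TCP", "UDP"):
        missing += [f for f in ("SPT", "DPT") if f not in fields]
    return missing

def audit_kernel_log(text, max_gap_seconds=600, year=2002):
    # Returns (lineno, missing fields) per truncated entry and (last_ts, next_ts) per silence.
    truncated, gaps, prev = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line, year)
        if rec is None:
            continue
        if rec["program"] == "kernel" and rec["prefix"].startswith("IPTABLES") and (lacking := missing_fields(rec["fields"])):
            truncated.append((lineno, lacking))
        if prev is not None and (rec["ts"] - prev).total_seconds() > max_gap_seconds:
            gaps.append((prev, rec["ts"]))
        prev = rec["ts"]
    return {"truncated": truncated, "gaps": gaps}
```

Run against a real /var/log/kern, a non-empty "truncated" list points at mangled entries and a non-empty "gaps" list at the pauses; a line with PROTO=TCP but no SPT=/DPT= is the typical signature of a cut-off LOG entry.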
participants (1)
-
Dustin Trammell