[syslog-ng]kern (iptable) logs cut off

Jim Gifford maillist@jg555.com
Wed, 7 Aug 2002 22:06:45 -0700


What are you using for your match statement for iptables? I use match("IN=")
with no problem.

----- Original Message -----
From: "Caylan Van Larson" <caylan@cs.und.edu>
To: <syslog-ng@lists.balabit.hu>
Sent: Wednesday, August 07, 2002 10:03 PM
Subject: [syslog-ng]kern (iptable) logs cut off


> Greetings,
>
> This is on a RedHat 7.3 Box.
>
> We were using the latest syslog-ng rpm from redhat and we noticed that
> upon migration from syslogd to syslog-ng our iptable logs were getting
> mangled.
>
> Here is an excerpt from syslogd logging of iptables (/var/log/messages):
>
> Aug  7 23:41:47 smack kernel: IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.217.37 DST=134.129.212.30 LEN=240 TOS=0x00 PREC=0x00 TTL=127 ID=13570 PROTO=UDP SPT=138 DPT=138 LEN=220
> Aug  7 23:41:48 smack kernel: IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.201.29 DST=134.129.212.30 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=10095 DF PROTO=TCP SPT=4997 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0
> Aug  7 23:41:48 smack kernel: IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.220.175 DST=134.129.212.30 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=12752 PROTO=UDP SPT=137 DPT=137 LEN=58
> Aug  7 23:41:49 smack kernel: IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.220.175 DST=134.129.212.30 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=13008 PROTO=UDP SPT=137 DPT=137 LEN=58
> Aug  7 23:41:49 smack kernel: IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.220.175 DST=134.129.212.30 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=13264 PROTO=UDP SPT=137 DPT=137 LEN=58
>
> Very nice as you can see.
>
> Now, we would love to use syslog-ng but this is from syslog-ng (/var/log/kern):
>
> Aug  7 23:38:17 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:
> Aug  7 23:38:17 smack IPTABLES ICMP-IN: IN=eth1 OUT= MAC=00:03:
> Aug  7 23:38:19 smack IPTABLES ICMP-IN: IN=eth1 OUT= MAC=00:03:
> Aug  7 23:38:20 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=24.220.215.146 DST=134.129.212.30 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=20216 DF PROTO=TCP SPT=2406 DPT=53 WINDOW=2144 RES=0x00 SYN URGP=0
> Aug  7 23:38:20 smack IPTABLES ICMP-IN: IN=eth1 OUT= MAC=
> Aug  7 23:38:23 smack IPTABLES ICMP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=192.36.148.20 DST=134.129.212.30 LEN=52 TOS=0x00 PREC=0x00 TTL=5 ID=6179 PROTO=ICMP TYPE=8 CODE=0 ID=22608 SEQ=17
> Aug  7 23:38:23 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=
> Aug  7 23:38:24 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:
> Aug  7 23:38:25 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.201.29 DST=134.129.212.30 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=6213 DF PROTO=TCP SPT=1030 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0
> Aug  7 23:38:25 smack IPTABLES ICMP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=192.36.148.20 DST=134.129.212.30 LEN=52 TOS=0x00 PREC=0x00 TTL=243 ID=6479 PROTO=ICMP TYPE=8 CODE=0 ID=22608 SEQ=255
>
> At the same time I find this!!!  Could this be the other part of what's missing above?
>
> [root@smack log]# tail -f user
> Aug  7 23:42:26 smack TO=0x00 PREC=0x00 TTL=127 ID=14587 PROTO=UDP SPT=137 DPT=137 LEN=58
> Aug  7 23:42:37 smack C=UDPT=1
> Aug  7 23:42:39 smack 0TL=127 I5998 PROTO=UDP SPT=137 DPT=137 L8
> Aug  7 23:42:43 smack 0 PREC=0 TTL=127 ID=18027 PROTO=UDP SPT=17 D37 N=
> Aug  7 23:42:57 smack =x00L=127D=1826 PROTO=UDP SPT=137 DPT=137N=
> Aug  7 23:43:05 smack =0x00 TTL7 I14 DF
> Aug  7 23:43:22 smack O=TCP SPT=4481 DPT=53 WINDOW=16384 RES=0x00 SYN U
> Aug  7 23:43:24 smack LEN=78 =0x00 PREC=0x00 TTL=127 ID=21968 PROTDP SPT=137 DPT=137 LEN=58
> Aug  7 23:43:28 smack T=138 DPT
> Aug  7 23:43:31 smack T53 W
>
> Not to mention some other output going to /var/log/bootup.  This output
> consists of iptable startup information...
>
> I have tried every combo of syslog-ng klogd imaginable.  I have tried to
> tinker with the global src using pipes and files for the kernel logging
> but that got nowhere...  Same results.
>
> This is experienced using:
> libol-0.3.3
> syslog-ng-1.5.19
>
> syslog-ng-1.5.17-1.i386.rpm
>
> The command dmesg gives nice iptables output.  So I know it is not
> iptables' fault.  Iptables is configured to log at level 5 for normal
> dropped packets and log level 5 for other more serious packets.
>
> Below is my syslog-ng.conf file.
>
> Thank you for any help!!!  I need to work on the firewall and it is hard
> with no logs.. :(
>
> Thanks again,
>
>
>
> Caylan Van Larson
>
>
>
> --SNIP
> Here is my syslog-ng.conf:
>
> # This file should be compatible with the out-of-the-box
> # /etc/syslog.conf on Red Hat Linux
> # global options
> #
> options { use_dns(yes);
>           use_fqdn(no);
>           use_time_recvd(no);
>           chain_hostnames(no);
>           mark(0);
>           sync(0);
> };
>
> # sources
> #
> source s_all { internal(); unix-stream("/dev/log"); file("/proc/kmsg"); };
>
> # facility filters
> #
> filter f_authpriv { facility(authpriv); };
> filter f_auth { facility(auth); };
> filter f_boot { facility(local7); };
> filter f_2511 { facility(local5); };
> filter f_6509-1-log { facility(local4); };
> filter f_6509-2-log { facility(local3); };
> filter f_cron { facility(cron); };
> filter f_kern { facility(kern); };
> filter f_user { facility(user); };
> filter f_lpr { facility(lpr); };
> filter f_mail { facility(mail); };
> filter f_daemon { facility(daemon); };
> filter f_messages { priority(info..emerg)
>                     and not facility(mail, news, authpriv, cron, local1,
>                     local2, local3, local4, local5, local6);
> };
> filter f_news { facility(news); };
>
> # priority filters
> #
> filter f_emerg { priority(emerg); };
> filter f_crit { priority(crit..emerg); };
> filter f_crit_only { priority(crit); };
> filter f_err { priority(err..emerg); };
> filter f_err_only { priority(err); };
> filter f_warn { priority(warning..emerg); };
> filter f_notice { priority(notice..emerg); };
> filter f_info { priority(info..emerg); };
> filter f_debug { priority(debug..emerg); };
>
> # host filters
> #
> filter f_smack { host(smack); };
>
> #destination filters
> #
> # *network*
> destination d_tcp { tcp("134.129.212.33"); };
> destination d_udp { udp("134.129.212.33"); };
> # *everyone*
> destination d_all { usertty("*"); };
> # *console*
> destination d_console { file("/dev/console"); };
> # *boot*
> destination d_smacboot { file("/var/log/bootlog"); };
> # *cron*
> destination d_smaccron { file("/var/log/cron"); };
> # *mail*
> destination d_smacmail { file("/var/log/maillog"); };
> # *messages*
> destination d_smacmsg { file("/var/log/messages"); };
> # *secure (auth & authpriv)*
> destination d_smacsec { file("/var/log/secure"); };
> # *user*
> destination d_smacuser { file("/var/log/user"); };
> # *kern*
> destination d_smackern { file("/var/log/kern"); };
> # *daemon*
> destination d_smacdaemon { file("/var/log/daemon"); };
> # *spool (lpr)*
> destination d_smacspool { file("/var/log/spooler"); };
>
>
>
> #Everyone gets emergency messages
> log { source(s_all); filter(f_emerg); destination(d_all); };
>
> #Log messages from Smack
> log { source(s_all); filter(f_cron); filter(f_debug); filter(f_smack);
> destination(d_smaccron); destination(d_tcp); };
> log { source(s_all); filter(f_authpriv); filter(f_debug); filter(f_smack);
> destination(d_smacsec); destination(d_tcp); };
> log { source(s_all); filter(f_mail); filter(f_warn); filter(f_smack);
> destination(d_smacmail); destination(d_tcp); };
> log { source(s_all); filter(f_boot); filter(f_debug);
> filter(f_smack);destination(d_smacboot); destination(d_tcp); };
>
> # fw-iptables logs at NOTICE <5> (fragments/unknown protocols) and INFO
> <6> (known udp/tcp/icmp)
> # This line will log ALL of kern locally
> log { source(s_all); filter(f_kern); filter(f_messages); filter(f_debug);
> filter(f_smack); destination(d_smackern); };
>
> # This line will only remotely log NOTICE <5> and above (5,4,3,2,1,0)
> log { source(s_all); filter(f_kern); filter(f_messages); filter(f_notice);
> filter(f_smack); destination(d_tcp); };
>
> log { source(s_all); filter(f_user); filter(f_debug); filter(f_smack);
> destination(d_smacuser); destination(d_tcp); };
> log { source(s_all); filter(f_lpr); filter(f_debug); filter(f_smack);
> destination(d_smacspool); destination(d_tcp); };
> log { source(s_all); filter(f_daemon); filter(f_notice); filter(f_smack);
> destination(d_smacdaemon); destination(d_tcp); };
> --SNAP
>
>
> Whew Thanks,
>
> Caylan Van Larson
> Unix Administrator - Systems Team Member
> University of North Dakota (Aerospace College)
> caylan@cs.und.edu
> 701-777-6151 (work)
>
>
> _______________________________________________
> syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>
>
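A check for the symptom this thread describes, as an added example that is not part of either mail and not code from syslog-ng or iptables: a parser for the kernel's key=value packet log format that classifies each syslog line as complete, cut off, or an orphaned tail, run over lines copied from the excerpts above. The sets of fields treated as required per protocol are an assumption drawn from the complete lines in the thread, not from kernel source; the sample lines are taken from the quoted /var/log/messages, /var/log/kern and /var/log/user output.

```python
import re
from collections import Counter

# Syslog line as written to the files in the thread: timestamp, host, an
# optional "kernel:" tag (syslogd added it, syslog-ng did not), then the body.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:kernel: )?(?P<body>.*)$"
)
# The IN= marker that opens every packet record: start of body or after whitespace.
IN_MARKER_RE = re.compile(r"(?:^|(?<=\s))IN=")
# Link-layer header as the kernel prints it: 14 colon-separated hex octets.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){13}[0-9a-f]{2}$")

# Assumption (taken from the complete lines in the thread): these keys are
# always present for a logged packet, plus the per-protocol extras below.
BASE_FIELDS = {"IN", "OUT", "SRC", "DST", "LEN", "TOS", "PREC", "TTL", "ID", "PROTO"}
PROTO_FIELDS = {
    "TCP": {"SPT", "DPT", "WINDOW", "RES", "URGP"},
    "UDP": {"SPT", "DPT"},
    "ICMP": {"TYPE", "CODE"},
}


def parse_iptables_line(line):
    """Parse one syslog line and classify its integrity.

    status: "ok"        header, log prefix and a complete field set
            "truncated" a packet record whose field list stops early
            "orphan"    a fragment with a syslog header but no IN= marker
            "unparsed"  not a syslog line at all
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return {"status": "unparsed", "line": line}
    body = m.group("body")
    marker = IN_MARKER_RE.search(body)
    if marker is None:
        # Tail of a split record (the thread found these in /var/log/user).
        return {"status": "orphan", "host": m.group("host"), "body": body}
    prefix = body[: marker.start()].rstrip()   # e.g. "IPTABLES UDP-IN:"
    fields, flags = {}, []
    for tok in body[marker.start():].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # UDP records carry LEN twice (IP total, then UDP length) and ICMP
            # records carry ID twice; keep repeats by numbering them: LEN, LEN2, ...
            k, n = key, 2
            while k in fields:
                k, n = f"{key}{n}", n + 1
            fields[k] = val
        else:
            flags.append(tok)   # bare tokens such as DF, SYN, ACK
    problems = sorted(BASE_FIELDS - set(fields))
    proto = fields.get("PROTO")
    if proto in PROTO_FIELDS:
        problems += sorted(PROTO_FIELDS[proto] - set(fields))
    # MAC= may legitimately be empty (no link-layer header), but a non-empty
    # value must be all 14 octets; "MAC=00:" is a record cut mid-field.
    mac = fields.get("MAC", "")
    if mac and not MAC_RE.match(mac):
        problems.append("MAC:malformed")
    return {
        "status": "ok" if not problems else "truncated",
        "host": m.group("host"), "prefix": prefix,
        "fields": fields, "flags": flags, "problems": problems,
    }


def audit(lines):
    """Classify every line; return (status counts, per-line records)."""
    records = [parse_iptables_line(line) for line in lines]
    return Counter(r["status"] for r in records), records


# Constructed sample: lines copied from the thread's excerpts. Two complete
# records as syslogd wrote them, two cut-off heads as syslog-ng wrote them to
# /var/log/kern, and one orphaned tail from /var/log/user.
SAMPLE_LINES = [
    "Aug  7 23:41:47 smack kernel: IPTABLES UDP-IN: IN=eth1 OUT= "
    "MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.217.37 "
    "DST=134.129.212.30 LEN=240 TOS=0x00 PREC=0x00 TTL=127 ID=13570 PROTO=UDP "
    "SPT=138 DPT=138 LEN=220",
    "Aug  7 23:41:48 smack kernel: IPTABLES TCP-IN: IN=eth1 OUT= "
    "MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.201.29 "
    "DST=134.129.212.30 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=10095 DF PROTO=TCP "
    "SPT=4997 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0",
    "Aug  7 23:38:17 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:",
    "Aug  7 23:38:20 smack IPTABLES ICMP-IN: IN=eth1 OUT= MAC=",
    "Aug  7 23:42:26 smack TO=0x00 PREC=0x00 TTL=127 ID=14587 PROTO=UDP "
    "SPT=137 DPT=137 LEN=58",
]

if __name__ == "__main__":
    counts, records = audit(SAMPLE_LINES)
    for r in records:
        print(r["status"], r.get("prefix", ""), r.get("problems", ""))
    print(dict(counts))
```

Run it over /var/log/kern and /var/log/user together, not just the kern file: Jim's match("IN=") filter would select the cut-off heads (they still begin with IN=) but would never see the tails, which carry no IN= token at all, so the orphan count across every destination is what tells you whether the kernel log path is splitting records. A non-zero truncated or orphan count means the firewall logs cannot yet be relied on for an investigation, and since dmesg shows the records intact (as the original post notes) the fix belongs in the log pipeline, not in the iptables rules.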