[syslog-ng] iptables syslog-ng logs way too big

syslog-ng@lists.balabit.hu
Fri, 17 Dec 2004 11:37:16 +0100


hi there,
bit of a problem with too many logs being generated and I'm not sure what
to do. I'm using an iptables firewall setup like this:

$IPTABLES -t filter -N ACCEPTLOG
$IPTABLES -t filter -A ACCEPTLOG -j LOG --log-prefix "iptables:" --log-level\
debug
$IPTABLES -t filter -A ACCEPTLOG -j ACCEPT

the firewall is also a masquerading NAT gateway for about 50 clients. I want
to record all traffic flowing through the gateway, so along with the firewall
rules stated above i have this in my syslog-ng.conf :

destination iptables { file("/var/log/iptables"); };
filter iptables { match("^iptables:"); };
log { source(src); filter(iptables); destination(iptables); };

all very nice, except for the fact that within 24 hours the log grew to 500MB,
which is a little too big. Of course I've configured logrotate to gzip the
file every day, which greatly reduces the size, but I'd much prefer to have
smaller logs with the necessary information still there. Here's an example
from one client, just for a simple request to port 445:

Dec 17 11:33:18 iptables:IN=eth1 OUT=eth0 SRC=192.168.1.220 DST=213.220.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=974 DF PROTO=TCP SPT=32900 DPT=445 WINDOW=10136 RES=0x00 ACK URGP=0

this entry is repeated 10 times per second!!

I've tried different log levels in my firewall but it doesn't seem to change
anything. Would be grateful for any help.

cheers, garvald
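Added example, not part of the post and not syslog-ng or iptables code: a small Python parser for the `iptables:` LOG line format quoted above. It counts logged packets per (SRC, DST, PROTO, DPT) flow and picks out the connection-opening packets (bare TCP SYN, or any non-TCP datagram), which makes visible how many of the lines in such a log describe the same flow. The sample lines are constructed for this example; the addresses, ports and counters are invented.

```python
from collections import Counter

# Constructed sample lines shaped like the iptables LOG entry quoted in the
# post; the addresses, ports and counters are invented for this example.
SAMPLE_LOG = """\
Dec 17 11:33:18 iptables:IN=eth1 OUT=eth0 SRC=192.168.1.220 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=970 DF PROTO=TCP SPT=32900 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 17 11:33:18 iptables:IN=eth1 OUT=eth0 SRC=192.168.1.220 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=974 DF PROTO=TCP SPT=32900 DPT=445 WINDOW=10136 RES=0x00 ACK URGP=0
Dec 17 11:33:18 iptables:IN=eth1 OUT=eth0 SRC=192.168.1.220 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=975 DF PROTO=TCP SPT=32900 DPT=445 WINDOW=10136 RES=0x00 ACK URGP=0
Dec 17 11:33:19 iptables:IN=eth1 OUT=eth0 SRC=192.168.1.221 DST=203.0.113.53 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=1025 DPT=53 LEN=41
Dec 17 11:33:19 iptables:IN=eth1 OUT=eth0 SRC=192.168.1.220 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=976 DF PROTO=TCP SPT=32900 DPT=445 WINDOW=10136 RES=0x00 ACK URGP=0
"""

def parse_line(line):
    """Return {field: value, ..., 'FLAGS': set()} for one LOG line, or None."""
    head, sep, body = line.partition("iptables:")
    if not sep:
        return None
    entry = {"TIME": head.strip(), "FLAGS": set()}
    for tok in body.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            # UDP lines carry LEN twice (IP and UDP); keep the first (IP) one
            entry.setdefault(k, v)
        else:
            entry["FLAGS"].add(tok)  # bare tokens: DF, SYN, ACK, FIN, RST ...
    return entry

def is_new_tcp_connection(entry):
    """A SYN without ACK is the first packet of a TCP connection."""
    return (entry.get("PROTO") == "TCP" and "SYN" in entry["FLAGS"]
            and "ACK" not in entry["FLAGS"])

def flow_counts(text):
    """Count logged packets per (SRC, DST, PROTO, DPT) flow."""
    counts = Counter()
    for line in text.splitlines():
        e = parse_line(line)
        if e:
            counts[(e["SRC"], e["DST"], e["PROTO"], e["DPT"])] += 1
    return counts

def new_connections(text):
    """Connection-opening lines only; every non-TCP datagram counts as one."""
    return [e for e in map(parse_line, text.splitlines())
            if e and (is_new_tcp_connection(e) or e.get("PROTO") != "TCP")]

if __name__ == "__main__":
    for flow, n in flow_counts(SAMPLE_LOG).most_common():
        print(n, *flow)
    print(len(new_connections(SAMPLE_LOG)), "connection-start lines")
```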