[syslog-ng] iptables syslog-ng logs way too big

Dave Johnson syslog-ng@lists.balabit.hu
Fri, 17 Dec 2004 10:38:08 -0600


Are you logging _all_ your traffic through the firewall? 

If you have requirements to log good traffic (and/or report on it),
then try and only log initial connection setups (this is all done in
iptables configs and is out of the scope of syslog-ng).

However, to point you in the right direction, i.e. maybe try a chain that sequentially:
- connection established rules without logging
- log new connections
- allow these ports/new connections
- deny log
- deny

On Fri, 17 Dec 2004 17:14:09 +0100, Wolfgang Braun
<wolfgang.braun@gmx.de> wrote:
> On Fri, 17.12.2004 at 11:37, garvald@bluemail.ch wrote:
> 
> > hi there
> 
> Hi
> 
> > bit of a problem with too many logs being generated and I'm not sure what
> > to do. I'm using an iptables firewall setup like this:
> >
> > $IPTABLES -t filter -N ACCEPTLOG
> > $IPTABLES -t filter -A ACCEPTLOG -j LOG --log-prefix "iptables:" --log-level debug
> > $IPTABLES -t filter -A ACCEPTLOG -j ACCEPT
> >
> > the firewall is also a masquerading NAT gateway for about 50 clients. I want
> > to record all traffic flowing through the gateway,[...]
> 
> I do something similar but limit the amount of packets being logged by
> 
> iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j LOG
>                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> so I get only one entry (the first packet) per connection; used mainly
> to produce statistics on what ports are being knocked on.
> 
> >  [...] but i'd much prefer to have
> > smaller logs but with the necessary information still there. 
>                             ^^^^^^^^^^^^^^^^^^^^^
> Which leads to my main question:
> 
> What exactly do you do with the logged data? (If you don't mind telling)
> 
> I am currently writing a whitepaper on the use of syslog-ng to build a syslog
> infrastructure (collect logs on a central loghost, dump them into a
> relational DB, get useful information out of the DB).
> The most interesting part so far is the latter, getting something useful
> out of the logs, so I'm very curious what you do with those 500MB+ per
> day.
> 
> > [...] I've tried different log levels in my firewall but it doesn't seem to change
> > anything. Would be grateful for any help.
> 
> The '--log-level debug' parameter you use specifies the priority the
> message gets tagged with, it doesn't change the behaviour of the packet
> filter in any way.
> 
> >
> > cheers, garvald
> 
> Wolfgang
> 
> --
> Wolfgang Braun <wolfgang.braun@gmx.de>, Dipl. Inform. (FH)
> gpg-key: 1024D/4B32CE55
> 
> _______________________________________________
> syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> 
>
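The rule ordering Dave sketches above (established traffic accepted silently, new connections logged once, permitted ports accepted, a logged deny, a deny) combined with Wolfgang's `--state NEW` match, written out as a rule set. This is an added example, not code from any of the posts; the interface names, the permitted ports, the chain names and the `-m limit` rates are assumptions for illustration. The reason garvald's ACCEPTLOG chain logs every packet is that the jump to it happens per packet; putting an ESTABLISHED,RELATED accept in front of the logging jump means only the first packet of each connection ever reaches the LOG rule.

```shell
#!/bin/sh
# Added example, not from any of the posts above: a FORWARD chain for a
# masquerading gateway that logs one line per new connection (and one
# rate-limited line per dropped packet) instead of every packet.
# Interface names, the permitted ports, the chain names and the limit
# values are assumptions for illustration.

IPTABLES=${IPTABLES:-iptables}
LAN_IF=${LAN_IF:-eth1}                 # assumed inside interface
WAN_IF=${WAN_IF:-ppp0}                 # outside interface, as in Wolfgang's rule
ALLOW_TCP=${ALLOW_TCP:-"22 80 443"}    # assumed set of permitted destination ports
DRY_RUN=${DRY_RUN:-1}                  # 1 = print the rules, 0 = apply them (needs root)

# ipt either prints an iptables command (review it before loading) or runs it.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

gateway_rules() {
    # Chain LOGNEW: log once, then accept.  Only NEW packets are ever sent
    # here, so this logs one line per connection, not per packet.  The limit
    # match caps log volume if a host opens thousands of connections.
    ipt -t filter -N LOGNEW
    ipt -t filter -A LOGNEW -m limit --limit 60/minute --limit-burst 200 \
        -j LOG --log-prefix "iptables:new:" --log-level info
    ipt -t filter -A LOGNEW -j ACCEPT

    # Chain LOGDROP: log (rate-limited), then drop.
    ipt -t filter -N LOGDROP
    ipt -t filter -A LOGDROP -m limit --limit 10/minute --limit-burst 50 \
        -j LOG --log-prefix "iptables:drop:" --log-level info
    ipt -t filter -A LOGDROP -j DROP

    # 1. Packets of already-accepted connections: accept without logging.
    #    This must come before any jump to a logging chain.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2+3. New connections from the LAN to permitted ports: log, then accept.
    for port in $ALLOW_TCP; do
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport "$port" \
            -m state --state NEW -j LOGNEW
    done
    # 4+5. Everything else, including INVALID: log, then drop.
    ipt -A FORWARD -j LOGDROP
}

# Print (or, with DRY_RUN=0 as root, load) the rule set.
gateway_rules
```

Run it as-is to review the generated rules, then with `DRY_RUN=0` to load them. The two distinct prefixes (`iptables:new:` and `iptables:drop:`) let syslog-ng route the two classes of message to separate destinations with a `match()` filter rather than parsing one mixed stream. Note what is lost: logging only the first packet records which connections were made, not how much traffic flowed over them; if byte totals are needed, the per-rule counters shown by `iptables -L -v -x` give them without any logging.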