[syslog-ng] syslog partially ignores the firewall filter...

Geller, Sandor (IT) Sandor.Geller at morganstanley.com
Mon Feb 11 11:11:00 CET 2008


Hi,
 
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu 
> [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of 
> eial at cs.bgu.ac.il
> Sent: Monday, February 11, 2008 10:53 AM
> To: syslog-ng at lists.balabit.hu
> Subject: [syslog-ng] syslog partially ignores the firewall filter...
> 
> I've set up a firewall and I want to log the rejects to a
> separate log file. I've done that, but I've not been able to drop the
> messages from dmesg; here is my conf file

dmesg shows the contents of the kernel ring buffer; this has nothing to
do with the syslog daemon.

BTW, your conf file could be made more efficient. Instead of matching
against every log message, one could narrow down the filtering to the
kernel facility, using a filter like this:

filter f_firewall {
	facility(kern) and match("Rejected :");
};

If you were using the log-level and log-prefix options of iptables then
a more efficient filter could be set up.

And later, when you're using the final() statement, no messages which
have matched this filter would pass to the second log stanza, so
evaluating a second filter doesn't make sense: it won't match, and only
takes CPU cycles.

Regards,

Sandor
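As an added example (not part of Sandor's reply or of the original poster's configuration), here is a complete syslog-ng configuration built along the lines he describes: the firewall rejects are logged by iptables with a fixed prefix and priority, the filter restricts itself to the kernel facility and that priority before running the regexp, and flags(final) keeps matched messages out of the catch-all stanza. The source definition, the "FW-REJECT: " prefix, the warning priority and the file paths are assumptions.

```conf
# Added example, not the poster's conf file. Names and paths are assumptions.

# Matching iptables rules, shown here only as a comment:
#   iptables -A INPUT -j LOG --log-level warning --log-prefix "FW-REJECT: "
#   iptables -A INPUT -j REJECT

source s_sys {
    unix-stream("/dev/log");
    internal();
    file("/proc/kmsg");          # kernel messages arrive with facility kern
};

# Only kernel messages at the priority given to the LOG target reach the
# regexp, so match() runs on a small fraction of the traffic instead of
# on every message the daemon receives.
filter f_firewall {
    facility(kern) and level(warning) and match("FW-REJECT: ");
};

destination d_firewall { file("/var/log/firewall.log"); };
destination d_messages { file("/var/log/messages"); };

# flags(final): a message that matched here is not handed to the log
# statements below, so the catch-all needs no "not filter(f_firewall)".
log {
    source(s_sys);
    filter(f_firewall);
    destination(d_firewall);
    flags(final);
};

log {
    source(s_sys);
    destination(d_messages);
};
```

The rejects still appear in dmesg, as Sandor notes, because dmesg reads the kernel ring buffer directly; the configuration only decides which files syslog-ng writes them to. Newer syslog-ng releases also let you restrict match() to one field with value("MESSAGE"), which avoids searching the header part of each message.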

