[syslog-ng] syslog partially ignores the firewall filter...

Matt Cuttler mcuttler at bnl.gov
Mon Feb 25 00:04:50 CET 2008


eial at cs.bgu.ac.il wrote:
> OK, unfortunately, none of this has helped me.
> What I want to do is simple:
> 1. I want to log all iptables rejects to a different log [Done]
> 2. I want all iptables rejects NOT to show in messages <=== that I can't seem to do.
> That's what I'm trying to do, but without any success.
>

If you've already got the matching for iptables logging working, all 
you're missing is either the flags(final) option (as previously mentioned in the 
thread) or the order of the log statements, or both:

Assuming your source name is 'src', and you want logging to 
/var/log/firewall.(YYYY)-(MM)-(DD):


-First part of your conf file is your destinations:
destination d_firewall { file("/var/log/firewall.$YEAR-$MONTH-$DAY" 
owner("root") group("adm") perm(0640)); };

-Second part of your conf file is your filter (courtesy of Sandor):
filter f_firewall { facility(kern) and match("Rejected :"); };

-Third part of your conf file is the log statements. Use this one first 
and give it flags(final):
log { source(src); filter(f_firewall); destination(d_firewall); 
flags(final); };

(all of your other "log" statements go below this one; iptables messages 
will not get logged anywhere else).


-Matt Cuttler

> On Mon 11 Feb 12:11 2008 Geller  Sandor (IT) wrote:
>> Hi,
>>> -----Original Message-----
>>> From: syslog-ng-bounces at lists.balabit.hu 
>>> [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of 
>>> eial at cs.bgu.ac.il
>>> Sent: Monday, February 11, 2008 10:53 AM
>>> To: syslog-ng at lists.balabit.hu
>>> Subject: [syslog-ng] syslog partially ignores the firewall filter...
>>>
>>> I've set up a firewall and I want to log the rejects to a 
>>> separate log file. I've done that, but I've not been able to drop the
>>> messages from dmesg. Here is my conf file
>>>
>> dmesg shows the contents of the kernel ring buffer; this has nothing to
>> do with the syslog daemon.
>>
>> BTW, your conffile could be made more efficient. Instead of matching
>> against every log message, one could narrow down the filtering to the
>> kernel facility, using a filter like this:
>>
>> filter f_firewall {
>> 	facility(kern) and match("Rejected :");
>> };
>>
>> If you were using the log-level and log-prefix options of iptables, then
>> a more efficient filter could be set up.
>>
>> And later, when you're using the final() statement, no message which has
>> matched this filter would pass to the second log stanza, so evaluating
>> a second filter there doesn't make sense: it won't match and only takes
>> CPU cycles.
>>


-- 

---
Matt Cuttler
mcuttler {at} bnl {.} gov
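A small model of the behaviour Matt and Sandor describe above (log statements evaluated in order, flags(final) stopping the walk for messages the filter accepted), added here as an illustration. It is not syslog-ng's own code; the sample messages, file names and message text are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Message:
    facility: str   # syslog facility, e.g. "kern"
    text: str

@dataclass
class LogStatement:
    filt: Optional[Callable[[Message], bool]]   # None = no filter (match all)
    destination: str
    final: bool = False                         # models flags(final)

def f_firewall(msg: Message) -> bool:
    """Mirrors: filter f_firewall { facility(kern) and match("Rejected :"); };"""
    return msg.facility == "kern" and re.search(r"Rejected :", msg.text) is not None

def route(statements, messages):
    """Run every message through the log statements in order and return
    {destination: [message texts]}.  A statement whose filter accepts the
    message and that carries flags(final) ends the walk, so statements
    listed below it never see that message."""
    out = {s.destination: [] for s in statements}
    for msg in messages:
        for stmt in statements:
            if stmt.filt is not None and not stmt.filt(msg):
                continue
            out[stmt.destination].append(msg.text)
            if stmt.final:
                break
    return out

# Constructed sample messages: one iptables reject, one other kernel line,
# one non-kernel line.
SAMPLE = [
    Message("kern", "Rejected : IN=eth0 OUT= SRC=192.0.2.5 DST=198.51.100.7"),
    Message("kern", "eth0: link is up"),
    Message("auth", "sshd[123]: Accepted publickey for alice"),
]

def recommended_order():
    """Matt's layout: f_firewall first with flags(final), catch-all below it."""
    stmts = [LogStatement(f_firewall, "/var/log/firewall", final=True),
             LogStatement(None, "/var/log/messages")]
    return route(stmts, SAMPLE)

def missing_final():
    """Same order but without flags(final): the reject is logged twice."""
    stmts = [LogStatement(f_firewall, "/var/log/firewall"),
             LogStatement(None, "/var/log/messages")]
    return route(stmts, SAMPLE)
```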
