Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
how to keep dmesg/messeges clean of iptables logs w/ ulogd
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
eyeswide
n00b
n00b


Joined: 31 Mar 2005
Posts: 12

PostPosted: Wed Jul 27, 2005 6:03 am    Post subject: how to keep dmesg/messeges clean of iptables logs w/ ulogd Reply with quote

so you have setup iptables or installed some script to do it for you. now you get 50 messeges an hour informing you how well they are working. so you miss the error message saying your hard disk is about to die :o

you can prevent that. one way is to turn off the logging, but then you are blind to what's happening in the world.

or you can log them seperately and make them availible to scan for patterns. here's how to do that:

emerge ulogd

check that you have ulog compiled into your kernel (or as a module):
Code:
     -> Device Drivers                                             
       -> Networking support                                               
         -> Networking support                               
           -> Networking options                                         
             -> Network packet filtering (replaces ipchains)
               -> IP: Netfilter Configuration                             
                 -> IP tables support (required for filtering/masq/NAT
                      <M>   ULOG target support


edit /etc/ulogd.conf
Code:


your iptables logs are now in /var/log/ulogd.syslogemu

nlgroup 1
logfile /var/log/ulogd.log
loglevel 5
rmem 131071
bufsize 150000
plugin /usr/lib/ulogd/ulogd_BASE.so
syslogfile /var/log/ulogd.syslogemu
syslogsync 1
plugin /usr/lib/ulogd/ulogd_LOGEMU.so
dumpfile /var/log/ulogd.pktlog



add it to default
rc-update add ulogd default
start ulogd
/etc/init.d/ulogd start

change your script from saying -j LOG to -j ULOG

shorewall users can add use this example line from /etc/shorewall/policy
note ULOG must be in caps
Code:

net             all             DROP            ULOG


if you enable sql logging in /etc/ulogd.conf you also can use a php script to monitor things: https://forums.gentoo.org/viewtopic-t-327041-highlight-ulog.html

wide
Back to top
View user's profile Send private message
nephros
Advocate
Advocate


Joined: 07 Feb 2003
Posts: 2139
Location: Graz, Austria (Europe - no kangaroos.)

PostPosted: Wed Jul 27, 2005 12:26 pm    Post subject: Reply with quote

Very useful, thanks!

Finally my /var/log/messages will be flooded only by invalid ssh logins and CDROM media errors!

Useful to note that other options change as well, for example --log-prefix becomes --ulog-prefix.
Check your iptables manpage before rewriting the rules!
_________________
Please put [SOLVED] in your topic if you are a moron.
Back to top
View user's profile Send private message
Insanity5902
Veteran
Veteran


Joined: 23 Jan 2004
Posts: 1228
Location: Fort Worth, Texas

PostPosted: Wed Jul 27, 2005 2:51 pm    Post subject: Reply with quote

I just did something to acheive the same goals just last week using syslog-ng. And in the spirit of Choice, i will share with you:

what I have done is in my iptables use the --log-prefix to add what I want to the line in the logs, and then in my syslog-ng.conf, i set up my destination, the source is the kmesg and then added a filter using the match expression matchin my log-prefix. Kind of hard to explain, so here is what the conf files look like

Code:

iptables -P INPUT DROP
iptables -A INPUT -i eth0 -j LOG --log-prefix "IPTABLES ETH0 INCOMING DROPPED "


this is one of my iptables commands, as a matter of fact it is my last one, with the default policy set to DROP. so my log-prefix is telling me that it is iptables, watching eth0 and that it has dropped the incoming packet. So in my syslog-ng I would have this

Code:

source kernsrc  { file("/proc/kmsg"); };
destination iptables_eth0_drop { file("/var/log/iptables.d/eth0_drop.log"); };
filter f_kern { facility(kern) and not match("IPTABLES"); };
filter f_iptables { match("IPTABLES"); };
filter f_eth0 { match("ETH0"); };
filter f_drop { match("DROP"); };
log { source(kernsrc); filter(f_iptables); filter(f_eth0); filter(f_drop); destination(iptables_eth0_drop); };


here I am tellling it to grab the kernel messages, and then setting up the destination for the iptables logs. the f_kern filter line I have modified so that it won't grab the lines with the prefix IPTABLES, and then the next three filters are set up so you can mix and match them the grab the lines you want and move them to certain files. So you can have one log contain all the logs for iptables, and then one for just eth0, one for just the ones that have been dropped, and even set up a critical to have it watch all the ones that come in on port 22. And then you can even add another one to filter out the ones on port 80 and 443 b/c that don't matter as much.

I don't know which way is better but this one is still using just the 2 programs and not interducing anotehr program and conf file.

P.S. I know that the input device is aleady included in the log, i just put in the prefix for the purpose of this example.
_________________
Join the adopt an unanswered post initiative today
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum