View previous topic :: View next topic |
Author |
Message |
eyeswide n00b

Joined: 31 Mar 2005 Posts: 12
|
Posted: Wed Jul 27, 2005 6:03 am Post subject: how to keep dmesg/messeges clean of iptables logs w/ ulogd |
|
|
so you have setup iptables or installed some script to do it for you. now you get 50 messeges an hour informing you how well they are working. so you miss the error message saying your hard disk is about to die
you can prevent that. one way is to turn off the logging, but then you are blind to what's happening in the world.
or you can log them seperately and make them availible to scan for patterns. here's how to do that:
emerge ulogd
check that you have ulog compiled into your kernel (or as a module):
Code: | -> Device Drivers
-> Networking support
-> Networking support
-> Networking options
-> Network packet filtering (replaces ipchains)
-> IP: Netfilter Configuration
-> IP tables support (required for filtering/masq/NAT
<M> ULOG target support |
edit /etc/ulogd.conf
Code: |
your iptables logs are now in /var/log/ulogd.syslogemu
nlgroup 1
logfile /var/log/ulogd.log
loglevel 5
rmem 131071
bufsize 150000
plugin /usr/lib/ulogd/ulogd_BASE.so
syslogfile /var/log/ulogd.syslogemu
syslogsync 1
plugin /usr/lib/ulogd/ulogd_LOGEMU.so
dumpfile /var/log/ulogd.pktlog
|
add it to default
rc-update add ulogd default
start ulogd
/etc/init.d/ulogd start
change your script from saying -j LOG to -j ULOG
shorewall users can add use this example line from /etc/shorewall/policy
note ULOG must be in caps
if you enable sql logging in /etc/ulogd.conf you also can use a php script to monitor things: https://forums.gentoo.org/viewtopic-t-327041-highlight-ulog.html
wide |
|
Back to top |
|
 |
nephros Advocate


Joined: 07 Feb 2003 Posts: 2139 Location: Graz, Austria (Europe - no kangaroos.)
|
Posted: Wed Jul 27, 2005 12:26 pm Post subject: |
|
|
Very useful, thanks!
Finally my /var/log/messages will be flooded only by invalid ssh logins and CDROM media errors!
Useful to note that other options change as well, for example --log-prefix becomes --ulog-prefix.
Check your iptables manpage before rewriting the rules! _________________ Please put [SOLVED] in your topic if you are a moron. |
|
Back to top |
|
 |
Insanity5902 Veteran


Joined: 23 Jan 2004 Posts: 1228 Location: Fort Worth, Texas
|
Posted: Wed Jul 27, 2005 2:51 pm Post subject: |
|
|
I just did something to acheive the same goals just last week using syslog-ng. And in the spirit of Choice, i will share with you:
what I have done is in my iptables use the --log-prefix to add what I want to the line in the logs, and then in my syslog-ng.conf, i set up my destination, the source is the kmesg and then added a filter using the match expression matchin my log-prefix. Kind of hard to explain, so here is what the conf files look like
Code: |
iptables -P INPUT DROP
iptables -A INPUT -i eth0 -j LOG --log-prefix "IPTABLES ETH0 INCOMING DROPPED "
|
this is one of my iptables commands, as a matter of fact it is my last one, with the default policy set to DROP. so my log-prefix is telling me that it is iptables, watching eth0 and that it has dropped the incoming packet. So in my syslog-ng I would have this
Code: |
source kernsrc { file("/proc/kmsg"); };
destination iptables_eth0_drop { file("/var/log/iptables.d/eth0_drop.log"); };
filter f_kern { facility(kern) and not match("IPTABLES"); };
filter f_iptables { match("IPTABLES"); };
filter f_eth0 { match("ETH0"); };
filter f_drop { match("DROP"); };
log { source(kernsrc); filter(f_iptables); filter(f_eth0); filter(f_drop); destination(iptables_eth0_drop); };
|
here I am tellling it to grab the kernel messages, and then setting up the destination for the iptables logs. the f_kern filter line I have modified so that it won't grab the lines with the prefix IPTABLES, and then the next three filters are set up so you can mix and match them the grab the lines you want and move them to certain files. So you can have one log contain all the logs for iptables, and then one for just eth0, one for just the ones that have been dropped, and even set up a critical to have it watch all the ones that come in on port 22. And then you can even add another one to filter out the ones on port 80 and 443 b/c that don't matter as much.
I don't know which way is better but this one is still using just the 2 programs and not interducing anotehr program and conf file.
P.S. I know that the input device is aleady included in the log, i just put in the prefix for the purpose of this example. _________________ Join the adopt an unanswered post initiative today |
|
Back to top |
|
 |
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|