freeballer n00b
Joined: 07 May 2004 Posts: 10
Posted: Wed Jul 14, 2004 3:18 am Post subject: Iptables / syslog-ng --> logging to another file
I might have missed this doc here @ gentoo.org, but I would like my iptables to log its information via syslog-ng to another file (e.g. iptables).
I know this has to be configured in syslog, but I cannot find info on exactly how to do it with iptables...
I need a little help.
Thanks for your time,
Geoff
spudicus Apprentice
Joined: 05 Dec 2002 Posts: 177 Location: Geraldton, Australia
Posted: Wed Jul 14, 2004 4:32 am
Configure iptables to log with the following example message:
Code:
iptables -A INPUT -j LOG --log-prefix "Iptables: "

Configure syslog-ng to match and log the above message:
Code:
destination d_fwall { file("/var/log/firewall.log"); };
filter f_fwall {
    match("Iptables:");
};
log { source(src); filter(f_fwall); destination(d_fwall); };

Note: The iptables matches will still get logged to /var/log/{messages,syslog}, but also to their own file. If this behaviour is undesirable you could do something like:
Code:
filter f_nofwall {
    not match("Iptables:");
};
# f_messages stands for whatever filter already guards your messages log statement
log { source(src); filter(f_messages); filter(f_nofwall); destination(messages); };
029ah n00b
Joined: 14 Sep 2003 Posts: 15 Location: Moscow
Posted: Wed Jul 14, 2004 11:29 am
I guess it's better to use the ulogd daemon and the ULOG action, like:
Code:
iptables -A INPUT -p TCP --dport 22 -j ULOG
affinity n00b
Joined: 01 Jul 2004 Posts: 66
Posted: Wed Jul 14, 2004 12:17 pm
spudicus wrote:
    Note: The iptables matches will still get logged to /var/log/{messages,syslog}, but also to their own file. If this behaviour is undesirable you could do something like:
    Code:
    filter f_nofwall {
        not match("Iptables:");
    };
    log { source(src); filter(f_messages); filter(f_nofwall); destination(messages); };

or you could do something like:
Code:
log { source(src); filter(f_fwall); destination(d_fwall); flags(final); };

You could also just match something like IN= instead of adding a log-prefix.
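An added example, not taken from any post in this thread: a small Python model of how syslog-ng walks its log statements, so the variants discussed above (spudicus's plain extra copy, the f_nofwall filter on the messages statement, and affinity's flags(final)) can be compared on the same input. The sample lines are constructed, and the statement orderings are assumptions chosen to illustrate the behaviour; the model implements only the documented rule that a message is delivered to every log statement whose filters all pass, and that flags(final) stops later statements from seeing that message.

```python
import re
from typing import Callable, Dict, List, Tuple

Filter = Callable[[str], bool]
# One syslog-ng log statement: (filters that must all pass, destination, flags(final) set?)
Statement = Tuple[List[Filter], str, bool]

# Constructed sample lines (not real captures), in the shape syslog-ng receives them.
SAMPLE_LINES: List[str] = [
    "Jul 14 03:18:01 gw kernel: Iptables: IN=eth0 OUT= SRC=192.0.2.10 "
    "DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=22 SYN",
    "Jul 14 03:18:05 gw sshd[1234]: Accepted publickey for geoff from "
    "203.0.113.7 port 40022 ssh2",
    "Jul 14 03:20:00 gw syslog-ng[987]: STATS: dropped 0",
]


def match(pattern: str) -> Filter:
    """syslog-ng match(): an unanchored regular expression over the message."""
    regex = re.compile(pattern)
    return lambda msg: regex.search(msg) is not None


def not_(flt: Filter) -> Filter:
    """syslog-ng 'not' in front of a filter expression."""
    return lambda msg: not flt(msg)


F_FWALL: Filter = match("Iptables:")          # filter f_fwall { match("Iptables:"); };
F_NOFWALL: Filter = not_(match("Iptables:"))  # filter f_nofwall { not match("Iptables:"); };


def route(lines: List[str], statements: List[Statement]) -> Dict[str, List[str]]:
    """Deliver each line to every statement whose filters all pass.

    Statements are tried in file order; flags(final) ends processing of the
    current line after the first statement that matches it.
    """
    delivered: Dict[str, List[str]] = {}
    for line in lines:
        for filters, dest, final in statements:
            if all(flt(line) for flt in filters):
                delivered.setdefault(dest, []).append(line)
                if final:
                    break
    return delivered


def firewall_lines_in(delivered: Dict[str, List[str]], dest: str) -> int:
    """How many iptables lines ended up in a given destination."""
    return sum(1 for line in delivered.get(dest, []) if "Iptables:" in line)


# spudicus's first answer: a copy goes to firewall.log, messages still gets everything.
COPY_ONLY: List[Statement] = [([F_FWALL], "firewall.log", False),
                              ([], "messages", False)]
# f_nofwall guarding the messages statement.
NOFWALL: List[Statement] = [([F_NOFWALL], "messages", False),
                            ([F_FWALL], "firewall.log", False)]
# flags(final) on the firewall statement, listed before the catch-all.
FINAL_FIRST: List[Statement] = [([F_FWALL], "firewall.log", True),
                                ([], "messages", False)]
# The same flags(final) listed after the catch-all: final has nothing left to stop.
FINAL_LAST: List[Statement] = [([], "messages", False),
                               ([F_FWALL], "firewall.log", True)]
# f_fwall and f_nofwall on one statement can never both pass; nothing is delivered.
CONTRADICTION: List[Statement] = [([F_FWALL, F_NOFWALL], "messages", False)]

CONFIGS = {"copy_only": COPY_ONLY, "nofwall": NOFWALL, "final_first": FINAL_FIRST,
           "final_last": FINAL_LAST, "contradiction": CONTRADICTION}

if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        out = route(SAMPLE_LINES, cfg)
        print(f"{name:14s}", {dest: len(lines) for dest, lines in out.items()},
              "iptables lines in messages:", firewall_lines_in(out, "messages"))
```

The order of the log statements matters for flags(final): it only helps when the firewall statement comes before the catch-all, which is why the "final last" variant still leaks iptables lines into messages, and why stacking f_fwall and f_nofwall on one statement delivers nothing at all.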
freeballer n00b
Joined: 07 May 2004 Posts: 10
Posted: Fri Jul 16, 2004 10:53 pm Post subject: thanks
Thanks all for the replies,
it seems to be working fine now.
iGMAS Tux's lil' helper
Joined: 09 May 2004 Posts: 83
Posted: Sun Jul 18, 2004 3:58 pm
I can't get the code to work as I want. It logs iptables stuff to /var/log/firewall.log, but it also logs it to syslog.log.
Code:
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.3 2003/05/12 22:43:48 msterret Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett
options {
    long_hostnames(off);
    sync(0);
    # The default action of syslog-ng 1.6.0 is to log a STATS line
    # to the file every 10 minutes. That's pretty ugly after a while.
    # Change it to every 12 hours so you get a nice daily update of
    # how many messages syslog-ng missed (0).
    stats(43200);
};
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
destination messages { file("/var/log/messages"); };
# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };
destination d_fwall { file("/var/log/firewall.log"); };
filter f_fwall {
    match("Iptables:");
};
filter f_nofwall {
    not match("Iptables:");
};
log { source(src); filter(f_fwall); filter(f_nofwall); destination(messages); };
log { source(src); filter(f_fwall); destination(d_fwall); };
log { source(src); filter(f_fwall); destination(d_fwall); flags(final); };
affinity n00b
Joined: 01 Jul 2004 Posts: 66
Posted: Sun Jul 18, 2004 6:31 pm
syslog.log?
By the way, you're supposed to do it like this:
Code:
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.3 2003/05/12 22:43:48 msterret Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett
options {
    long_hostnames(off);
    sync(0);
    # The default action of syslog-ng 1.6.0 is to log a STATS line
    # to the file every 10 minutes. That's pretty ugly after a while.
    # Change it to every 12 hours so you get a nice daily update of
    # how many messages syslog-ng missed (0).
    stats(43200);
};
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
destination messages { file("/var/log/messages"); };
# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };
destination d_fwall { file("/var/log/firewall.log"); };
filter f_fwall {
    match("Iptables:");
};
# the final statement must come before the catch-all for flags(final) to have any effect
log { source(src); filter(f_fwall); destination(d_fwall); flags(final); };
log { source(src); destination(messages); };

or like this:
Code:
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.3 2003/05/12 22:43:48 msterret Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett
options {
    long_hostnames(off);
    sync(0);
    # The default action of syslog-ng 1.6.0 is to log a STATS line
    # to the file every 10 minutes. That's pretty ugly after a while.
    # Change it to every 12 hours so you get a nice daily update of
    # how many messages syslog-ng missed (0).
    stats(43200);
};
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
destination messages { file("/var/log/messages"); };
# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };
destination d_fwall { file("/var/log/firewall.log"); };
filter f_fwall {
    match("Iptables:");
};
filter f_nofwall {
    not match("Iptables:");
};
log { source(src); filter(f_nofwall); destination(messages); };
log { source(src); filter(f_fwall); destination(d_fwall); };
iGMAS Tux's lil' helper
Joined: 09 May 2004 Posts: 83
Posted: Mon Jul 19, 2004 8:23 pm
syslog-ng still writes the iptables: lines to /var/log/syslog, and syslog doesn't change to a new log and zip the log from yesterday anymore.
spudicus Apprentice
Joined: 05 Dec 2002 Posts: 177 Location: Geraldton, Australia
Posted: Tue Jul 20, 2004 3:45 am
You need to filter out logging to the syslog and messages logfiles:
Code:
filter f_crap {
    # 'and', not 'or': with 'or' every line would pass, since no single line fails both matches
    not match("]: STATS: dropped 0$")
    and not match("(iptables|Iptables)");
};
# f_messages, f_syslog and destination syslog are assumed to be defined elsewhere in your config
log { source(src); filter(f_messages); filter(f_crap); destination(messages); };
log { source(src); filter(f_syslog); filter(f_crap); destination(syslog); };

This filters out the iptables lines and some syslog-ng redundancy. As posted previously, you can match on the "IN=" expression of an iptables rule match. I chose to specify the logging prefix explicitly as "iptables", just in case something else matches "IN=".
Since this post was posted, I've taken 029ah's advice and installed ulogd. The relevant ulog module needs to be compiled in for it to work, but it automatically logs to ulogd.syslogemu, and considering it's designed for iptables logging, I assumed it was the better option to take (note: you still need to stop the iptables logging from going to the syslog/messages logfiles).
There is a certain amount of redundancy between the syslog and messages (and other) logfiles that would almost indicate they could be combined into one entry; however, other programs may depend on either file, and therefore I live with this redundancy.
In regards to your log rotation: is
Code:
/etc/init.d/syslog-ng reload
working OK? Has anything changed in /etc/logrotate.d/syslog-ng?
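An added example, not from the thread: a parser for the kernel LOG lines that the rule in the first reply produces, keyed on the explicit "Iptables: " prefix rather than on "IN=", and a tally of hits per source address and destination port, which is the first thing you want out of /var/log/firewall.log when checking whether a host is being probed. All sample lines are constructed; the LOGIN= line from a hypothetical acctd daemon is invented only to show that match("IN=") is a plain substring match and not specific to netfilter, which is the reason given above for preferring the prefix.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

LOG_PREFIX = "Iptables: "   # as set by --log-prefix "Iptables: "

# Constructed sample syslog lines (not real captures). Field layout follows the
# kernel LOG target's output; addresses are from the documentation ranges.
SAMPLE_LINES: List[str] = [
    "Jul 14 03:18:01 gw kernel: Iptables: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 "
    "WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jul 14 03:18:02 gw kernel: Iptables: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=22 "
    "WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jul 14 03:18:03 gw kernel: Iptables: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.44 DST=198.51.100.5 "
    "LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=4321 PROTO=UDP SPT=5353 DPT=5353 LEN=48",
    "Jul 14 03:18:05 gw sshd[1234]: Accepted publickey for geoff from "
    "203.0.113.7 port 40022 ssh2",
    # Hypothetical daemon; present only because "LOGIN=" contains "IN=".
    "Jul 14 03:18:09 gw acctd[77]: LOGIN=geoff TTY=tty1 RESULT=ok",
    "Jul 14 03:20:00 gw syslog-ng[987]: STATS: dropped 0",
]

# "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
FLAG_WORDS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}


def parse_iptables_line(line: str) -> Optional[Dict[str, object]]:
    """Return the LOG fields of one iptables line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if m is None or m.group("prog") != "kernel":
        return None
    msg = m.group("msg")
    if not msg.startswith(LOG_PREFIX):
        return None
    body = msg[len(LOG_PREFIX):]
    rec: Dict[str, object] = {"ts": m.group("ts"), "host": m.group("host")}
    # KEY=value pairs; a repeated key (LEN= for IP and again for UDP) keeps the last value.
    rec.update(KV_RE.findall(body))
    # Bare words such as DF or SYN carry no '='; collect them separately.
    rec["flags"] = sorted(w for w in body.split() if w in FLAG_WORDS)
    return rec


def count_matching(lines: List[str], pattern: str) -> int:
    """What syslog-ng's match(pattern) would select: an unanchored regex over the line."""
    regex = re.compile(pattern)
    return sum(1 for line in lines if regex.search(line))


def tally_by_src_and_port(lines: List[str]) -> Counter:
    """Hits per (SRC, PROTO, DPT): the quick 'who is knocking on what' view."""
    tally: Counter = Counter()
    for line in lines:
        rec = parse_iptables_line(line)
        if rec is not None:
            tally[(rec.get("SRC"), rec.get("PROTO"), rec.get("DPT"))] += 1
    return tally


if __name__ == "__main__":
    print('match("IN="):      ', count_matching(SAMPLE_LINES, "IN="), "lines")
    print('match("Iptables:"):', count_matching(SAMPLE_LINES, "Iptables:"), "lines")
    for key, n in tally_by_src_and_port(SAMPLE_LINES).most_common():
        print(f"{n:3d}  SRC={key[0]} PROTO={key[1]} DPT={key[2]}")
```

Matching on "IN=" picks up the constructed LOGIN= line as well as the three firewall lines, while the prefix check selects exactly the kernel LOG output; the same parser is the starting point for anything you later want to do with firewall.log, whether that is counting SYNs per source or feeding the records into a blocklist.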
iGMAS Tux's lil' helper
Joined: 09 May 2004 Posts: 83
Posted: Fri Jul 23, 2004 4:21 am
Code:
/var/log/messages {
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
    endscript
}

But when I try to test-execute the logrotate config I get this error message:
Code:
/etc/logrotate.d/syslog-ng: line 7: /var/log/messages: Permission denied
/etc/logrotate.d/syslog-ng: line 8: sharedscripts: command not found
/etc/logrotate.d/syslog-ng: line 9: postrotate: command not found
/etc/logrotate.d/syslog-ng: line 11: endscript: command not found
/etc/logrotate.d/syslog-ng: line 12: syntax error near unexpected token `}'
/etc/logrotate.d/syslog-ng: line 12: `}'
spudicus Apprentice
Joined: 05 Dec 2002 Posts: 177 Location: Geraldton, Australia
Posted: Fri Jul 23, 2004 5:07 am
You don't run /etc/logrotate.d/syslog-ng directly. It's there to be used by logrotate.
How do you usually rotate your logs? Using logrotate?
Has anything changed in /etc/logrotate.conf?
Have your cron jobs changed in any way?
It may be worth posting your entire syslog-ng.conf file, in case it's responsible.
iGMAS Tux's lil' helper
Joined: 09 May 2004 Posts: 83
Posted: Fri Jul 23, 2004 9:56 am
syslog-ng conf:
Code:
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gen$
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett
options {
    long_hostnames(off);
    sync(0);
    # The default action of syslog-ng 1.6.0 is to log a STATS line
    # to the file every 10 minutes. That's pretty ugly after a while.
    # Change it to every 12 hours so you get a nice daily update of
    # how many messages syslog-ng missed (0).
    stats(43200);
};
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
destination messages { file("/var/log/messages"); };
# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };
destination d_fwall { file("/var/log/firewall.log"); };
filter f_fwall {
    match("Iptables:");
};
log { source(src); filter(f_fwall); destination(d_fwall); flags(final); };
log { source(src); destination(messages); };
filter f_crap {
    not match("]: STATS: dropped 0$")
    or not match("(iptables|Iptables)");
};
log { source(src); filter(f_messages); filter(f_crap); destination(messages); };
log { source(src); filter(f_syslog); filter(f_crap); destination(syslog); };

/etc/logrotate.conf <-- I don't have that.
And how I usually rotate my logs, I don't know. It has worked before, but after I started with the iptables logging it broke somehow.
spudicus Apprentice
Joined: 05 Dec 2002 Posts: 177 Location: Geraldton, Australia
Posted: Fri Jul 23, 2004 12:36 pm
Firstly I'd change syslog-ng.conf slightly to:
Code:
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gen$
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett
options {
    long_hostnames(off);
    sync(0);
    # The default action of syslog-ng 1.6.0 is to log a STATS line
    # to the file every 10 minutes. That's pretty ugly after a while.
    # Change it to every 12 hours so you get a nice daily update of
    # how many messages syslog-ng missed (0).
    stats(43200);
};
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
destination messages { file("/var/log/messages"); };
# the second file needs its own destination name; it is referenced as destination(syslog) below
destination syslog { file("/var/log/syslog"); };
# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };
destination d_fwall { file("/var/log/firewall.log"); };
filter f_fwall {
    match("Iptables:");
};
log { source(src); filter(f_fwall); destination(d_fwall); };
# f_messages and f_syslog are referenced below but never declared in this thread;
# these permissive definitions are assumed so that the file loads. Tighten them to taste.
filter f_messages { level(info..emerg); };
filter f_syslog { level(info..emerg); };
filter f_crap {
    # 'and', not 'or': with 'or' every line would pass, since no single line fails both matches
    not match("]: STATS: dropped 0$")
    and not match("(iptables|Iptables)");
};
log { source(src); filter(f_messages); filter(f_crap); destination(messages); };
log { source(src); filter(f_syslog); filter(f_crap); destination(syslog); };

I've added an entry that specifies the destination to log syslog to, i.e. /var/log/syslog. Also I've removed the flags(final); entry. As affinity stated, you either use flags(final) or filter out the unwanted junk. I also removed the extra log line that was logging to /var/log/messages. You can see a more comprehensive syslog-ng.conf here.
iGMAS wrote:
    /etc/logrotate.conf <-- I don't have that.
    And how I usually rotate my logs, I don't know. It has worked before, but after I started with the iptables logging it broke somehow.

I don't know how the above rules are breaking log rotation. Usually to get syslog-ng to rotate logs you need to specify a logfile with a date, as outlined here. However, you can emerge logrotate, which will add /etc/logrotate.conf. This can then be altered to suit your needs. This page here could help set that up.