lonegd (Apprentice)
Joined: 07 Dec 2003 Posts: 185 Location: UK
Posted: Fri Feb 02, 2007 1:14 pm Post subject: syslog-ng filter
I'm trying to put iptables logging into a specific file, but the syslog-ng filter I'm using doesn't appear to be working.
Code:
filter f_ipt { level(warn) and facility(kern); };

Looking at the raw syslog, iptables does appear to be logging to kern.warning ... so why is the filter not working?
Code:
2007-02-02T12:47:21+0000 atomant [kern.warning] IN=ppp0 OUT= MAC= SRC=124.228.39.7 DST=x.x.x.x LEN=126 TOS=0x00 PREC=0x00 TTL=103 ID=2301 PROTO=UDP SPT=27401 DPT=32459 LEN=106
2007-02-02T12:48:52+0000 atomant [kern.warning] IN=ppp0 OUT= MAC= SRC=218.241.188.4 DST=x.x.x.x LEN=404 TOS=0x00 PREC=0x00 TTL=98 ID=5989 PROTO=UDP SPT=2362 DPT=1434 LEN=384
2007-02-02T12:49:08+0000 atomant [kern.warning] IN=ppp0 OUT= MAC= SRC=218.92.18.123 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=92 ID=256 PROTO=TCP SPT=6000 DPT=8000 WINDOW=16384 RES=0x00 SYN URGP=0
_________________ Mark Cooper
http://pvrhw.goldfish.org/ - Open Source PVR Hardware Database
PaulBredbury (Watchman)
Joined: 14 Jul 2005 Posts: 7310
Posted: Fri Feb 02, 2007 1:25 pm
Defining a filter is not enough; you have to use it too.
Code:
options {
    chain_hostnames(off);
    sync(0);
    # The default action of syslog-ng 1.6.0 is to log a STATS line
    # to the file every 10 minutes. That's pretty ugly after a while.
    # Change it to every 12 hours so you get a nice daily update of
    # how many messages syslog-ng missed (0).
    stats(43200);
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

# Added cron stuff - http://www.campin.net/syslog-ng.conf
# http://www.balabit.com/products/syslog_ng/reference-1.6/syslog-ng.txt
destination messages { file("/var/log/messages"); };
# Cron has its own log
destination cron { file("/var/log/cron.log"); };

filter f_spamd_info { facility(mail) and program(spamd) and priority(info); };
filter f_getmail_info { facility(mail) and program(getmail) and priority(info); };
filter f_postfix_info { facility(mail) and program(postfix) and priority(info); };
filter f_messages { not facility(cron) and not filter(f_spamd_info) and not filter(f_getmail_info) and not filter(f_postfix_info); };
filter f_cron { facility(cron); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };

# A filter only takes effect once a log statement references it
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); destination(console_all); };
peka (l33t)
Joined: 16 Mar 2005 Posts: 773 Location: Płońsk, Poland
Posted: Fri Feb 02, 2007 1:27 pm
You may want to check out metalog instead. It's not a big change, but it has a lot of filtering in place just with install.
_________________ p3k4
Seize the time, Meribor. Live now; make now always the most precious time. Now will never come again...
Jean-Luc Picard, Star Trek TNG - The Inner Light
lonegd (Apprentice)
Joined: 07 Dec 2003 Posts: 185 Location: UK
Posted: Fri Feb 02, 2007 1:49 pm
Thanks for the help ... it turned out I had the following in the first log rule ...
which causes syslog-ng to stop processing any further log rules ... D'oh!
_________________ Mark Cooper
http://pvrhw.goldfish.org/ - Open Source PVR Hardware Database
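Added example, not code from the thread and not syslog-ng's own code: a small Python model of the routing rule both answers turn on. syslog-ng offers every message to every log {} statement in file order and writes it to each statement whose filters all match; flags(final) on a statement stops that walk for any message it matched, which is the behaviour described in the last post (the thread does not show the actual line, so whether it was flags(final) is an assumption). The file name /var/log/iptables.log, the cron and spamd sample lines and the f_messages_no_ipt variant are assumptions made for the example; the kernel line is the first one quoted in the question.

```python
"""Added example: how syslog-ng walks its log {} statements for one message.

Rule modelled: each message is offered to every log {} statement in file
order and written to every statement whose filters all match; flags(final)
on a statement stops the walk for a message that matched it.  Plain Python,
not syslog-ng's implementation.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Message = Dict[str, str]            # facility, level, program, text
Filter = Callable[[Message], bool]

# Constructed sample input.  The kernel line is the first one quoted in the
# thread; the cron and spamd lines are invented filler.
SAMPLES: List[Message] = [
    {"facility": "kern", "level": "warning", "program": "kernel",
     "text": "IN=ppp0 OUT= MAC= SRC=124.228.39.7 DST=x.x.x.x LEN=126 PROTO=UDP SPT=27401 DPT=32459"},
    {"facility": "cron", "level": "info", "program": "cron",
     "text": "(root) CMD (run-parts /etc/cron.hourly)"},
    {"facility": "mail", "level": "info", "program": "spamd",
     "text": "connection from localhost"},
]

MESSAGES, CRON, TTY12 = "/var/log/messages", "/var/log/cron.log", "/dev/tty12"
IPT = "/var/log/iptables.log"       # assumed name for the firewall log file


# Predicates named after the filter {} statements they stand in for.
def f_ipt(m: Message) -> bool:           # filter f_ipt { level(warn) and facility(kern); };
    return m["level"] == "warning" and m["facility"] == "kern"

def f_cron(m: Message) -> bool:          # filter f_cron { facility(cron); };
    return m["facility"] == "cron"

def f_spamd_info(m: Message) -> bool:    # filter f_spamd_info { facility(mail) and program(spamd) and priority(info); };
    return m["facility"] == "mail" and m["program"] == "spamd" and m["level"] == "info"

def f_messages(m: Message) -> bool:      # filter f_messages { not facility(cron) and not filter(f_spamd_info); };
    return not f_cron(m) and not f_spamd_info(m)

def f_messages_no_ipt(m: Message) -> bool:   # same, plus "and not filter(f_ipt)" (assumed variant)
    return f_messages(m) and not f_ipt(m)


@dataclass
class LogPath:
    """One log { source(src); filter(...); destination(...); [flags(final);] }; statement."""
    filters: List[Filter]
    destinations: List[str]
    final: bool = False


def route(paths: List[LogPath], msg: Message) -> List[str]:
    """Destinations one message reaches, in the order syslog-ng would write them."""
    hit: List[str] = []
    for p in paths:
        if all(f(msg) for f in p.filters):   # several filter() refs in one statement are ANDed
            hit.extend(p.destinations)
            if p.final:                      # flags(final): later statements never see this message
                break
    return hit


def route_all(paths: List[LogPath]) -> Dict[str, List[str]]:
    """Route every sample message; result keyed by program name."""
    return {m["program"]: route(paths, m) for m in SAMPLES}


def defined_but_unused() -> Dict[str, List[str]]:
    """f_ipt is declared but no log {} references it: the thread's first symptom."""
    return route_all([
        LogPath([f_messages], [MESSAGES]),
        LogPath([f_cron], [CRON]),
        LogPath([], [TTY12]),
    ])


def starved_by_final_catch_all() -> Dict[str, List[str]]:
    """The iptables log {} is added last, but the catch-all above it carries flags(final)."""
    return route_all([
        LogPath([f_messages], [MESSAGES], final=True),
        LogPath([f_cron], [CRON]),
        LogPath([f_ipt], [IPT]),
        LogPath([], [TTY12]),
    ])


def working_layout() -> Dict[str, List[str]]:
    """No flags(final); the catch-all excludes firewall lines via not filter(f_ipt) instead."""
    return route_all([
        LogPath([f_ipt], [IPT]),
        LogPath([f_messages_no_ipt], [MESSAGES]),
        LogPath([f_cron], [CRON]),
        LogPath([], [TTY12]),
    ])


if __name__ == "__main__":
    for name, fn in (("unused filter", defined_but_unused),
                     ("final on catch-all", starved_by_final_catch_all),
                     ("working layout", working_layout)):
        print(f"{name}: {fn()}")
```

Two practitioner notes on the real configuration. A catch-all statement with flags(final) placed above the firewall statement does not produce an error; the firewall file simply stays empty while the lines land in /var/log/messages, so after editing, restart syslog-ng and confirm a fresh packet actually appears in the dedicated file. Also, level(warn) matches the single warning priority, which is the iptables LOG target's default --log-level; if that is ever changed on the iptables side the filter stops matching just as silently, so a range such as level(warn..emerg) is the more robust choice.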