Zorn1981 (n00b)
Joined: 17 Jan 2004, Posts: 55
Posted: Tue Mar 30, 2004 8:22 pm, Post subject: shorewall and syslog-ng -- trouble with logging
I use shorewall and I want to log the output of shorewall.
This is my syslog-ng configuration file; it doesn't work.
Code:
# $Header: /home/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.3 2003/05/12 22:43:48 msterret Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett
options {
long_hostnames(off);
sync(0);
# The default action of syslog-ng 1.6.0 is to log a STATS line
# to the file every 10 minutes. That's pretty ugly after a while.
# Change it to every 12 hours so you get a nice daily update of
# how many messages syslog-ng missed (0).
stats(43200);
};
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
source kernsrc { file("/proc/kmsg"); };
#destination messages { file("/var/log/messages"); };
#define destinations
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination mail { file("/var/log/mail.log"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
destination xconsole { pipe("/dev/xconsole"); };
destination d_shorewall_warn { file("/var/log/shorewall/warn.log"); };
destination d_shorewall_info { file("/var/log/shorewall/info.log"); };
#create filters
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_failed { match("failed"); };
filter f_denied { match("denied"); };
filter f_shorewall_warn { level(warn) and match ("Shorewall:"); };
filter f_shorewall_info { level(warn) and match("Shorewall:"); };
#connect filter and destination
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
log { source(src); filter(f_shorewall_info); destination(d_shorewall_info); };
log { source(src); filter(f_shorewall_warn); destination(d_shorewall_warn); };
#default log
log { source(src); destination(console_all); };
:(
Chris W (l33t)
Joined: 25 Jun 2002, Posts: 972, Location: Brisbane, Australia
Posted: Tue Mar 30, 2004 11:02 pm
One of your two Shorewall filters is incorrect: 'warn' instead of 'info'.
The source for Shorewall output should be 'source{kernsrc}'.
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein
Zorn1981 (n00b)
Joined: 17 Jan 2004, Posts: 55
Posted: Wed Mar 31, 2004 8:52 am
Thanks, but it doesn't work!
Can I stop and restart syslog-ng without rebooting?
bye
Z81
asimon (l33t)
Joined: 27 Jun 2002, Posts: 979, Location: Germany, Old Europe
Posted: Wed Mar 31, 2004 9:44 am
With '/etc/init.d/syslog-ng reload', syslog-ng reloads its config file, closes, and reopens its file handles, which essentially is a 'restart'.
I use this to log my shorewall/ipfilter stuff:
Code:
filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };
destination iptables { file("/var/log/iptables.log"); };
log { source(src); filter(f_iptables); destination(iptables); };
Possibilities why your schema doesn't work:
* Is the ":" in match("Shorewall:") allowed there? It could be a character that has a special meaning in this regular expression.
* Maybe you use wrong log levels; log levels can be configured in /etc/shorewall/shorewall.conf
* Is your shorewall.conf configured in such a way that it prefixes log messages with "Shorewall:"? Maybe it isn't.
* Some reason I don't see right now ;-)
Zorn1981 (n00b)
Joined: 17 Jan 2004, Posts: 55
Posted: Wed Mar 31, 2004 12:07 pm
I've tried your version (mr. Burn). It works!
Thanks
Marco
zeek (Guru)
Joined: 16 Nov 2002, Posts: 480, Location: Bantayan Island
Posted: Thu Apr 01, 2004 6:06 am
Unrelated to the original question, what about ULOGD?
I never quite understood its existence, or if it was any better at anything?
Zorn1981 (n00b)
Joined: 17 Jan 2004, Posts: 55
Posted: Thu Apr 01, 2004 3:13 pm
Good question zeek!
Could someone drop a line to explain differences between ULOGD and syslog-ng and other log systems? Which is better? Why?
I use a (super)karamba app to view my log files in real time. I think there are better tools somewhere. Any advice?
bye
Z81
asimon (l33t)
Joined: 27 Jun 2002, Posts: 979, Location: Germany, Old Europe
Posted: Thu Apr 01, 2004 3:31 pm
A quick look at the ulogd webpage (I hadn't heard of ulogd before) shows that it's no replacement for system loggers like syslog-ng, sysklog, metalog, etc. ulogd is for iptables logging only and cannot replace the other logging facilities. It looks like it's much more flexible than syslog-ng and friends; it supports more protocols and output formats. The iptables log messages are sent to the ulogd daemon, which for example can then write the iptables log messages into an SQL database. This is surely interesting for large sites, which can then do sophisticated SQL queries to analyze their firewall traffic.
Zorn1981 (n00b)
Joined: 17 Jan 2004, Posts: 55
Posted: Thu Apr 01, 2004 4:22 pm
Thanks!
trumee (Guru)
Joined: 02 Mar 2003, Posts: 551, Location: London, UK
Posted: Wed Jun 02, 2004 6:10 pm
I am stuck with the same problem, even after using asimon's script. There is no iptables.log file and still everything is being dumped on /var/log/messages. Here is my /etc/syslog-ng/syslog-ng.conf
Code:
# $Header: /home/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.3 2003/05/12 22:43:48 msterret Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett
options {
long_hostnames(off);
sync(0);
# The default action of syslog-ng 1.6.0 is to log a STATS line
# to the file every 10 minutes. That's pretty ugly after a while.
# Change it to every 12 hours so you get a nice daily update of
# how many messages syslog-ng missed (0).
stats(43200);
};
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
source kernsrc { file("/proc/kmsg"); };
#destination messages { file("/var/log/messages"); };
#define destinations
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination mail { file("/var/log/mail.log"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
destination xconsole { pipe("/dev/xconsole"); };
destination d_shorewall_warn { file("/var/log/shorewall/warn.log"); };
destination d_shorewall_info { file("/var/log/shorewall/info.log"); };
#create filters
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_failed { match("failed"); };
filter f_denied { match("denied"); };
#connect filter and destination
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };
destination iptables { file("/var/log/iptables.log"); };
log { source(src); filter(f_iptables); destination(iptables); };
#default log
log { source(src); destination(console_all); };
What is going wrong?
Thanks
trumee (Guru)
Joined: 02 Mar 2003, Posts: 551, Location: London, UK
Posted: Wed Jun 02, 2004 8:36 pm
Got it working. Thanks
asimon (l33t)
Joined: 27 Jun 2002, Posts: 979, Location: Germany, Old Europe
Posted: Wed Jun 02, 2004 8:40 pm
trumee wrote: "What is going wrong?"
The config looks good, I don't see anything wrong. Did you restart or reload syslog-ng after changing its configuration, i.e. '/etc/init.d/syslog-ng reload'? Otherwise it will still use its old configuration.
But even if it works, the iptables log messages will still go into messages. They are just filtered additionally into iptables.log. If you don't want them in messages, things will get a little bit more complicated: you have to exclude them in the message filter. Something like
Code:
filter f_messages { not facility(auth, authpriv, mail, news) and
    not (facility(kern) and match("IN=") and match("OUT=")); };
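The filter semantics behind asimon's two replies (selecting Shorewall/iptables messages by facility, level and match(), then excluding them again from f_messages), as an added Python model that is neither part of this thread nor syslog-ng's own code: it re-implements facility(), level() and match() over constructed sample messages so you can see which lines each filter from the thread would actually route, including why the original post's level(warn) filter never sees info-level Shorewall lines. The sample messages, the helper names and the level aliases are assumptions made for this example.

```python
import re

# Syslog severities in priority order; syslog-ng accepts "warn" for "warning".
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIAS = {"warn": "warning", "error": "err", "panic": "emerg"}

def facility(*names):
    return lambda m: m["facility"] in names

def level(spec):
    # "info" or a syslog-ng range such as "info..warn" (inclusive, either order)
    lo, _, hi = spec.partition("..")
    lo = LEVELS.index(ALIAS.get(lo, lo))
    hi = LEVELS.index(ALIAS.get(hi, hi)) if hi else lo
    lo, hi = min(lo, hi), max(lo, hi)
    return lambda m: lo <= LEVELS.index(m["level"]) <= hi

def match(pattern):
    # syslog-ng match() is a regex search over the message text;
    # ":" is an ordinary regex character, so "Shorewall:" needs no escaping.
    return lambda m: re.search(pattern, m["text"]) is not None

def all_of(*filters):
    return lambda m: all(f(m) for f in filters)

def not_(flt):
    return lambda m: not flt(m)
def make_msg(fac, lvl, text):
    return {"facility": fac, "level": ALIAS.get(lvl, lvl), "text": text}

# Constructed sample messages (not real logs), as the kernel source would deliver them.
SAMPLE = [
    make_msg("kern", "info", "Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=23"),
    make_msg("kern", "warn", "Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=192.0.2.1 DST=198.51.100.9 PROTO=UDP DPT=53"),
    make_msg("kern", "info", "eth0: link is up"),
    make_msg("daemon", "info", "sshd[4242]: Accepted publickey for marco from 192.0.2.50"),
    make_msg("mail", "warn", "postfix/smtpd[77]: lost connection after CONNECT"),
]

# The filters from the thread, expressed with the helpers above.
f_shorewall_info_typo = all_of(level("warn"), match("Shorewall:"))  # first post: wrong level
f_shorewall_info = all_of(level("info"), match("Shorewall:"))        # with Chris W's correction
f_iptables = all_of(facility("kern"), match("IN="), match("OUT="))   # asimon's filter
f_messages_old = all_of(level("info..warn"), not_(facility("auth", "authpriv", "mail", "news")))
f_messages_new = all_of(not_(facility("auth", "authpriv", "mail", "news")), not_(f_iptables))

def select(flt, messages=SAMPLE):
    """Return the message texts a filter would pass on to its destination."""
    return [m["text"] for m in messages if flt(m)]
```

Running select() on each filter shows that f_shorewall_info_typo only catches the REJECT line logged at warn, while f_messages_new keeps the non-firewall kernel and daemon lines and drops both Shorewall entries.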