ghost_adsf n00b
Joined: 06 Oct 2004 Posts: 42
Posted: Fri Jul 29, 2005 12:48 am Post subject: Filtering of iptables thru syslog-ng. Weird issue.

Having a slight issue with my logging of iptables via syslog-ng. What I want to do is create a filter that filters udp and tcp packets into separate logs. I've come to a point where the udp packets get filtered, but if I attempt to filter tcp with the same format in the conf then I can't even start syslog-ng up. The following is my /etc/syslog-ng/syslog-ng.conf file...
Code: | # /etc/syslog-ng/syslog-ng.conf
# From the Gentoo Linux Security Guide
# http://www.gentoo.org/doc/en/gentoo-security.xml
# Creative Commons - Attribution / Share Alike License
# http://creativecommons.org/licenses/by-sa/2.0
options { long_hostnames(off); sync(0); };
#source where to read log
source src { unix-stream("/dev/log"); internal(); };
source kernsrc { file("/proc/kmsg"); };
#define destinations
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination mail { file("/var/log/mail.log"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
destination xconsole { pipe("/dev/xconsole"); };
destination firewall { file("/var/log/Firewall/firewall.log"); };
destination firewall-udp { file("/var/log/Firewall/firewall_udp.log"); };
#desintation firewall-tcp { file("/var/log/Firewall/firewall_tcp.log"); };
#create filters
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_failed { match("failed"); };
filter f_denied { match("denied"); };
filter f_firewall { match("connection"); };
filter f_firewall-tcp { match("tcp connection"); };
filter f_firewall-udp { match("udp connection"); };
#connect filter and destination
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_firewall); destination(firewall); };
#log { source(kernsrc); filter(f_firewall-tcp); destination(firewall-tcp); };
log { source(kernsrc); filter(f_firewall-udp); destination(firewall-udp); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
#log { source(kernsrc); filter(f_firewall); destination(firewall); };
#default log
|
What I receive using that is
Code: | * Configuration error. Please fix your configfile (/etc/syslog-ng/syslog-ng.conf) [ !! ]
Error parsing configuration file on line 39
|
The "error parsing" line isn't exact, but it says it can't parse the file on line 39, which I'll help you guys with so you don't have to count lines.
#desintation firewall-tcp { file("/var/log/Firewall/firewall_tcp.log"); };
The one above. Now, as you can see, they are commented out in my pasting because that's how it currently is so it works. Also, as you can see, the line for udp is the exact same except for the obvious, yet it has no problem allowing the application to function. And on a side note, if anyone knows how I can exclude the info being filtered by the new udp/tcp filters so it doesn't show up in /var/log/kern.log, that'd be great.
ikaro Advocate
Joined: 14 Jul 2003 Posts: 2527 Location: Denmark
Posted: Fri Jul 29, 2005 5:19 am Post subject:

Typo: desintation firewall-tcp should be destination?
_________________ linux: #232767
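As an added example (not from the original post or from ikaro's reply), here is the firewall-related part of the configuration with the keyword corrected, plus one way to answer the side question in the first post: keeping the tcp/udp lines out of /var/log/kern.log. It assumes syslog-ng 1.6-era syntax (what the Gentoo Security Guide config above was written for) and that the iptables LOG rules use --log-prefix "tcp connection " and --log-prefix "udp connection " so the match() filters have something to hit; the log prefixes and the rule lines in the comment are assumptions, since the thread never shows the iptables side.

```conf
# Added example: corrected firewall section for /etc/syslog-ng/syslog-ng.conf
# (assumes syslog-ng 1.6 syntax and iptables rules along these lines, which
# are an assumption, not something the thread shows:
#   iptables -A INPUT -p tcp -j LOG --log-prefix "tcp connection "
#   iptables -A INPUT -p udp -j LOG --log-prefix "udp connection ")

source kernsrc { file("/proc/kmsg"); };

destination kern         { file("/var/log/kern.log"); };
destination firewall     { file("/var/log/Firewall/firewall.log"); };
destination firewall-udp { file("/var/log/Firewall/firewall_udp.log"); };
# The keyword is "destination"; the misspelled "desintation" is what the
# parser rejected, because it is not a recognised statement at all.
destination firewall-tcp { file("/var/log/Firewall/firewall_tcp.log"); };

# match() is a regular expression over the message text, so "connection"
# also matches "tcp connection" and "udp connection": every firewall line
# lands in firewall.log and in exactly one of the per-protocol logs.
filter f_firewall     { match("connection"); };
filter f_firewall-tcp { match("tcp connection"); };
filter f_firewall-udp { match("udp connection"); };

# Side question: keep the firewall lines out of kern.log by negating the
# same pattern in the kern filter, so the result does not depend on the
# order of the log statements below.
filter f_kern { facility(kern) and not match("connection"); };

log { source(kernsrc); filter(f_firewall);     destination(firewall); };
log { source(kernsrc); filter(f_firewall-tcp); destination(firewall-tcp); };
log { source(kernsrc); filter(f_firewall-udp); destination(firewall-udp); };
log { source(kernsrc); filter(f_kern);         destination(kern); };
```

Before restarting the daemon, `syslog-ng -s` (syntax-only check) parses the file and reports the same line number the init script showed; that number counts every physical line of the file, comments and blank lines included, so it is the line to open in the editor rather than the Nth statement. Two caveats: match("connection") is broad, so any kernel message containing that word, not only iptables output, will be diverted from kern.log, which is why a less generic prefix such as "FW-TCP " is worth considering; and because the three firewall filters overlap, the same packet is written to two files, which is intended here but doubles the disk I/O under a flood.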
ghost_adsf n00b
Joined: 06 Oct 2004 Posts: 42
Posted: Fri Jul 29, 2005 12:41 pm Post subject:

Wow, that's sad. I swear I typed it more than once too. Yesterday was really a long day. So thanks, and everyone point and laugh at the idiot now, lol. Maybe we can move this to off-thewall or something to give people a smile? I need to start using a spell checker more often. Thanks again.