Gentoo Forums
syslog-ng ignores filter-rule [SOLVED]
ranger719
Tux's lil' helper


Joined: 16 May 2006
Posts: 92
Location: Germany

Posted: Mon Jun 18, 2007 5:03 pm    Post subject: syslog-ng ignores filter-rule [SOLVED]

Hi,
I wrote a new filter for syslog-ng which is supposed to put my firewall-logs into a separate file and not into dmesg/kern.log. I searched the forum and google and found that I need something like this (my iptables-logs all begin with "IPT_"):
Code:

destination firewall { file("/var/log/firewall.log"); };
filter f_firewall { match("IPT"); };
log { source(src); filter(f_firewall); destination(firewall); };
#log { source(src); filter(f_firewall); destination(firewall); flags(final); };

I put these lines above the corresponding lines in my syslog-ng.conf (does it even matter, can they stand anywhere in the conf?). I had it once working, but that's quite a time ago... There were many syslog-ng updates since...

And now the "but"... It does not work. /var/log/firewall.log does not get created. Even if I change the filter to: filter f_firewall { facility(kern) and match("IPT*"); };
Another thing: the commented line (with flags(final)) instead of the one above it would prevent the firewall-logs from appearing in dmesg/kern.log, would it not?

What am I missing?
Thank you


Last edited by ranger719 on Mon Jul 02, 2007 9:21 pm; edited 3 times in total
think4urs11
Bodhisattva


Joined: 25 Jun 2003
Posts: 6659
Location: above the cloud

Posted: Mon Jun 18, 2007 6:00 pm    Post subject: Re: syslog-ng ignores filter-rule

a) the source statement is missing - just not copied here or not existing at all? Can you post your complete syslog-ng.conf?
b) when you test it via logger IPT-test, is this logged?
c) are those IPT... logs recorded anywhere else? (/var/log/messages)
d) the order (of destination objects) matters - if (and only if) flags(final) is used; log entries matching a log-object utilizing flags(final) will not be recorded in any other logline stated below that in your conf.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
ranger719
Tux's lil' helper


Joined: 16 May 2006
Posts: 92
Location: Germany

Posted: Mon Jun 18, 2007 6:26 pm

Yes, the source statement is there.
But nevertheless, here's my conf; my additional lines are "marked":
Code:

cat /etc/syslog-ng/syslog-ng.conf
# Copyright 2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo.hardened,v 1.4 2006/07/12 23:59:59 solar Exp $

#
# Syslog-ng configuration file, compatible with default hardened installations.
#

options { chain_hostnames(off); sync(0); stats(86400); };

source src { unix-stream("/dev/log"); internal(); };
source kernsrc { file("/proc/kmsg"); };
#source net { udp(); };


destination firewall { file("/var/log/firewall.log"); }; <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); file("/dev/tty12"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination uucp { file("/var/log/uucp.log"); };
#destination ppp { file("/var/log/ppp.log"); };
destination mail { file("/var/log/mail.log"); };

destination avc { file("/var/log/avc.log"); };
destination audit { file("/var/log/audit.log"); };
destination pax { file("/var/log/pax.log"); };
destination grsec { file("/var/log/grsec.log"); };

destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };

destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };

destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
#destination loghost { udp("loghost" port(999)); };

destination xconsole { pipe("/dev/xconsole"); };

filter f_firewall { facility(kern) and match("IPT*"); }; <<<<<<<<<<<<<<<<<<<<

filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
#filter f_ppp { facility(ppp); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
        and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };

filter f_info { level(info); };

filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

filter f_avc { match(".*avc: .*"); };
filter f_audit { match("^audit.*") and not match(".*avc: .*"); };
filter f_pax { match("^PAX:.*"); };
filter f_grsec { match("^grsec:.*"); };


log { source(src); filter(f_firewall); destination(firewall); }; <<<<<<<<<<<<<<<<<<<
#log { source(src); filter(f_firewall); destination(firewall); flags(final); }; <<<<<<<<<<<<<<<

log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(kernsrc); filter(f_pax); destination(pax); };
log { source(kernsrc); filter(f_grsec); destination(grsec); };
log { source(kernsrc); filter(f_audit); destination(audit); };
log { source(kernsrc); filter(f_avc); destination(avc); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
log { source(src); filter(f_news); filter(f_err); destination(newserr); };
log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
#log { source(src); filter(f_ppp); destination(ppp); };
log { source(src); destination(console_all); };


Manual testing:
Code:

logger IPT_test
tail -n 1 /var/log/messages
Jun 18 20:11:43 shodan logger: IPT_test

... but no firewall.log, which is alright because the facility does not match.

And my iptables-log-lines are only in dmesg and kern.log. No other file.

If I change
filter f_firewall { facility(kern) and match("IPT*"); };
to
filter f_firewall { match("IPT"); };
then 'logger IPT_test' creates the file firewall.log, which is ok due to the missing facility. But "real" logs produced from lines like this are still not working:
$IPTABLES -A services_tcp -j LOG --log-prefix "IPT_Track_TCP: No Service "
Here is one dmesg/kern.log line:
IPT_Track_TCP: No Service IN=eth1 OUT= MAC=blablabla SRC=X DST=X LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=6991 PROTO=TCP SPT=43730 DPT=53 WINDOW=1024 RES=0x00 SYN URGP=0
ranger719
Tux's lil' helper


Joined: 16 May 2006
Posts: 92
Location: Germany

Posted: Mon Jun 18, 2007 6:29 pm

Nah! Found it:
log { source(kernsrc); filter(f_firewall); destination(firewall); };
kernsrc, not src...

Now it works.
Thanks anyway :)
think4urs11
Bodhisattva


Joined: 25 Jun 2003
Posts: 6659
Location: above the cloud

Posted: Mon Jun 18, 2007 6:35 pm

ranger719 wrote:
Code:
source src { unix-stream("/dev/log"); internal(); };
source kernsrc { file("/proc/kmsg"); };

destination firewall { file("/var/log/firewall.log"); };
destination kern { file("/var/log/kern.log"); file("/dev/tty12"); };

filter f_firewall { facility(kern) and match("IPT*"); };
filter f_kern { facility(kern); };

log { source(src); filter(f_firewall); destination(firewall); };
log { source(kernsrc); filter(f_kern); destination(kern); };

Do you see the issue with your config? I've copied out the relevant parts only ;)

//edit: fine :)
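The two points settled above (the firewall log path must read source(kernsrc), and a path carrying flags(final) only shields paths listed below it) are easy to get wrong silently, so here is an added example that is not from the thread: a toy Python model of how syslog-ng evaluates log {} statements. It assumes match() is a regex search on the message text, that kernel lines arrive only via the /proc/kmsg source, and that 'logger' sends facility user via /dev/log; the sample messages are constructed.

```python
# Added example (not from the thread): a toy model of syslog-ng routing.
# It shows why a log {} on source(src) never sees kernel lines that
# arrive via kernsrc (/proc/kmsg), and how flags(final) and statement
# order decide whether an iptables line also lands in kern.log.
import re
from dataclasses import dataclass

@dataclass
class Message:
    source: str    # which source {} delivered it: "src" or "kernsrc"
    facility: str  # syslog facility, e.g. "kern" or "user"
    text: str

@dataclass
class LogPath:
    source: str
    filters: list  # predicates on Message; all must hold (filter(a); filter(b);)
    destination: str
    final: bool = False  # flags(final)

def facility(*names):
    return lambda m: m.facility in names

def match(pattern):  # assumption: syslog-ng match() is a regex search on the text
    return lambda m: re.search(pattern, m.text) is not None

def route(paths, msg):
    """Destinations the message reaches, in config order, honouring flags(final)."""
    reached = []
    for p in paths:
        if p.source != msg.source or not all(f(msg) for f in p.filters):
            continue
        reached.append(p.destination)
        if p.final:  # stop here: later log {} statements never see it
            break
    return reached

# Constructed samples: the poster's kernel line, and what 'logger IPT_test' produces
# (logger uses facility user by default and is delivered via /dev/log, i.e. src).
IPT_LINE = Message("kernsrc", "kern", "IPT_Track_TCP: No Service IN=eth1 OUT= SRC=X DST=X PROTO=TCP DPT=53")
LOGGER_LINE = Message("src", "user", "logger: IPT_test")

# The thread's original config: the firewall path reads source(src), so kernel lines miss it.
BROKEN = [LogPath("src", [facility("kern"), match("IPT")], "firewall"),
          LogPath("kernsrc", [facility("kern")], "kern")]
# Fixed: source(kernsrc), an anchored prefix regex, and flags(final) placed above the f_kern path.
FIXED = [LogPath("kernsrc", [facility("kern"), match("^IPT_")], "firewall", final=True),
         LogPath("kernsrc", [facility("kern")], "kern")]
```

Swapping the order of the two FIXED paths makes the iptables line reach both kern.log and firewall.log, which is exactly the ordering caveat in point d above.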
ranger719
Tux's lil' helper


Joined: 16 May 2006
Posts: 92
Location: Germany

Posted: Mon Jul 02, 2007 7:54 pm    Post subject: Re: syslog-ng ignores filter-rule

I have reopened this thread because I don't get the iptables-logs out of 'dmesg'.

Think4UrS11 wrote:
d) the order (of destination objects) matters - if (and only if) flags(final) is used; log entries matching a log-object utilizing flags(final) will not be recorded in any other logline stated below that in your conf.


If a destination is reached where flags(final) is set, the packet will only be logged at this destination. Right?
But what about dmesg, where can I set what 'dmesg' reads and prints out? I found out that dmesg will print out things related to their log level. But even if I add '--log-level debug' to my iptables-log-rules they show up in dmesg-output. I found this thread: https://forums.gentoo.org/viewtopic-t-334079-highlight-.html But this is not really a solution for me, I don't want to use another logger. syslog-ng works fine for me.
So, how do I get rid of my firewall-log in dmesg?
think4urs11
Bodhisattva


Joined: 25 Jun 2003
Posts: 6659
Location: above the cloud

Posted: Mon Jul 02, 2007 8:04 pm

see How do I stop iptables logs going into dmesg?
ranger719
Tux's lil' helper


Joined: 16 May 2006
Posts: 92
Location: Germany

Posted: Mon Jul 02, 2007 8:14 pm

Think4UrS11 wrote:
see How do I stop iptables logs going into dmesg?

That's the link I posted, too. I don't see a solution there. If there is one please point it out. Should I use ulogd?
Code:
eix ulogd
* app-admin/ulogd
     Available versions:  1.23-r1 [M]~1.24
     Homepage:            http://netfilter.org/projects/ulogd/index.html
     Description:         A userspace logging daemon for netfilter/iptables related logging

ulogd is only for iptables then? syslog-ng cannot handle iptables-logs in a way that they do not show up in dmesg? Is dmesg completely independent of syslog-ng? I do not know how dmesg gets its output.

edit: Ok, it just prints out the kernel-ringbuffer. So syslog-ng won't change the contents in there (I guess). I will try ulogd then.
think4urs11
Bodhisattva


Joined: 25 Jun 2003
Posts: 6659
Location: above the cloud

Posted: Mon Jul 02, 2007 8:38 pm

What dmesg prints out is always what it finds in the kernel ring buffer; afaik you cannot directly influence that (what's in there is in there) and LOG writes the events from iptables to this ring buffer. So the only way to get rid of them (have them not flooding the ring buffer) is to prevent the messages getting in there, i.e. using ULOG which doesn't write to /proc/kmsg but somewhere else.
So yes, you need to use ulogd additionally unless there's a trick I'm not yet aware of.

Or in other words - dmesg doesn't care at all about the configuration you have in syslog-ng, therefore you need to have the log target in iptables changed to something dmesg doesn't use as source - which leads to ulogd.
ranger719
Tux's lil' helper


Joined: 16 May 2006
Posts: 92
Location: Germany

Posted: Mon Jul 02, 2007 9:20 pm

Okay.

ulogd works now and my dmesg output is fine, too.

Just a note: ulogd will install but probably will not start, you need to have this in your kernel (modules are fine, too):

CONFIG_IP_NF_TARGET_ULOG=y
and I guess this, too:
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_LOG=y

The ebuild does not check for a suitable kernel-config, unlike some other ebuilds.

... and do not forget to use '-j ULOG --ulog-prefix "whatever"' instead of '-j LOG --log-prefix "whatever"'.

Thank you, again :)