Syslog-ng Separate IPTables Log [SOLVED]
rldawson
n00b
Joined: 20 May 2011
Posts: 19

Posted: Mon Jun 20, 2011 11:54 pm    Post subject: Syslog-ng Separate IPTables Log [SOLVED]

For quite some time now I have been trying to get syslog-ng to generate/use a separate log file for iptables. It would seem that the sources that I have looked at via Google do not help and I am now lost. Syslog-ng will not generate a log file, but the "iptables:" filter does seem to work and is placed in kern.log. I can only assume that I am missing something, or syslog-ng is faulty somehow.

This is the current state of my syslog-ng.conf file:
Code:
options {
   chain_hostnames(no);
   stats_freq(43200);
};

source src {
    unix-stream("/dev/log");
    internal();
};
source kernsrc {
    file("/proc/kmsg");
};

destination firewall { file("/var/log/firewall.log"); };
destination authlog { file("/var/log/auth.log"); };
destination _syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); file("/dev/tty12"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination uucp { file("/var/log/uucp.log"); };
#destination ppp { file("/var/log/ppp.log"); };
destination mail { file("/var/log/mail.log"); };

destination avc { file("/var/log/avc.log"); };
destination audit { file("/var/log/audit.log"); };
destination pax { file("/var/log/pax.log"); };
destination grsec { file("/var/log/grsec.log"); };

destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };

destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };

destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
#destination loghost { udp("loghost" port(999)); };

destination xconsole { pipe("/dev/xconsole"); };

filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_firewall { match("^iptables: " value("MESSAGE")); };
filter f_kern { facility(kern) and not filter(f_firewall);};
#filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
#filter f_ppp { facility(ppp); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
   and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };

filter f_info { level(info); };

filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

filter f_avc { message(".*avc: .*"); };
filter f_audit { message("^(\\[.*\..*\] |)audit.*") and not message(".*avc: .*"); };
filter f_pax { message("^(\\[.*\..*\] |)PAX:.*"); };
filter f_grsec { message("^(\\[.*\..*\] |)grsec:.*"); };

log { source(kernsrc); filter(f_firewall); destination(firewall); };
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(_syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(kernsrc); filter(f_pax); destination(pax); };
log { source(kernsrc); filter(f_grsec); destination(grsec); };
log { source(kernsrc); filter(f_audit); destination(audit); };
log { source(kernsrc); filter(f_avc); destination(avc); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
log { source(src); filter(f_news); filter(f_err); destination(newserr); };
log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
#log { source(src); filter(f_ppp); destination(ppp); };
log { source(src); destination(console_all); };


Last edited by rldawson on Wed Jun 22, 2011 1:36 pm; edited 1 time in total
andrewthomas
Tux's lil' helper
Joined: 27 Apr 2010
Posts: 93

Posted: Tue Jun 21, 2011 7:48 pm    Post subject:

Here are the lines I use to log iptables to a separate log file and exclude them from /var/log/messages.

Code:
destination iptables { file("/var/log/iptables"); };
filter f_iptables { facility(kern) and match("IN=" value("MESSAGE")) and match("OUT=" value("MESSAGE")); };
filter f_messages { not facility(auth, authpriv, kern) and not filter(f_iptables); };
log { source(kernsrc); filter(f_iptables); destination(iptables); };
rldawson
n00b
Joined: 20 May 2011
Posts: 19

Posted: Tue Jun 21, 2011 11:53 pm    Post subject:

Thank you so much. That worked very well. :)
andrewthomas
Tux's lil' helper
Joined: 27 Apr 2010
Posts: 93

Posted: Wed Jun 22, 2011 7:02 pm    Post subject:

You are welcome.

Glad to be of help.
Tiberian
n00b
Joined: 03 Jan 2008
Posts: 13

Posted: Thu Jun 23, 2011 3:18 pm    Post subject:

This is what I do:

Code:

iptables -A OUTPUT -j LOG --log-prefix firewall:
ip6tables -A OUTPUT -j LOG --log-prefix firewall6:
iptables -A INPUT -j LOG --log-prefix firewall:
ip6tables -A INPUT -j LOG --log-prefix firewall6:
$iptables -A INPUT -p tcp --dport ! 135 -j LOG --log-prefix firewall:
$iptables -A INPUT -i ! ppp0 -j LOG --log-prefix firewall:
iptables -A FORWARD -j LOG --log-prefix firewall:
ip6tables -A FORWARD -j LOG --log-prefix firewall6:


which puts a prefix on every line that iptables puts out.

Code:

filter f_firewall { match(".*firewall:.*") or match(".*firewall6:.*"); };


filters it out.
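The three syslog-ng filters in this thread (rldawson's anchored `^iptables: ` match, andrewthomas's `IN=` plus `OUT=` match, and Tiberian's `--log-prefix` match) re-expressed in Python over a handful of constructed kernel-facility messages. This is an added example, not code from the thread or from syslog-ng; it shows which lines each filter selects and parses the `KEY=VALUE` fields of an iptables LOG line into a dict. The sample messages, the function names and the printk-timestamp line are assumptions; the timestamp case is there because the thread's own `f_pax`/`f_grsec` filters allow an optional `[seconds.micros] ` in front of the message, which an anchored `^` match does not tolerate.

```python
"""Re-expression of the thread's syslog-ng filters in Python (added example).

syslog-ng match() is an unanchored regex search over ${MESSAGE}, so each filter
below is written with re.search; '^' anchors only where the original did.
"""
import re
from collections import Counter

# Constructed kernel-facility messages as syslog-ng would hold them in ${MESSAGE}
# (syslog timestamp and host already stripped). Points worth noticing:
#  * the iptables LOG target always writes both IN= and OUT=, leaving one of
#    them empty depending on the chain, which is why matching both works for
#    INPUT, OUTPUT and FORWARD alike;
#  * --log-prefix is copied verbatim, so "firewall:" with no trailing space
#    runs straight into "IN=";
#  * line index 2 carries a printk timestamp (assumed here; kernels built with
#    CONFIG_PRINTK_TIME emit it on /proc/kmsg), which defeats an anchored match.
SAMPLE_MESSAGES = [
    "iptables: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF "
    "PROTO=TCP SPT=40210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.4 LEN=52 TOS=0x00 PREC=0x00 "
    "TTL=64 ID=34421 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=229 RES=0x00 ACK URGP=0",
    "[ 1234.567890] iptables: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=6000 DPT=23 "
    "WINDOW=1024 RES=0x00 SYN URGP=0",
    "firewall:IN=ppp0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=40 TOS=0x00 "
    "PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=6000 DPT=135 WINDOW=1024 RES=0x00 "
    "SYN URGP=0",
    "firewall6:IN=eth0 OUT= SRC=2001:db8::1 DST=2001:db8::2 LEN=80 TC=0 "
    "HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=1 SEQ=1",
    "usb 1-1: new high-speed USB device number 3 using ehci_hcd",
    "eth0: link up, 1000Mbps, full-duplex",
]


def f_firewall_prefix(message):
    """rldawson: match("^iptables: " value("MESSAGE")) -- anchored at line start."""
    return re.search(r"^iptables: ", message) is not None


def f_iptables_fields(message):
    """andrewthomas: match("IN=") and match("OUT=") (facility(kern) holds for
    every sample line, so only the two matches are modelled)."""
    return re.search(r"IN=", message) is not None and re.search(r"OUT=", message) is not None


def f_firewall_logprefix(message):
    """Tiberian: match(".*firewall:.*") or match(".*firewall6:.*")."""
    return (re.search(r".*firewall:.*", message) is not None
            or re.search(r".*firewall6:.*", message) is not None)


FILTERS = {
    "f_firewall (rldawson)": f_firewall_prefix,
    "f_iptables (andrewthomas)": f_iptables_fields,
    "f_firewall (Tiberian)": f_firewall_logprefix,
}


def select(filter_fn, messages):
    """Indices of the messages a filter would route to its destination."""
    return [i for i, m in enumerate(messages) if filter_fn(m)]


def parse_iptables_log(message):
    """Split an iptables/ip6tables LOG line into a dict of KEY=VALUE fields.

    Everything before the first IN= (log prefix, printk timestamp) is kept
    under 'prefix'; bare flag tokens such as DF, SYN or ACK map to True.
    Returns None for messages that are not LOG lines at all.
    """
    start = message.find("IN=")
    if start < 0:
        return None
    fields = {"prefix": message[:start]}
    for token in message[start:].split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        else:
            fields[token] = True
    return fields


def count_by_dport(messages):
    """Count logged packets per destination port, the kind of summary a
    dedicated iptables log file makes easy; lines without DPT are skipped."""
    counts = Counter()
    for message in messages:
        if not f_iptables_fields(message):
            continue
        fields = parse_iptables_log(message)
        if "DPT" in fields:
            counts[fields["DPT"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, fn in FILTERS.items():
        print(f"{name:28s} selects lines {select(fn, SAMPLE_MESSAGES)}")
    print("packets per DPT:", count_by_dport(SAMPLE_MESSAGES))
```

Running it shows the anchored filter picking up only the first line, the `IN=`/`OUT=` filter picking up all five LOG lines regardless of prefix or timestamp, and the prefix filter picking up exactly the two lines that carry Tiberian's `--log-prefix`.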