packets loging

packets loging

[robee]

when i use -j LOG target, netfilter writes so many information to syslog. 
what can i use to write only IN and OUT interface, SRC and DST host?

robee 

Re: packets loging

[Mario]

robee wrote:

> when i use -j LOG target, netfilter writes so many information to 
> syslog. what can i use to write only IN and OUT interface, SRC and DST 
> host?
>
> robee
>
>
$myLoglevel=info ...

iptables -A _____ -i $intif -s $Src -o $outif -d $Dest ________ -j LOG 
--log-prefix "xxxxxxx" --log-level $myLoglevel

and a little change in syslog.conf... like: kern.=info 
/var/log/kern.info.log ....




__________________________________________________
Correo Yahoo!
Espacio para todos tus mensajes, antivirus y antispam ¡gratis! 
Regístrate ya - http://correo.yahoo.com.mx/ 

Re: packets loging

[robee]

----- Original Message ----- 
From: "Mario" <mariounixuser@yahoo.com.mx>
To: "robee" <mlody@elpec.com>
Cc: <netfilter@lists.netfilter.org>
Sent: Thursday, April 20, 2006 10:47 PM
Subject: Re: packets loging

> robee wrote:
>> when i use -j LOG target, netfilter writes so many information to syslog. 
>> what can i use to write only IN and OUT interface, SRC and DST host?
>> robee
> $myLoglevel=info ...
> iptables -A _____ -i $intif -s $Src -o $outif -d $Dest ________ -j 
> LOG --log-prefix "xxxxxxx" --log-level $myLoglevel
> and a little change in syslog.conf... like: kern.=info 
> /var/log/kern.info.log ....
> __________________________________________________
> Correo Yahoo!
> Espacio para todos tus mensajes, antivirus y antispam ¡gratis! Regístrate 
> ya - http://correo.yahoo.com.mx/

my rules looks like this:
    iptables -I FORWARD -p tcp -i ! eth0 --dport 80 -m state --state NEW -j 
LOG --log-prefix HTTP_ --log-level info

and i get something like this in /var/log/kernel
    Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 
DST=213.54.82.29 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=57962 DF PROTO=TCP 
SPT=3636 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

but i want only this:
    Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 
DST=213.54.82.29


any sugestion?

robee 

Re: packets loging

[Rob Sterenborg]

On Fri, April 21, 2006 08:34, robee wrote:

> my rules looks like this:
>     iptables -I FORWARD -p tcp -i ! eth0 --dport 80 -m state --state NEW -j
> LOG --log-prefix HTTP_ --log-level info
>
> and i get something like this in /var/log/kernel
>     Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2
> DST=213.54.82.29 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=57962 DF PROTO=TCP
> SPT=3636 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
>
> but i want only this:
>     Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2
> DST=213.54.82.29
>
>
> any sugestion?

AFAIK that isn't possible.
Why would you want to anyway ?


Gr,
Rob

Re: packets loging

[robee]

----- Original Message ----- 
From: "Rob Sterenborg" <rob@sterenborg.info>
To: <netfilter@lists.netfilter.org>
Sent: Friday, April 21, 2006 9:22 AM
Subject: Re: packets loging

> On Fri, April 21, 2006 08:34, robee wrote:
>> my rules looks like this:
>>     iptables -I FORWARD -p tcp -i ! eth0 --dport 80 -m state --state
>> NEW -j LOG --log-prefix HTTP_ --log-level info
>> and i get something like this in /var/log/kernel
>>     Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2
>> DST=213.54.82.29 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=57962 DF PROTO=TCP
>> SPT=3636 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
>> but i want only this:
>>     Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2
>> DST=213.54.82.29
>> any sugestion?
> AFAIK that isn't possible.
> Why would you want to anyway ?
> Gr,
> Rob


less data to write, less disk load

robee

Re: packets loging

[Rob Sterenborg]

On Fri, April 21, 2006 09:36, robee wrote:
>>> but i want only this:
>>>     Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2
>>> DST=213.54.82.29
>>> any sugestion?
>> AFAIK that isn't possible.
>> Why would you want to anyway ?
>> Gr,
>> Rob
>
>
> less data to write, less disk load

It must be a really busy box if this is going to hog your disk space|IO.
If you use the limit match ("-m limit --limit 1/sec" or something) your
logging will also be less.


Gr,
Rob

Re: packets loging

[robee]

----- Original Message ----- 
From: "Rob Sterenborg" <rob@sterenborg.info>
To: <netfilter@lists.netfilter.org>
Sent: Friday, April 21, 2006 9:57 AM
Subject: Re: packets loging

> On Fri, April 21, 2006 09:36, robee wrote:
>>>> but i want only this:
>>>>     Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2
>>>> DST=213.54.82.29
>>>> any sugestion?
>>> AFAIK that isn't possible.
>>> Why would you want to anyway ?
>>> Gr,
>>> Rob
>> less data to write, less disk load
> It must be a really busy box if this is going to hog your disk space|IO.
> If you use the limit match ("-m limit --limit 1/sec" or something) your
> logging will also be less.
> Gr,
> Rob

disk space is not a problem but disk usage increased 10 times during loging 
dstport 80 only. it is a gateway for large network.
When i use limit module is it possible that loging system miss some 
significant connection? or it has influence to particular destination host?

ex:

log like:
Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 
DST=213.54.82.29 ...
Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 
DST=82.140.223.12 ...
Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 
DST=112.212.123.2 ...
Apr 21 04:09:21 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 
DST=213.54.82.29 ...
Apr 21 04:09:22 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 
DST=213.54.82.29 ...
Apr 21 04:09:23 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 
DST=213.54.82.29 ...
Apr 21 04:09:24 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 
DST=213.54.82.29 ...

turns to:
Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 
DST=213.54.82.29 ...
Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 
DST=82.140.223.12 ...
Apr 21 04:09:20 master kernel: HTTP_IN=eth2 OUT=eth0 SRC=10.11.9.2 
DST=112.212.123.2 ...



robee

Re: packets loging

[Rob Sterenborg]

On Fri, April 21, 2006 10:52, robee wrote:
> disk space is not a problem but disk usage increased 10 times during loging
> dstport 80 only. it is a gateway for large network.

If it's so large, maybe you can setup a log-server and do remote logging.
(Have you also looked at ULOG ?) To me, logging *all* packets to dport 80
seems to be overkill but that's up to you.

> When i use limit module is it possible that loging system miss some
> significant connection?

Yes, you *will* miss packets when limiting LOG (as you have a busy network).
I think the most important packet is the first one in a connection so you can
also choose to just log the NEW packets :

$ipt -A INPUT -m state --state NEW -p tcp --dport 80 \
  -j LOG --log-level <...> --log-prefix "<...>"


Gr,
Rob

Re: packets loging

[Jakub Wartak]

Dnia czwartek, 20 kwietnia 2006 08:38, robee napisa³:
> when i use -j LOG target, netfilter writes so many information to syslog.
> what can i use to write only IN and OUT interface, SRC and DST host?

Get a syslog-ng up && running. 
Create filter to match only entries you are interested in ( iptables 
--log-prefix "something-unique"  + filter { } definition in syslog-ng.conf )
Try to catch this "prefix" and direct it into pipe ( you can feed some SQL 
backend with it or write small daemon/script that will read this pipe line by 
line and extract information that you want to store/you are interested in ).

And also try NOT to log netfilter messages info messages/kernel and so on 
( performance reasons ).  This can be achived by using "not 
match(somestring)" in log {} section.

-- 
Jakub Wartak
-vnull
Abstrakcyjna plciowosc szczekoczulek Konstantego.
http://vnull.pcnet.com.pl/