* logging to console
@ 2003-12-16 15:59 Hurley, Michael
  2003-12-16 16:23 ` Antony Stone
  2003-12-16 16:29 ` James Pattie
  0 siblings, 2 replies; 8+ messages in thread
From: Hurley, Michael @ 2003-12-16 15:59 UTC (permalink / raw)
  To: Netfilter (E-mail)

Using iptables 1.2.8-8.72.3 on Red Hat Linux 7.3, kernel 2.4.20-20.7.

Haven't found a solution to this so far: iptables LOG is logging to console.
This only occurs on the consoles directly connected to the machine. Logging
in remotely does not have this problem.

Here's what I've tried so far, w/o success:
set log-level to notice, added kern.=notice /var/log/firewall to
syslog.conf, restarted syslogd.
set log-level to warning, added kern.=warning /var/log/firewall to
syslog.conf, restarted syslogd.

Still keeps on logging to local consoles. (BTW, kern.* is not accounted for
in syslog.conf).

I haven't tried setting the printk values yet (at present, the values are 6
4 1 7)--unsure of what the consequences might be of tinkering with that.

What is the best way to stop this irritating behavior? Thanks,


Michael Hurley
mhurley@law.uconn.edu 



* Re: logging to console
  2003-12-16 15:59 logging to console Hurley, Michael
@ 2003-12-16 16:23 ` Antony Stone
  2003-12-16 16:29 ` James Pattie
  1 sibling, 0 replies; 8+ messages in thread
From: Antony Stone @ 2003-12-16 16:23 UTC (permalink / raw)
  To: Netfilter (E-mail)

On Tuesday 16 December 2003 3:59 pm, Hurley, Michael wrote:

> Using iptables 1.2.8-8.72.3 on Red Hat Linux 7.3, kernel 2.4.20-20.7.
>
> Haven't found a solution to this so far: iptables LOG is logging to
> console. This only occurs on the consoles directly connected to the
> machine. Logging in remotely does not have this problem.

Try using the numeric values in your netfilter LOG rules instead of the words 
notice and warning for the log-level.

Antony.

-- 
"Note: Windows 98, Windows 98SE and Windows 95 are not affected by [MS
Blaster].   However, these products are no longer supported.   Users of these
products are strongly encouraged to upgrade to later versions."

(which *are* affected by MS Blaster...)

http://www.microsoft.com/security/security_bulletins/ms03-026.asp

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: logging to console
  2003-12-16 15:59 logging to console Hurley, Michael
  2003-12-16 16:23 ` Antony Stone
@ 2003-12-16 16:29 ` James Pattie
  1 sibling, 0 replies; 8+ messages in thread
From: James Pattie @ 2003-12-16 16:29 UTC (permalink / raw)
  To: Hurley, Michael; +Cc: Netfilter (E-mail)

Hurley, Michael wrote:
| Using iptables 1.2.8-8.72.3 on Red Hat Linux 7.3, kernel 2.4.20-20.7.
|
| Haven't found a solution to this so far: iptables LOG is logging to console.
| This only occurs on the consoles directly connected to the machine. Logging
| in remotely does not have this problem.
|
| Here's what I've tried so far, w/o success:
| set log-level to notice, added kern.=notice /var/log/firewall to
| syslog.conf, restarted syslogd.
| set log-level to warning, added kern.=warning /var/log/firewall to
| syslog.conf, restarted syslogd.
|
| Still keeps on logging to local consoles. (BTW, kern.* is not accounted for
| in syslog.conf).
|
| I haven't tried setting the printk values yet (at present, the values are 6
| 4 1 7)--unsure of what the consequences might be of tinkering with that.
|
| What is the best way to stop this irritating behavior? Thanks,
|
|

A temporary solution is to issue: dmesg -n 1
at the console.  That stops it outputting on the active console, but it still
goes into dmesg, etc.

-- 
James A. Pattie
james@pcxperience.com

Linux  --  SysAdmin / Programmer
Xperience, Inc.
http://www.pcxperience.com/
http://www.xperienceinc.com/

GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html

* RE: logging to console
@ 2003-12-16 16:45 Hurley, Michael
  2003-12-16 17:10 ` Ben
  0 siblings, 1 reply; 8+ messages in thread
From: Hurley, Michael @ 2003-12-16 16:45 UTC (permalink / raw)
  To: Netfilter (E-mail)

Thanks for your reply, Antony. Changing the log-level to 7 seems to have
done the trick. 

The question then is:
How do I now capture iptables messages to their own log (/var/log/firewall)?

I suppose I could grep for the log-prefix and redirect the output into
/var/log/firewall, but if there's a simpler way, that'd be swell.

Thanks!


-----Original Message-----
From: Antony Stone [mailto:Antony@Soft-Solutions.co.uk]
Sent: Tuesday, December 16, 2003 11:23 AM
To: Netfilter (E-mail)
Subject: Re: logging to console


On Tuesday 16 December 2003 3:59 pm, Hurley, Michael wrote:

> Using iptables 1.2.8-8.72.3 on Red Hat Linux 7.3, kernel 2.4.20-20.7.
>
> Haven't found a solution to this so far: iptables LOG is logging to
> console. This only occurs on the consoles directly connected to the
> machine. Logging in remotely does not have this problem.

Try using the numeric values in your netfilter LOG rules instead of the words
notice and warning for the log-level.

Antony.

-- 
"Note: Windows 98, Windows 98SE and Windows 95 are not affected by [MS
Blaster].   However, these products are no longer supported.   Users of these
products are strongly encouraged to upgrade to later versions."

(which *are* affected by MS Blaster...)

http://www.microsoft.com/security/security_bulletins/ms03-026.asp

                                                     Please reply to the list;
                                                           please don't CC me.




* RE: logging to console
  2003-12-16 16:45 Hurley, Michael
@ 2003-12-16 17:10 ` Ben
  2003-12-16 17:19   ` Antony Stone
  0 siblings, 1 reply; 8+ messages in thread
From: Ben @ 2003-12-16 17:10 UTC (permalink / raw)
  To: netfilter

I'd be interested in knowing how to do this as well

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Hurley, Michael
Sent: Tuesday, December 16, 2003 11:45 AM
To: Netfilter (E-mail)
Subject: RE: logging to console

Thanks for your reply, Antony. Changing the log-level to 7 seems to have
done the trick. 

The question then is:
How do I now capture iptables messages to their own log (/var/log/firewall)?

I suppose I could grep for the log-prefix and redirect the output into
/var/log/firewall, but if there's a simpler way, that'd be swell.

Thanks!







* Re: logging to console
  2003-12-16 17:10 ` Ben
@ 2003-12-16 17:19   ` Antony Stone
  2003-12-16 23:33     ` Laurence J. Lane
  0 siblings, 1 reply; 8+ messages in thread
From: Antony Stone @ 2003-12-16 17:19 UTC (permalink / raw)
  To: netfilter

On Tuesday 16 December 2003 5:10 pm, Ben wrote:

> I'd be interested in knowing how to do this as well

I think several people would.   It's come up a few times before on this list.   
Short of delving into the netfilter source code, I don't know of a way to do 
it.

Maybe the ULOG target would help in this case, instead of LOG?

Antony.

> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Hurley, Michael
> Sent: Tuesday, December 16, 2003 11:45 AM
> To: Netfilter (E-mail)
> Subject: RE: logging to console
>
> Thanks for your reply, Antony. Changing the log-level to 7 seems to have
> done the trick.
>
> The question then is:
> How do I now capture iptables messages to their own log
> (/var/log/firewall)?
>
> I suppose I could grep for the log-prefix and redirect the output into
> /var/log/firewall, but if there's a simpler way, that'd be swell.
>
> Thanks!

-- 
Normal people think "If it ain't broke, don't fix it".
Engineers think "If it ain't broke, it doesn't have enough features yet".

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: logging to console
  2003-12-16 17:19   ` Antony Stone
@ 2003-12-16 23:33     ` Laurence J. Lane
  0 siblings, 0 replies; 8+ messages in thread
From: Laurence J. Lane @ 2003-12-16 23:33 UTC (permalink / raw)
  To: netfilter

On Tue, Dec 16, 2003 at 05:19:31PM +0000, Antony Stone wrote:

[ re sending netfilter logs to a separate file ]

> I think several people would. It's come up a few times before on
> this list. Short of delving into the netfilter source code, I
> don't know of a way to do it.

syslog-ng may interest you.



* RE: logging to console
@ 2003-12-17 18:14 Hurley, Michael
  0 siblings, 0 replies; 8+ messages in thread
From: Hurley, Michael @ 2003-12-17 18:14 UTC (permalink / raw)
  To: netfilter

Actually, I got a response directly to me that solved the problem. This is
effectively dumping all my iptables messages to their own log:

>I set my logging in my firewall script to
>iptables -A FORWARD -j LOG --log-level 7 --log-prefix "FORWARD: "
>
>Then in /etc/syslog.conf:
>
>kern.7	-/var/log/firewall
>
>On a side note in /etc/sysconfig/syslog I modified the -c parameter, this
>controls the console logging level.
>KLOGD_OPTIONS="-x -c 4" 

I didn't bother tinkering with klogd, but I thought I'd reproduce the
message I got in full for anyone else who might find this as useful as I
did. 

- Michael Hurley


-----Original Message-----
From: Laurence J. Lane [mailto:ljlane@nontoxic.org]
Sent: Tuesday, December 16, 2003 6:34 PM
To: netfilter@lists.netfilter.org
Subject: Re: logging to console


On Tue, Dec 16, 2003 at 05:19:31PM +0000, Antony Stone wrote:

[ re sending netfilter logs to a separate file ]

> I think several people would. It's come up a few times before on
> this list. Short of delving into the netfilter source code, I
> don't know of a way to do it.

syslog-ng may interest you.
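
Added example, not part of any message in this thread: a small shell model of the two filters the thread deals with, the kernel console log level (the first of the four printk values) and syslog.conf priority selectors. The function names and the sample log lines are constructed for illustration; numeric selector priorities are handled the way the thread uses them (kern.7).

```shell
#!/bin/sh
# Map a syslog priority name or number to its numeric level (0=emerg .. 7=debug).
level_num() {
    case "$1" in
        emerg|panic|0)  echo 0 ;;
        alert|1)        echo 1 ;;
        crit|2)         echo 2 ;;
        err|error|3)    echo 3 ;;
        warning|warn|4) echo 4 ;;
        notice|5)       echo 5 ;;
        info|6)         echo 6 ;;
        debug|7)        echo 7 ;;
        *) return 1 ;;
    esac
}

# reaches_console "<printk values>" <level>
# The kernel prints a message on the console only when its level is
# numerically lower than console_loglevel, the first printk value.
reaches_console() {
    lvl=$(level_num "$2") || return 2
    set -- $1              # split on spaces or tabs; $1 is now console_loglevel
    [ "$lvl" -lt "$1" ]
}

# selector_matches <priority part of a syslog.conf selector> <level>
# "notice" matches notice and anything more severe; "=notice" matches notice only.
selector_matches() {
    lvl=$(level_num "$2") || return 2
    case "$1" in
        =*) want=$(level_num "${1#=}") || return 2; [ "$lvl" -eq "$want" ] ;;
        *)  want=$(level_num "$1") || return 2;     [ "$lvl" -le "$want" ] ;;
    esac
}

# Keep only the lines that carry the LOG rule's --log-prefix.
firewall_lines() { grep -F -- "$1"; }

# Constructed sample of what a file fed by a kern.7 selector could receive.
SAMPLE='Dec 17 18:00:01 fw kernel: FORWARD: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=22
Dec 17 18:00:02 fw kernel: eth0: link up
Dec 17 18:00:03 fw kernel: FORWARD: IN=eth0 OUT=eth1 SRC=192.0.2.11 DST=198.51.100.5 PROTO=UDP DPT=53'

count_firewall() {
    printf '%s\n' "$SAMPLE" | firewall_lines "kernel: FORWARD: " | wc -l | tr -d ' '
}
```

With the printk values 6 4 1 7 quoted in the thread, LOG rules at notice (5) or warning (4) pass the console threshold and level 7 does not. A kern.7 selector matches every kernel priority, so the file also receives non-firewall kernel messages unless they are filtered by prefix.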

