From: Georgi Alexandrov <tehlists@hotpop.com>
To: netfilter@lists.netfilter.org
Subject: Re: syslogging firewall data to an external file
Date: Sun, 20 Mar 2005 23:40:19 +0200
Message-ID: <423DEDC3.1000902@hotpop.com>
In-Reply-To: <20050320210235.0CBD0F9D7EF@mx2.hotpop.com>
matt wrote:
>Hi all,
>
>Apologies if this post is more a kernel/syslog post, but from what I’ve read
>part of it is netfilter.
>
>I have a Linux box that has an iptables rule -A INPUT -j LOG --log-prefix
>"FIREWALL:INPUT"
>
>Which is basically my last rule, so if my other rules haven’t been matched it
>will log it into the syslog
>
>My syslog config looks like this
>
>auth,authpriv.* -/var/log/auth.log
>*.*;auth,authpriv.none -/var/log/sys.log
>daemon.* -/var/log/daemon.log
>kern.* -/var/log/kern.log
>mail.* -/var/log/mail.log
>user.* -/var/log/user.log
>*.emerg *
>
>So kernel warnings go to kern.log – mail alerts go to mail.log etc thus
>keeping the actual syslog clean of anything other than core stuff. However
>my syslog is getting flooded with firewall data. I’ve read in the FAQ that
>explains how the priority of the logging feature is used with syslog,
>however I was wondering if there was any way I could configure
>netfilter/syslog to something like this
>
>kern.* -/var/log/kern.log
>mail.* -/var/log/mail.log
>user.* -/var/log/user.log
>netfilter.* /var/log/firewall.log
>
>so that once again the syslog logs only “core” data and all the general
>netfilter jazz goes to the firewall.log, so that should I need to I can
>study it, yet keeping the syslog clear.
>
>Thanks,
>
>Matt
>
>
>
>
Hello,
Use the ULOG (userspace logging) target and the ulogd daemon. That way
you may specify logging to a particular file (supports SQL logging too).
More at: http://iptables-tutorial.frozentux.net/iptables-tutorial.html
regards,
Georgi Alexandrov
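
The following Python example is added here and is not part of the original message or of any netfilter tooling. It separates kernel lines carrying the `FIREWALL:INPUT` prefix from a mixed syslog file and parses the LOG target's `KEY=value` fields, handling the fact that a prefix written without a trailing space runs straight into `IN=`. The sample lines, host name `gw` and addresses are constructed.

```python
import re

PREFIX = "FIREWALL:INPUT"  # --log-prefix value from the rule quoted above

# Constructed sample of a mixed syslog file (documentation addresses, not real traffic).
SAMPLE = """\
Mar 20 21:00:01 gw kernel: FIREWALL:INPUTIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51515 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 20 21:00:02 gw kernel: eth0: link up
Mar 20 21:00:03 gw kernel: FIREWALL:INPUTIN=eth0 OUT= MAC= SRC=192.0.2.77 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=513 SEQ=1
Mar 20 21:00:04 gw sshd[812]: Accepted publickey for admin from 192.0.2.10
"""

# LOG target fields are upper-case keys followed by '=' and a possibly empty value.
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def split_log(text, prefix=PREFIX):
    """Return (firewall_records, other_lines) from mixed syslog text."""
    firewall, other = [], []
    marker = "kernel: " + prefix
    for line in text.splitlines():
        _, found, body = line.partition(marker)
        if not found:
            other.append(line)  # ordinary syslog line, left untouched
            continue
        # The prefix has no trailing space, so body starts directly with "IN=".
        fields = {}
        for key, value in FIELD.findall(body):
            # ICMP echo lines carry ID= twice; keep the first (IP header) one.
            fields.setdefault(key, value)
        # Bare tokens such as DF or SYN are flags, not key/value pairs.
        fields["FLAGS"] = [tok for tok in body.split() if "=" not in tok]
        firewall.append(fields)
    return firewall, other


if __name__ == "__main__":
    records, rest = split_log(SAMPLE)
    for rec in records:
        print(rec["SRC"], "->", rec["DST"], rec["PROTO"], rec.get("DPT", "-"), rec["FLAGS"])
    print(len(rest), "non-firewall lines kept for the main log")
```
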