Linux Netfilter discussions
* syslogging firewall data to an external file
@ 2005-03-20 21:01 matt
From: matt @ 2005-03-20 21:01 UTC (permalink / raw)
  To: netfilter

Hi all,

Apologies if this post is more a kernel/syslog post, but from what I’ve read
part of it is netfilter.

I have a linux box that has an iptables rule -A INPUT -j LOG --log-prefix
"FIREWALL:INPUT"

Which is basically my last rule, so if my other rules haven’t been matched it
will log it into the syslog

My syslog config looks like this

auth,authpriv.* -/var/log/auth.log
*.*;auth,authpriv.none -/var/log/sys.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
*.emerg *

So kernel warnings go to kern.log, mail alerts go to mail.log, etc., thus
keeping the actual syslog clean of anything other than core stuff. However
my syslog is getting flooded with firewall data. I’ve read in the FAQ that
explains how the priority of the logging feature is used with syslog,
however I was wondering if there was anyway I could configure
netfilter/syslog to something like this

kern.* -/var/log/kern.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
netfilter.* /var/log/firewall.log

so that once again the syslog logs only “core” data and all the general
netfilter jazz goes to the firewall.log, so that should I need to I can
study it, yet keeping the syslog clear.

Thanks,

Matt




* Re: syslogging firewall data to an external file
From: Georgi Alexandrov @ 2005-03-20 21:40 UTC (permalink / raw)
  To: netfilter

matt wrote:

>Hi all,
>
>Apologies if this post is more a kernel/syslog post, but from what I’ve read
>part of it is netfilter.
>
>I have a linux box that has an iptables rule -A INPUT -j LOG --log-prefix
>"FIREWALL:INPUT"
>
>Which is basically my last rule, so if my other rules haven’t been matched it
>will log it into the syslog
>
>My syslog config looks like this
>
>auth,authpriv.* -/var/log/auth.log
>*.*;auth,authpriv.none -/var/log/sys.log
>daemon.* -/var/log/daemon.log
>kern.* -/var/log/kern.log
>mail.* -/var/log/mail.log
>user.* -/var/log/user.log
>*.emerg *
>
>So kernel warnings go to kern.log, mail alerts go to mail.log, etc., thus
>keeping the actual syslog clean of anything other than core stuff. However
>my syslog is getting flooded with firewall data. I’ve read in the FAQ that
>explains how the priority of the logging feature is used with syslog,
>however I was wondering if there was anyway I could configure
>netfilter/syslog to something like this
>
>kern.* -/var/log/kern.log
>mail.* -/var/log/mail.log
>user.* -/var/log/user.log
>netfilter.* /var/log/firewall.log
>
>so that once again the syslog logs only “core” data and all the general
>netfilter jazz goes to the firewall.log, so that should I need to I can
>study it, yet keeping the syslog clear.
>
>Thanks,
>
>Matt
Hello,

Use the ULOG (userspace logging) target and the ulogd daemon. That way 
you may specify logging to a particular file (supports sql logging too).
More at: http://iptables-tutorial.frozentux.net/iptables-tutorial.html

regards,
Georgi Alexandrov



* Re: syslogging firewall data to an external file
From: Jason Opperisano @ 2005-03-22 11:27 UTC (permalink / raw)
  To: netfilter

On Sun, 2005-03-20 at 16:40, Georgi Alexandrov wrote:
> Use the ULOG (userspace logging) target and the ulogd daemon. That way 
> you may specify logging to a particular file (supports sql logging too).
> More at: http://iptables-tutorial.frozentux.net/iptables-tutorial.html

in addition to the ULOG target/ulogd solution (which is the easier way
to go), you could also use syslog-ng as your syslog daemon and use its
filtering capabilities to say, dump all log entries with the string
"FIREWALL" into /var/log/firewall.

-j

--
"Asleep at the switch?  I wasn't asleep, I was drunk!"
	--The Simpsons
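A note on both of the approaches above, added by the editor and not part of either reply. The LOG target writes through the kernel's printk path, so its messages always arrive at syslog with the kern facility; there is no "netfilter" facility to select on in syslog.conf. What the LOG rule does control is the priority, via --log-level: with `--log-level debug` on the rule, classic syslogd can route `kern.=debug -/var/log/firewall.log` and keep the rest with `kern.*;kern.!=debug -/var/log/kern.log`. Alternatively, syslog-ng matches on the message text (`filter f_fw { match("FIREWALL"); };`), and ULOG/ulogd bypasses syslog altogether. One caveat either way: LOG prints the prefix immediately followed by `IN=`, so a prefix written without a trailing space, as in the rule quoted in this thread, produces lines like `FIREWALL:INPUTIN=eth0 ...`.

The script below is an added example (not code from this thread, ulogd or syslog-ng) that does the string-match split Jason describes, in Python over constructed kern.log lines embedded in the block, and parses the `KEY=value` fields so the resulting firewall log can actually be studied rather than just stored. The sample lines, hostname `gw` and addresses are all constructed; the parser tolerates both the glued and the properly spaced prefix.

```python
import re
from collections import Counter

# Constructed sample kern.log lines in the format the iptables LOG target
# emits (addresses are from documentation ranges, not real hosts). The first
# firewall line shows what a --log-prefix without a trailing space produces:
# the prefix runs straight into the "IN=" field.
SAMPLE_KERN_LOG = """\
Mar 20 21:01:02 gw kernel: FIREWALL:INPUTIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1234 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 20 21:01:03 gw kernel: eth0: link up, 100 Mbps full duplex
Mar 20 21:01:05 gw kernel: FIREWALL:INPUT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=1235 PROTO=TCP SPT=40124 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 20 21:01:09 gw kernel: FIREWALL:INPUT IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=9 PROTO=UDP SPT=1026 DPT=137 LEN=58
Mar 20 21:01:11 gw kernel: usb 1-1: new full speed USB device using uhci_hcd
"""

FIREWALL_PREFIX = "FIREWALL:"          # the --log-prefix chosen in the thread

# "Mon DD HH:MM:SS host kernel: message" as written by classic syslogd
KERNEL_LINE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$"
)
FIELD = re.compile(r"([A-Z]+)=(\S*)")   # KEY=value tokens; OUT= may be empty


def parse_log_line(line):
    """Return a dict for a FIREWALL: line, or None for any other kernel message."""
    m = KERNEL_LINE.match(line)
    if not m or not m.group("msg").startswith(FIREWALL_PREFIX):
        return None
    msg = m.group("msg")
    # The LOG target prints the prefix immediately followed by "IN=", so a
    # prefix lacking a trailing space is glued to the first field. Splitting
    # at the first "IN=" recovers the prefix either way.
    cut = msg.find("IN=")
    if cut < 0:
        return None
    record = {"stamp": m.group("stamp"), "host": m.group("host"),
              "prefix": msg[:cut].strip()}
    packet = msg[cut:]
    for key, value in FIELD.findall(packet):
        # UDP entries carry LEN= twice (IP total length, then UDP length);
        # keeping the first occurrence preserves the IP-header value.
        record.setdefault(key, value)
    # Bare tokens such as DF, SYN, ACK are flags printed without a value.
    record["FLAGS"] = [tok for tok in packet.split() if "=" not in tok]
    return record


def route_kern_log(lines):
    """Split kernel log lines the way a syslog-ng match("FIREWALL") filter
    would: firewall records go one way, everything else stays in kern.log."""
    firewall, other = [], []
    for line in lines:
        if not line.strip():
            continue
        record = parse_log_line(line)
        if record is None:
            other.append(line)
        else:
            firewall.append(record)
    return firewall, other


def summarize(records):
    """Count logged packets per (SRC, PROTO, DPT) so the firewall log can be
    studied without reading every line."""
    return Counter((r.get("SRC"), r.get("PROTO"), r.get("DPT")) for r in records)


def format_firewall_line(record):
    """One compact line per packet for /var/log/firewall.log."""
    return "%s %s %s %s %s/%s -> %s/%s %s" % (
        record["stamp"], record["host"], record["prefix"],
        record.get("PROTO", "?"), record.get("SRC", "?"), record.get("SPT", "-"),
        record.get("DST", "?"), record.get("DPT", "-"), " ".join(record["FLAGS"]))


if __name__ == "__main__":
    firewall, other = route_kern_log(SAMPLE_KERN_LOG.splitlines())
    for rec in firewall:
        print(format_firewall_line(rec))
    for (src, proto, dpt), n in summarize(firewall).most_common():
        print("%4d  %s %s/%s" % (n, src, proto, dpt))
```

Feeding real `kern.log` lines into `route_kern_log` (for example `route_kern_log(open("/var/log/kern.log"))`) gives the same split: the `other` list is what a cleaned kern.log would contain, and `summarize` over the firewall records is the first thing worth looking at when studying what the catch-all rule is seeing.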



