Linux Netfilter discussions
* netfilter logging
@ 2005-06-08 13:25 Jimmy
  2005-06-08 13:34 ` Vincent Lenouvel
                   ` (3 more replies)
  0 siblings, 4 replies; 6+ messages in thread
From: Jimmy @ 2005-06-08 13:25 UTC (permalink / raw)
  To: netfilter

Hello,

I have just started to log my iptables drops. As seen with this line in my
iptables-save output.

-A INPUT -j LOG --log-level 1
-A INPUT -j LOG --log-prefix "Dropped: "

What I would like to know is how I can get iptables to NOT log to console
only to the message logs. Currently it goes into /var/log/syslog

Here is my syslog configuration. I can't see what's wrong with it.

# /etc/syslog.conf
# For info about the format of this file, see "man syslog.conf"
# and /usr/doc/sysklogd/README.linux.  Note the '-' prefixing some
# of these entries;  this omits syncing the file after every logging.
# In the event of a crash, some log information might be lost, so
# if this is a concern to you then you might want to remove the '-'.
# Be advised this will cause a performation loss if you're using
# programs that do heavy logging.

# Uncomment this to see kernel messages on the console.
#kern.*                                                 /dev/console

# Log anything 'info' or higher, but lower than 'warn'.
# Exclude authpriv, cron, mail, and news.  These are logged elsewhere.
*.info;*.!warn;\
        authpriv.none;cron.none;mail.none;news.none     -/var/log/messages

# Log anything 'warn' or higher.
# Exclude authpriv, cron, mail, and news.  These are logged elsewhere.
*.warn;\
        authpriv.none;cron.none;mail.none;news.none     -/var/log/syslog

# Debugging information is logged here.
*.=debug                                                -/var/log/debug

# Private authentication message logging:
authpriv.*                                              -/var/log/secure

# Cron related logs:
cron.*                                                  -/var/log/cron

# Mail related logs:
mail.*                                                  -/var/log/maillog

# Emergency level messages go to all users:
*.emerg                                                 *

# This log is for news and uucp errors:
uucp,news.crit                                          -/var/log/spooler

# Uncomment these if you'd like INN to keep logs on everything.
# You won't need this if you don't run INN (the InterNetNews daemon).
#news.=crit                                     -/var/log/news/news.crit
#news.=err                                      -/var/log/news/news.err
#news.notice                                    -/var/log/news/news.notice


Any advice would be great.

Thanks


* Re: netfilter logging
  2005-06-08 13:25 netfilter logging Jimmy
@ 2005-06-08 13:34 ` Vincent Lenouvel
  2005-06-08 17:26   ` /dev/rob0
  2005-06-08 15:52 ` Georgi Alexandrov
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 6+ messages in thread
From: Vincent Lenouvel @ 2005-06-08 13:34 UTC (permalink / raw)
  To: netfilter


On Wed, 8 Jun 2005 14:25:33 +0100 (BST)
"Jimmy" <squid@oranged.to> wrote:

> Hello,
> 
> I have just started to log my iptables drops. As seen with this line in my
> iptables-save output.
> 
> -A INPUT -j LOG --log-level 1
> -A INPUT -j LOG --log-prefix "Dropped: "
> 
> What I would like to know is how I can get iptables to NOT log to console
> only to the message logs. Currently it goes into /var/log/syslog
> 

	cf /usr/src/linux/kernel/printk.c

	echo "4 4 1 7">  /proc/sys/kernel/printk

[...]

-- 
Vincent Lenouvel - <vincent@info.unicaen.fr>

Université de Caen, Campus II, Bd Maréchal Juin, BP 5186, 14032 Caen

Empreinte de la clé = D14D EFE9 4F55 AF89 98B0  666B 17E5 C840 4B0D 80E4

wget -O - http://users.info.unicaen.fr/~vincent/signature.asc | gpg --import



* Re: netfilter logging
  2005-06-08 13:25 netfilter logging Jimmy
  2005-06-08 13:34 ` Vincent Lenouvel
@ 2005-06-08 15:52 ` Georgi Alexandrov
  2005-06-08 17:14 ` /dev/rob0
  2005-06-10 18:02 ` Jason Opperisano
  3 siblings, 0 replies; 6+ messages in thread
From: Georgi Alexandrov @ 2005-06-08 15:52 UTC (permalink / raw)
  To: netfilter

Jimmy wrote:

>Hello,
>
>I have just started to log my iptables drops. As seen with this line in my
>iptables-save output.
>
>-A INPUT -j LOG --log-level 1
>-A INPUT -j LOG --log-prefix "Dropped: "
>
>What I would like to know is how I can get iptables to NOT log to console
>only to the message logs. Currently it goes into /var/log/syslog
>
>Here is my syslog configuration. I can't see what's wrong with it.
>
># /etc/syslog.conf
># For info about the format of this file, see "man syslog.conf"
># and /usr/doc/sysklogd/README.linux.  Note the '-' prefixing some
># of these entries;  this omits syncing the file after every logging.
># In the event of a crash, some log information might be lost, so
># if this is a concern to you then you might want to remove the '-'.
># Be advised this will cause a performation loss if you're using
># programs that do heavy logging.
>
># Uncomment this to see kernel messages on the console.
>#kern.*                                                 /dev/console
>
># Log anything 'info' or higher, but lower than 'warn'.
># Exclude authpriv, cron, mail, and news.  These are logged elsewhere.
>*.info;*.!warn;\
>        authpriv.none;cron.none;mail.none;news.none     -/var/log/messages
>
># Log anything 'warn' or higher.
># Exclude authpriv, cron, mail, and news.  These are logged elsewhere.
>*.warn;\
>        authpriv.none;cron.none;mail.none;news.none     -/var/log/syslog
>
># Debugging information is logged here.
>*.=debug                                                -/var/log/debug
>
># Private authentication message logging:
>authpriv.*                                              -/var/log/secure
>
># Cron related logs:
>cron.*                                                  -/var/log/cron
>
># Mail related logs:
>mail.*                                                  -/var/log/maillog
>
># Emergency level messages go to all users:
>*.emerg                                                 *
>
># This log is for news and uucp errors:
>uucp,news.crit                                          -/var/log/spooler
>
># Uncomment these if you'd like INN to keep logs on everything.
># You won't need this if you don't run INN (the InterNetNews daemon).
>#news.=crit                                     -/var/log/news/news.crit
>#news.=err                                      -/var/log/news/news.err
>#news.notice                                    -/var/log/news/news.notice
>
>
>Any advice would be great.
>
>Thanks
>
>  
>
Hello,

Try the ULOG target [1] and the ulogd daemon [2].
That combination will allow you to log to a particular file.

[1] - http://iptables-tutorial.frozentux.net/iptables-tutorial.html
[2] - http://freshmeat.net/projects/ulogd/

regards,
Georgi Alexandrov



* Re: netfilter logging
  2005-06-08 13:25 netfilter logging Jimmy
  2005-06-08 13:34 ` Vincent Lenouvel
  2005-06-08 15:52 ` Georgi Alexandrov
@ 2005-06-08 17:14 ` /dev/rob0
  2005-06-10 18:02 ` Jason Opperisano
  3 siblings, 0 replies; 6+ messages in thread
From: /dev/rob0 @ 2005-06-08 17:14 UTC (permalink / raw)
  To: netfilter

Jimmy wrote:
> I have just started to log my iptables drops. As seen with this line in my
> iptables-save output.

IMO a big mistake. Well, it's not so much a mistake as it is an 
important exercise to show you how much useless logging netfilter can 
produce. My firewalls now generally do very little logging, logging only 
for specific purposes.

> -A INPUT -j LOG --log-level 1
> -A INPUT -j LOG --log-prefix "Dropped: "

Ouch!!

> What I would like to know is how I can get iptables to NOT log to console
> only to the message logs. Currently it goes into /var/log/syslog

First, understand that this is more a syslogd question than a netfilter 
one. Second, understand what --log-level 1 is! Of course that logs to 
console:

> Here is my syslog configuration. I can't see what's wrong with it.

(It's typical. You could have cut out the comments, BTW.)

> # /etc/syslog.conf
> [snip]
> # Emergency level messages go to all users:
> *.emerg                                                 *

  From iptables(8):
--log-level level
     Level of logging (numeric or see syslog.conf(5)).

The pointer is incorrect, at least for my Slackware: numeric levels are 
listed in syslog(2), not in syslog.conf(5). If you meant debug, I think 
that is "--log-level 8" (or just "--log-level debug").

Finally, and this IS your iptables issue: you have two LOG target lines, 
thus the aforementioned "ouch". You're logging first with --log-level 1 
and again with the --log-prefix "Dropped: ".

Delete all those log files. Have fun. :)
-- 
     mail to this address is discarded unless "/dev/rob0"
     or "not-spam" is in Subject: header
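An added example, not code from rob0's reply or from anyone else in the thread: a small POSIX shell script that maps the syslog priority names to the numeric values defined in syslog(2), counts the LOG rules in iptables-save output that carry no match at all (and therefore fire on every packet traversing the chain, which is what produces the "ouch" above), and builds the single merged rule that carries both --log-level and --log-prefix. The iptables-save text embedded in it is a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): syslog level names -> numbers,
# detection of unconditional LOG rules, and a merged LOG rule.

# syslog_level NAME_OR_NUMBER -> prints the numeric priority as in syslog(2)
syslog_level() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        [0-7])        echo "$1" ;;
        *)            echo "unknown level: $1" >&2; return 1 ;;
    esac
}

# count_unconditional_log_rules CHAIN  (reads iptables-save text on stdin)
# Counts "-A CHAIN -j LOG ..." rules that have no match options before the
# target, i.e. rules that log every packet that reaches them.
count_unconditional_log_rules() {
    chain="$1"
    n=0
    while IFS= read -r line; do
        case "$line" in
            "-A $chain -j LOG"|"-A $chain -j LOG "*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# merged_log_rule CHAIN LEVEL PREFIX -> one LOG rule carrying both options
merged_log_rule() {
    lvl=$(syslog_level "$2") || return 1
    printf '%s %s -j LOG --log-level %s --log-prefix "%s"\n' "-A" "$1" "$lvl" "$3"
}

# Constructed sample of iptables-save output (not taken from a real system)
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-level 1
-A INPUT -j LOG --log-prefix "Dropped: "
COMMIT'

if [ "${1:-}" = "--demo" ]; then
    # Expect 2 unconditional LOG rules in INPUT, then the merged replacement
    printf '%s\n' "$SAMPLE_RULES" | count_unconditional_log_rules INPUT
    merged_log_rule INPUT warning "Dropped: "
fi
```

Run it as `sh script.sh --demo`, or pipe a real `iptables-save` into `count_unconditional_log_rules INPUT` to check a live ruleset. A count above zero on a chain with a DROP policy means every packet hitting the end of the chain is being logged at full rate, which is the volume problem rob0 describes.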



* Re: netfilter logging
  2005-06-08 13:34 ` Vincent Lenouvel
@ 2005-06-08 17:26   ` /dev/rob0
  0 siblings, 0 replies; 6+ messages in thread
From: /dev/rob0 @ 2005-06-08 17:26 UTC (permalink / raw)
  To: netfilter

Vincent Lenouvel wrote:
> 	echo "4 4 1 7">  /proc/sys/kernel/printk
> 
> [...]

http://www.linux.it/~rubini/docs/sysctl/sysctl.html

Interesting. But wouldn't that still print emerg messages to console? 
Does it not make more sense to change the --log-level being used?
-- 
     mail to this address is discarded unless "/dev/rob0"
     or "not-spam" is in Subject: header



* Re: netfilter logging
  2005-06-08 13:25 netfilter logging Jimmy
                   ` (2 preceding siblings ...)
  2005-06-08 17:14 ` /dev/rob0
@ 2005-06-10 18:02 ` Jason Opperisano
  3 siblings, 0 replies; 6+ messages in thread
From: Jason Opperisano @ 2005-06-10 18:02 UTC (permalink / raw)
  To: netfilter

On Wed, Jun 08, 2005 at 02:25:33PM +0100, Jimmy wrote:
> Hello,
> 
> I have just started to log my iptables drops. As seen with this line in my
> iptables-save output.
> 
> -A INPUT -j LOG --log-level 1
> -A INPUT -j LOG --log-prefix "Dropped: "
> 
> What I would like to know is how I can get iptables to NOT log to console
> only to the message logs. Currently it goes into /var/log/syslog

change your log level from 1 to something less critical; like say, 4.

and then type this on the console:

  dmesg -n 1

which will only print truly critical messages to the console (level 0
and 1).

-j

--
"Woman: Stewie, you want a cookie?
 Stewie: I smell death on you."
        --Family Guy
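An added example covering both Vincent's `echo "4 4 1 7" > /proc/sys/kernel/printk` and Jason's `dmesg -n 1` (this is not code from the thread; the function names are my own). The first field of /proc/sys/kernel/printk is console_loglevel, and the kernel copies a message to the console only when the message's loglevel is strictly lower than that field. So under "4 4 1 7" a LOG rule at --log-level 1 still reaches the console, which is rob0's objection, and with console_loglevel set to 1 only level 0 (emerg) does. The script models that check offline against constructed printk strings; the minimum_console_loglevel clamp in printk_after_dmesg_n follows the syslog(2) console-level action that `dmesg -n` uses.

```shell
#!/bin/sh
# Added example (not from the thread): interpret /proc/sys/kernel/printk
# and predict whether a kernel message at a given loglevel (for instance a
# netfilter LOG entry) is written to the console.
# Field order: console_loglevel default_message_loglevel
#              minimum_console_loglevel default_console_loglevel
# "dmesg -n N" and "echo N > /proc/sys/kernel/printk" both change the
# first field.

# console_loglevel "PRINTK_STRING" -> prints the first field
console_loglevel() {
    set -- $1
    echo "$1"
}

# reaches_console LEVEL "PRINTK_STRING"
# exit 0 if a message at LEVEL would appear on the console, 1 otherwise
reaches_console() {
    lvl=$1
    con=$(console_loglevel "$2")
    [ "$lvl" -lt "$con" ]
}

# printk_after_dmesg_n N "PRINTK_STRING"
# prints the printk string as it reads after "dmesg -n N": the first field
# is replaced by N, clamped up to minimum_console_loglevel (third field)
printk_after_dmesg_n() {
    n=$1
    set -- $2
    [ "$n" -lt "$3" ] && n=$3
    echo "$n $2 $3 $4"
}

if [ "${1:-}" = "--demo" ]; then
    # Constructed printk strings: a common default, Vincent's value, and
    # the result of "dmesg -n 1"
    for p in "7 4 1 7" "4 4 1 7" "1 4 1 7"; do
        for l in 0 1 4 7; do
            if reaches_console "$l" "$p"; then r=console; else r=syslog-only; fi
            echo "printk='$p' loglevel=$l -> $r"
        done
    done
    printk_after_dmesg_n 1 "7 4 1 7"
fi
```

On a live system, `cat /proc/sys/kernel/printk` gives the string to feed to reaches_console; the syslog daemon still receives every message regardless of console_loglevel, so the console setting changes only what is echoed to the terminal, not what lands in /var/log/syslog. That is why changing the rule's --log-level is the cleaner fix.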


