Gentoo Forums - Networking & Security
iptables log file
chimpsky
Tux's lil' helper
Joined: 22 Nov 2003
Posts: 109
PostPosted: Thu Jan 15, 2004 1:37 am    Post subject: iptables log file

I would like to move the logs from my iptables to a file of my choosing; currently they are all going to /var/log/messages. I am using syslog-ng and I assume I have to edit /etc/syslog-ng/syslog-ng.conf in order to do this; however, I'm pretty new to Linux and Gentoo, and have no idea how to do this. Any suggestions would be very helpful, thanks.
fleed
l33t
Joined: 28 Aug 2002
Posts: 756
Location: London
PostPosted: Thu Jan 15, 2004 12:41 pm

You need to add a filter and a destination for iptables (like this):
Code:
# Destination file for firewall messages (the directory must exist).
destination d_iptables { file("/var/log/iptables/iptables.log"); };
# Match the prefix your iptables LOG rules put on the messages.
filter f_iptables { match("\[DROPPED\]"); };
# Kernel messages that match the filter go to the iptables log.
log { source(src_kern); filter(f_iptables); destination(d_iptables); };

That takes care of putting your iptables stuff in /var/log/iptables/iptables.log.

If you want to avoid seeing those messages in your /var/log/messages file, then you have to add a filter to cut them from the logs and add that filter to your definition of /var/log/messages:
Code:
# Everything except the firewall messages.
filter f_notiptables { not match("\[DROPPED\]"); };
# Keep the existing messages destination, but apply the exclusion filter.
log { source(src); source(src_kern); filter(f_notiptables); destination(messages); };


Edit: Fixed typo above.


Last edited by fleed on Thu Jan 15, 2004 4:11 pm; edited 1 time in total
chimpsky
Tux's lil' helper
Joined: 22 Nov 2003
Posts: 109
PostPosted: Thu Jan 15, 2004 2:21 pm

Thanks.
chimpsky
Tux's lil' helper
Joined: 22 Nov 2003
Posts: 109
PostPosted: Thu Jan 15, 2004 2:51 pm

Actually, I'm now having problems. Whenever I try to run any iptables command I get the error:

modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

When I set up iptables in make menuconfig I didn't set anything up to be a module, if that helps answer this problem, but I don't know how to go about fixing this.
Decibels
Veteran
Joined: 16 Aug 2002
Posts: 1623
Location: U.S.A.
PostPosted: Thu Jan 15, 2004 3:23 pm

Yeah, in menuconfig you will see 'IP tables support (required for filtering/Masq/NAT)' in 'Networking options/IP: Netfilter Configuration'.
You can compile it as a module or into the kernel; I have it in the kernel.
Plus you have the userland iptables, which you have to emerge also:
Code:
*  net-firewall/iptables
      Latest version available: 1.2.8-r1
      Latest version installed: 1.2.8-r1
      Size of downloaded files: 122 kB
      Homepage:    http://www.iptables.org/
      Description: Kernel 2.4 firewall, NAT and packet mangling tools

_________________
"Support bacteria – they're the only culture some people have."

– Steven Wright
chimpsky
Tux's lil' helper
Joined: 22 Nov 2003
Posts: 109
PostPosted: Thu Jan 15, 2004 11:18 pm

Actually, ignore what I said about the modprobe error. My problem is that after adding the lines of code to my syslog-ng.conf that fleed suggested, I get errors during the boot sequence saying that syslog-ng, iptables, and vixie-cron have all failed to start. I don't know why this is; I double-checked all spelling in the code. If I take those lines out of the syslog-ng file everything works fine, however my logs are still getting sent to messages. Any suggestions on how to make this work would be very helpful, thanks.
Decibels
Veteran
Joined: 16 Aug 2002
Posts: 1623
Location: U.S.A.
PostPosted: Thu Jan 15, 2004 11:38 pm

Recopy the:

Code:
log { source(src); source(src_kern); filter(f_notiptables); destination(messages); };


Typo fixed.
Decibels
Veteran
Joined: 16 Aug 2002
Posts: 1623
Location: U.S.A.
PostPosted: Fri Jan 16, 2004 3:04 am

Cool, I started watching this post in hopes of starting to clean up my log files.
I was seeing multiple copies of things in the logs, like kern.log, syslog and messages.
So I made /var/log/iptables/iptables.log and got that going, then started filtering out all the stuff from pings, drops, ... from the ones mentioned above.
Working so far; going to play with it some more. Here is what I have so far that I have changed (create /var/log/iptables/iptables.log):

Code:
## SOURCES
source src {
   unix-stream("/dev/log");
   internal();
   udp();
   tcp(port(5140) keep-alive(yes));
};
# Added this back by itself. In with the others it seems to clog up the logs.
# Was in with src, but used to be on its own like this.
source kern_src { pipe("/proc/kmsg"); };

## DESTINATIONS
# Firewall
#
destination iptables { file("/var/log/iptables/iptables.log"); };

## FILTERS
# (f_syslog, f_daemon, f_kern and the syslog, daemon, kern and messages
#  destinations are defined in the unchanged part of the file.)
filter f_messages { level(info..warn)
   and not facility(auth, authpriv, mail, news, cron, daemon); };
filter f_portsentry { program("portsentry") or match("(PING|INVALID|DROP)"); };
filter f_noportsentry { not program("portsentry"); };
filter f_noiptables { not match("(PING|INVALID|DROP)"); };

## LOG STATEMENTS
log { source(src); filter(f_syslog); filter(f_noportsentry); destination(syslog); };
log { source(src); filter(f_daemon); filter(f_noportsentry); destination(daemon); };
log { source(kern_src); filter(f_kern); filter(f_noiptables); destination(kern); };
log { source(src); filter(f_messages); destination(messages); };
# Added new /var/log/iptables/iptables.log and sending there for portsentry and iptables.
log { source(kern_src); source(src); filter(f_portsentry); destination(iptables); };


* Needed both sources with iptables.log to get kernel messages (pings, drops, ...) and to get the program portsentry.

Some rules to remember when doing the filters and logs:
Code:
## FILTERS
# You can create filters using the filter keyword:
# filter <filtername> { expression; };
# Where expression is a simple boolean expression. You can use "and",
# "or" and "not" to connect builtin functions. Functions can be one of:
# * facility(list of comma separated facility names)
## where 'facility' is a statement optional for syslog; the names are chosen from
## 'auth', 'authpriv', 'cron', 'daemon', 'ftp', 'kern', 'lpr', 'mail', 'mark',
## 'news', 'security' (same as auth), 'syslog', 'user', 'uucp' and 'local0' through 'local7'
#
# * level(list of comma separated priority names OR a range separated by "..")
## debug, info, notice, warn, crit, alert, emerg, err
#
# * program(regexp to match program name)
# * host(regexp to match host name)
# * match(regexp to match message text)


Code:
## LOG STATEMENTS
# You can connect sources and destinations using the log statement:
# log { source S1; source S2; ... filter F1; filter F2; ... destination D1; destination D2; ... };
# Where Sx refers to one of the declared log sources, Fx one of the filters and Dx one of the destinations.
# Filters are ANDed together.


The last line is the thing to remember: try to do your boolean logic in the filters. It makes things much easier, because you get AND, OR and NOT in the filters, whereas you only get AND in the logs.


Last edited by Decibels on Fri Jan 16, 2004 4:39 am; edited 1 time in total
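How fleed's two log statements route messages, shown as an added example that is not from the thread or from syslog-ng itself: a small Python model of syslog-ng's filter evaluation (filters within one log statement ANDed, match() as a regex over the message text), run over constructed sample lines. The source names and the "[DROPPED]" prefix come from the posts; the sample messages are made up.

```python
import re
from dataclasses import dataclass


@dataclass
class Msg:
    source: str  # syslog-ng source the message arrived on (src or src_kern)
    text: str    # message body, e.g. an iptables LOG line


# Filter builtins used in the thread; each returns a predicate over a Msg.
# match() takes a regex over the message text, exactly as in syslog-ng.
def match(rx):
    return lambda m: re.search(rx, m.text) is not None


def not_(f):
    return lambda m: not f(m)


def log(sources, filters, destination):
    """A log statement: source names, filters (ANDed together), one destination."""
    return (set(sources), list(filters), destination)


def route(messages, statements):
    """Fan messages out to destinations the way syslog-ng evaluates log statements."""
    out = {}
    for m in messages:
        for sources, filters, dest in statements:
            if m.source in sources and all(f(m) for f in filters):
                out.setdefault(dest, []).append(m.text)
    return out


# fleed's two log statements from the thread, expressed with the helpers above.
STATEMENTS = [
    log(["src_kern"], [match(r"\[DROPPED\]")], "/var/log/iptables/iptables.log"),
    log(["src", "src_kern"], [not_(match(r"\[DROPPED\]"))], "/var/log/messages"),
]

# Constructed sample traffic: one firewall drop, one ordinary kernel line, one cron line.
SAMPLE = [
    Msg("src_kern", "[DROPPED] IN=eth0 OUT= SRC=192.0.2.7 DST=192.0.2.1 PROTO=TCP DPT=23"),
    Msg("src_kern", "eth0: link up, 100Mbps, full-duplex"),
    Msg("src", "(root) CMD (run-parts /etc/cron.hourly)"),
]


def demo():
    """Return {destination: [message texts]} for the sample under fleed's config."""
    return route(SAMPLE, STATEMENTS)
```

The drop line lands only in iptables.log and the other two only in messages, which is the separation the thread is after.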