Gentoo Forums
[SOLVED] syslog-ng filters and iptables.
cibonato
Apprentice
Joined: 25 Apr 2006
Posts: 200
Location: Macross City

PostPosted: Sat Apr 16, 2011 2:53 am    Post subject: [SOLVED] syslog-ng filters and iptables.

Well, I'm trying to log iptables messages to a separate file.

I set syslog-ng this way:

Code:

options {
        chain_hostnames(no);

        # The default action of syslog-ng is to log a STATS line
        # to the file every 10 minutes.  That's pretty ugly after a while.
        # Change it to every 12 hours so you get a nice daily update of
        # how many messages syslog-ng missed (0).
        stats_freq(43200);
};

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};

destination messages { file("/var/log/messages"); };
destination iptables { file("/var/log/iptables.log"); };
destination console_all { file("/dev/tty12"); };

filter f_iptables { match("^IPTABLES" value("MESSAGE")); };
filter f_messages { not filter(f_iptables); };

log { source(src); filter(f_iptables); destination(iptables); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); destination(console_all); };


On the other hand, the prefixes iptables is set to use are "SSH IN: ", "IPTABLES BLOCK: ", "IPTABLES INVALID (ppp0): " and "IPTABLES INVALID (eth1): ". Right now, what I want to do is to put all the messages beginning with IPTABLES in a new file.

Using the filters I pasted above, it is not working. The file /var/log/iptables.log is not even created and /var/log/messages receives all IPTABLES messages.

Suggestions?

Greetings.
_________________
64 Bits, good good!


erik258
Advocate
Joined: 12 Apr 2005
Posts: 2650
Location: Twin Cities, Minnesota, USA

PostPosted: Sun Apr 17, 2011 3:58 pm    Post subject:

What you have seems more or less right, but there must be some small flaw.

Since it's failing both to spawn a separate logfile and to filter these messages from the main logfile, it seems logical to assume that the filter you've written is failing to match anything. Looking into it, you're using the "match( regexp value($MACRO) )" syntax described in the syslog-ng manpage (see below). The only $MACRO values I can find in the manpage are MSG and MSGHDR. I don't see a mention of the macro you're supplying, MESSAGES. But looking a little farther into it, I find that a match on the MSG section of log messages is the equivalent of the message(regexp) filter. So I think there are two possible reasons this isn't working for you: 1) that the MESSAGES macro is indeed incorrect as I've suggested here, and that you should use MSG instead, or better yet, the message filter:
Code:
filter f_iptables { message("^IPTABLES"); };

Or 2) that IPTABLES is actually in the message header. In which case you'd probably want to simplify that filter line down to something like:
Code:
filter f_iptables { match("^IPTABLES"); };


I learned all this from the man pages on syslog-ng.conf. Try `man syslog-ng.conf` and `man syslog-ng` to dig deeper for yourself. The manpages are invaluable resources, and many common system daemons like syslog-ng also provide manpages for their configuration files, which are incredibly helpful in circumstances such as this.

If you have further problems, I recommend looking at the syslog-ng man page (man syslog-ng) to discover how to use the -d option to run syslog-ng in debugging mode. That might help you get an error from syslog that can point you in the right direction. Finally, this appears to be the definitive syslog-ng 3.0 admin guide, as referenced by the syslog-ng.conf man page (man syslog-ng.conf):

http://www.balabit.com/support/documentation/documents/syslog-ng-v3.0-guide-admin-en.html/bk01-toc.html

Let the forums know if it helps!
_________________
Configuring a Firewall? Try my iptables configuration
LinuxCommando.com is my blog for linux-related scraps and tidbits. Stop by for a visit!
Anon-E-moose
Advocate
Joined: 23 May 2008
Posts: 4887
Location: Dallas area

PostPosted: Sun Apr 17, 2011 4:12 pm    Post subject:

For me (the relevant lines from my syslog-ng conf):

destination iptables { file("/var/log/firewall" perm(0640)); };

filter f_iptables { match("IPTABLES:"); };

filter f_messages { level(info..warn) and not filter (f_iptables) and not filter (f_sudo) and not filter (f_snort) and not facility(cron, mail, auth, authpriv); };

log { source(src); filter(f_iptables); destination(iptables); };
_________________
PRIME x570-pro, 3700x, RX 550 - 5.8 zen kernel
Acer E5-575 (laptop), i3-7100u - i965 - 5.5 zen kernel
---both---
gcc 9.3.0, profile 17.1 (no-pie & modified) amd64-no-multilib, eudev, openrc, openbox, palemoon
cibonato
Apprentice
Joined: 25 Apr 2006
Posts: 200
Location: Macross City

PostPosted: Sun Apr 24, 2011 5:11 pm    Post subject:

Dear erik258, thank you very much for writing these words, but none of your suggestions solved the problem (by the way, I tried them before posting to the forum). Please believe me, I also checked the manpages and the syslog-ng Admin Guide.

For example, if you check section 3.6 of this guide you'll see they suggest using the MESSAGE macro instead of the MSG macro:

Code:
filter demo_filter { host("example") and match("deny" value("MESSAGE")); };


You're correct that there's no MESSAGE macro in the syslog-ng.conf manpage, but using MESSAGE or MSG does not change the results. I mean, I don't get iptables messages in a different file. In both cases syslog-ng does not complain about syntax problems, so it does not seem wrong to suppose both syntaxes are correct.

On the other hand, if I use this filter:

Code:
filter f_iptables { message("^IPTABLES"); };


I still don't get what I want, and using that one:

Code:
filter f_iptables { match("^IPTABLES"); };


makes the system give a warning regarding deprecated options:

Code:
WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;


Here is a typical message iptables is logging to /var/log/messages; it makes me suppose that trying to match the "^IPTABLES" regex is correct.

Code:
Apr 24 14:23:46 localhost kernel: [81644.840270] IPTABLES BLOCK: IN=ppp0 OUT= MAC= SRC=aaa.bbb.ccc.ddd DST=xxx.yyy.zzz.ttt LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=12886 DF PROTO=TCP SPT=3615 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0


So let's keep trying to solve this issue. Thank you again very much for your time; once I get this solved I'll update this post.

Greetings.
_________________
64 Bits, good good!
cibonato
Apprentice
Joined: 25 Apr 2006
Posts: 200
Location: Macross City

PostPosted: Sun Apr 24, 2011 5:23 pm    Post subject:

It's solved... the suggestion Anon-E-moose gave did the trick. It seems it is mandatory to set the filter based upon the log level. I made some changes to what was posted in this thread and this is what I have now:

Code:
options {
        chain_hostnames(no);
        stats_freq(43200);
};

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};

destination messages { file("/var/log/messages"); };
destination iptables { file("/var/log/iptables.log"); };
destination console_all { file("/dev/tty12"); };

filter f_iptables { match("IPTABLES" value("MESSAGE")); };
filter f_messages { (level(info..warn) and not filter (f_iptables)); };

log { source(src); filter(f_iptables); destination(iptables); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); destination(console_all); };


Everything is working as expected and I'm pretty happy! Thank you very much, all of you guys.
_________________
64 Bits, good good!
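As an added illustration (not code from the thread or from syslog-ng), the Python script below replays the sample kernel line cibonato posted through the two filter regexes discussed here and then parses the iptables fields for review. It assumes the MESSAGE text that syslog-ng matches against is everything after "kernel: ", including the bracketed printk timestamp shown in the sample line; the log lines and addresses are constructed placeholders.

```python
import re

# Constructed sample lines in the layout cibonato posted; addresses are
# documentation placeholders, not the thread's real values.
IPTABLES_LINE = ("Apr 24 14:23:46 localhost kernel: [81644.840270] IPTABLES BLOCK: IN=ppp0 OUT= MAC= "
                 "SRC=10.0.0.1 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=12886 DF "
                 "PROTO=TCP SPT=3615 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0")
SSHD_LINE = "Apr 24 14:24:01 localhost sshd[1234]: Accepted publickey for alice from 192.0.2.5 port 4242 ssh2"

# Classic BSD-syslog layout: timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
# printk timestamp that precedes the iptables prefix (assumed to be part of MESSAGE).
KERNEL_TS_RE = re.compile(r"^\[\s*\d+\.\d+\] ")

# The two filter regexes from the thread, applied to the MESSAGE part.
FILTERS = {"anchored": re.compile(r"^IPTABLES"), "unanchored": re.compile(r"IPTABLES")}


def split_message(line):
    """Return (program, message) for one syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return (m.group("prog"), m.group("msg")) if m else None


def route(line, pattern):
    """Mimic the thread's log{} paths: matching lines go to 'iptables', the rest to 'messages'."""
    parsed = split_message(line)
    if parsed is None:
        return "messages"
    return "iptables" if pattern.search(parsed[1]) else "messages"


def parse_iptables(msg):
    """Turn 'PREFIX: KEY=VAL ... FLAG ...' into a dict; bare flags such as DF or SYN become True."""
    msg = KERNEL_TS_RE.sub("", msg)
    prefix, _, body = msg.partition(": ")
    rec = {"prefix": prefix}
    for token in body.split():
        key, eq, val = token.partition("=")
        rec[key] = val if eq else True
    return rec


if __name__ == "__main__":
    for name, pat in FILTERS.items():
        print(f"{name:10s} -> {route(IPTABLES_LINE, pat)}")
    print(parse_iptables(split_message(IPTABLES_LINE)[1]))
```

Under that assumption the anchored pattern never matches the kernel line, because the MESSAGE text begins with the bracketed timestamp rather than with IPTABLES, while the unanchored pattern routes it to the iptables destination.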