new to rsyslog, separate logging to files


new to rsyslog, separate logging to files

Postby mubhcaeb78 » Fri Feb 20, 2009 7:48 pm

Hi,
Trying to get iptables, and soon named, logs to not show up in messages, but rather in their own log files (on F10).
I set iptables logging to:
Code:
-A RH-Firewall-1-INPUT -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables denied: " --log-level 6

Then I tried numerous syntaxes to get it to log to /var/log/iptables.
Here are the current rsyslog.conf rules with mine in there.

Code:
#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
:msg,!contains,"iptables" *.info;mail.none;authpriv.none;cron.none              /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# iptables la~
:msg,contains,"iptables"  *.*                              /var/log/iptables


And here is an example of the iptables output in the messages log file.
Code:
Feb 20 12:04:51 fedora kernel: iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:9f:68:af:08:00 RC=172.20.0.15 DST=172.20.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=21864 PROTO=UDP SPT=137 DPT=137 LEN=58


Any examples on how to get the filtering to work that way?
mubhcaeb78
New
 
Posts: 3
Joined: Fri Feb 20, 2009 7:36 pm


Re: new to rsyslog, separate logging to files

Postby trefalgar » Tue Feb 24, 2009 6:23 pm

Different way to approach the problem - filter out the data so it never gets that far.

Code:
:msg,contains,"iptables"  *.*                              /var/log/iptables
& ~
*.info;mail.none;authpriv.none;cron.none              /var/log/messages


In my eyes, it's "cleaner" since the data won't have to be processed further once it's been removed.
trefalgar
Advanced
 
Posts: 42
Joined: Mon Sep 15, 2008 10:42 pm

Re: new to rsyslog, separate logging to files

Postby mubhcaeb78 » Tue Feb 24, 2009 8:33 pm

Hi trefalgar, thanks for the reply.
It throws an error =\
Code:
Feb 24 13:22:11 fedora rsyslogd-3000: invalid character in selector line - ';template' expected [try http://www.rsyslog.com/e/3000 ]
Feb 24 13:22:11 fedora rsyslogd: the last error occured in /etc/rsyslog.conf, line 40


Here is the modified area; line 40 is the :msg line.
Code:
# Get iptables logged, then
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
:msg,contains,"iptables" *.*                            /var/log/iptables
& ~
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
mubhcaeb78
New
 
Posts: 3
Joined: Fri Feb 20, 2009 7:36 pm

Re: new to rsyslog, separate logging to files

Postby vmix » Wed Feb 25, 2009 2:27 am

This is because you have too many arguments specified. Try removing the "*.*" to give you the following:
Code:
# Get iptables logged, then
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
:msg,contains,"iptables"                            /var/log/iptables
& ~
*.info;mail.none;authpriv.none;cron.none                /var/log/messages


Personally, I use the following on my central server to discard messages:
Code:
# Discard any messages containing the below iptables-related output
if $syslogtag == 'kernel:' and $msg startswith ' IN=eth' then ~


This way, any "sudo /etc/init.d/iptables" or "sudo /sbin/iptables" action is still logged in the secure log.

Dan
vmix
Advanced
 
Posts: 35
Joined: Tue May 06, 2008 5:48 pm
Location: San Diego, CA
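To make the two rule orders in this thread concrete, here is an added Python model of how rsyslog walks a legacy ruleset: rules apply top to bottom, `& ~` discards the selected message so later rules never see it. This is illustration code written for this page, not rsyslog itself and not any poster's code; the facility names, file paths and rules follow the thread, while the sample log lines are constructed and severity is ignored.

```python
from collections import namedtuple

DISCARD = object()  # stands for rsyslog's '~' discard action
Message = namedtuple("Message", "facility syslogtag msg")

def parse(facility, line):
    """Split a raw line into rsyslog's $syslogtag and $msg properties. rsyslog keeps
    the space after the tag inside $msg, hence the thread's ' IN=eth' with a leading space."""
    tag, colon, rest = line.partition(":")
    return Message(facility, tag + colon, rest)

# Constructed sample input (not from the thread): kernel lines with and without
# the --log-prefix, plus two authpriv lines. Severity is ignored in this model.
SAMPLES = {
    "prefixed": parse("kern", "kernel: iptables denied: IN=eth0 OUT= SRC=172.20.0.15 DST=172.20.0.255 PROTO=UDP SPT=137 DPT=137"),
    "bare": parse("kern", "kernel: IN=eth1 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=51000 DPT=22"),
    "sudo": parse("authpriv", "sudo:     admin : TTY=pts/0 ; PWD=/root ; COMMAND=/sbin/iptables -L"),
    "sshd": parse("authpriv", "sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 51000 ssh2"),
}

# The thread's final rule order: select into /var/log/iptables, then '& ~' discards.
THREAD_RULES = [
    (lambda m: "iptables" in m.msg, "/var/log/iptables"),   # :msg,contains,"iptables"
    (lambda m: "iptables" in m.msg, DISCARD),               # & ~
    (lambda m: m.facility not in ("mail", "authpriv", "cron"), "/var/log/messages"),
    (lambda m: m.facility == "authpriv", "/var/log/secure"),
]

# vmix's alternative: discard only unprefixed kernel firewall lines up front.
VMIX_RULES = [
    (lambda m: m.syslogtag == "kernel:" and m.msg.startswith(" IN=eth"), DISCARD),
    (lambda m: m.facility not in ("mail", "authpriv", "cron"), "/var/log/messages"),
    (lambda m: m.facility == "authpriv", "/var/log/secure"),
]

def route(m, rules):
    """Files a message reaches: rules apply in order and processing stops at the
    first discard, the way rsyslog walks a legacy ruleset."""
    targets = []
    for matches, target in rules:
        if matches(m):
            if target is DISCARD:
                break
            targets.append(target)
    return targets

if __name__ == "__main__":
    for name, m in SAMPLES.items():
        print(f"{name:9} thread={route(m, THREAD_RULES)}  vmix={route(m, VMIX_RULES)}")
```

Running it shows the trade-off vmix describes: under the `contains,"iptables"` rule, the sudo line that merely mentions /sbin/iptables is pulled into /var/log/iptables and discarded before the authpriv rule can write it to /var/log/secure, while vmix's `startswith ' IN=eth'` rule leaves it alone but does not match kernel lines that carry a `--log-prefix`.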

Re: new to rsyslog, separate logging to files

Postby mubhcaeb78 » Wed Feb 25, 2009 4:46 pm

thanks, worked perfectly.
mubhcaeb78
New
 
Posts: 3
Joined: Fri Feb 20, 2009 7:36 pm
