#1  07-14-2011, 08:16 AM  Pacifiste95 (LQ Newbie, registered Jul 2011)
Syslog-ng and iptables


Hello,

I have a problem with a syslog-ng filter and iptables.

So, this is an example of my iptables log:

Code:
Jul 13 08:27:01 davis kernel: [2447090.462486] iptables RULE -16 -- ACCEPT IN= OUT=eth4 SRC=10.100.40.2 DST=224.0.0.18 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=25462 PROTO=112 
Jul 13 08:27:01 davis kernel: [2447090.462773] iptables RULE -16 -- ACCEPT IN= OUT=eth1 SRC=10.100.10.2 DST=224.0.0.18 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=25462 PROTO=112 
Jul 13 08:27:01 davis CRON[24335]: (root) CMD (cp /var/log/iptables.log /opt/log/iptables/davis/iptables.log       # exports log iptable every min)
Jul 13 08:27:02 davis kernel: [2447091.460677] iptables RULE -16 -- ACCEPT IN= OUT=eth3 SRC=10.100.30.2 DST=224.0.0.18 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=25462 PROTO=112 
Jul 13 08:27:02 davis kernel: [2447091.460866] iptables RULE -16 -- ACCEPT IN= OUT=eth2 SRC=10.100.20.2 DST=224.0.0.18 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=25462 PROTO=112
And this is my configuration in the syslog-ng.conf file:

Code:
destination iptables_fw {
        # one file per day under /var/log/archive/YYYY-MM-DD/
        file("/var/log/archive/$R_YEAR-$R_MONTH-$R_DAY/firewall"
             template("$HOUR:$MIN:$SEC $HOST <$FACILITY.$PRIORITY> $MSG\n")
             template_escape(no)
        );
};

# keep any message whose text contains "RULE" or "iptables"
filter f_iptables { match("RULE") or match("iptables"); };

log {
        source(local);
        filter(f_iptables);
        destination(iptables_fw);
};
I get a "firewall" file, but in this file I only get these lines:

Code:
14:50:01 davis <cron.info> CRON[28985]: (root) CMD (cp /var/log/iptables.log /opt/log/iptables/davis/iptables.log       # exports log iptable every min)
14:51:01 davis <cron.info> CRON[29018]: (root) CMD (cp /var/log/iptables.log /opt/log/iptables/davis/iptables.log       # exports log iptable every min)
14:52:01 davis <cron.info> CRON[29022]: (root) CMD (cp /var/log/iptables.log /opt/log/iptables/davis/iptables.log       # exports log iptable every min)
14:53:01 davis <cron.info> CRON[29026]: (root) CMD (cp /var/log/iptables.log /opt/log/iptables/davis/iptables.log       # exports log iptable every min)
But I don't want this; I want this type of line:

"Jul 13 08:27:01 davis kernel: [2447090.462486] iptables RULE -16 -- ACCEPT IN= OUT=eth4 SRC=10.100.40.2 DST=224.0.0.18 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=25462 PROTO=112"

What is the problem in my syslog-ng configuration?

Thanks
 
#2  07-14-2011, 08:23 AM  acid_kewpie (Moderator, UK; Gentoo, RHEL, Fedora, Centos)
Your source "local" is probably the place to look. What is it? It probably isn't picking up from /proc/kmsg.
 
#3  07-14-2011, 08:45 AM  Pacifiste95 (Original Poster)
I have a log server (IP 172.16.3.140) with this configuration:

Code:
source local {
        internal();                                   # syslog-ng's own messages
        unix-stream("/dev/log");                      # local userland syslog socket
        file("/proc/kmsg" log_prefix("kernel: "));    # this host's own kernel messages
        tcp(ip(0.0.0.0));                             # remote clients over TCP, all interfaces
        udp(ip(0.0.0.0));                             # remote clients over UDP, all interfaces
};

destination iptables_fw {
                        file("/var/log/archive/$R_YEAR-$R_MONTH-$R_DAY/firewall"
                        template("$HOUR:$MIN:$SEC $HOST <$FACILITY.$PRIORITY> $MSG\n")
                        template_escape(no)
                        );
};

filter f_iptables { match("RULE") 
or match("iptables"); }; 

log {
        source(local);
        filter(f_iptables);
        destination(iptables_fw);
};
And this is the configuration of my iptables server:

Code:
source local {
  unix-stream("/dev/log");   # only the local syslog socket; nothing reads /proc/kmsg here
  internal();
};

destination srv_dist {
  tcp("172.16.3.140");       # forward to the log server
};

log {
  source(local);
  destination(srv_dist);
};
Thanks a lot
 
#4  07-14-2011, 09:09 AM  acid_kewpie (Moderator)
Right, so there you go. Looks like I was right.
 
#5  07-14-2011, 09:14 AM  Pacifiste95 (Original Poster)
So, in my iptables syslog-ng conf file I'll have this:

Code:
source local {
  file("/proc/kmsg");
  internal();
};
Is this correct or not?

Thanks
 
#6  07-14-2011, 09:18 AM  acid_kewpie (Moderator)
Well, I'd wonder why the client side is so basic; does it not deserve a full logging structure in the first place? But yes, like the server side, the kernel messages come from /proc/kmsg. Previously klogd would monitor the kernel stuff and syslogd would deal with the userland, but they are combined on most modern syslog services.
 
#7  07-14-2011, 03:07 PM  Pacifiste95 (Original Poster)
Thanks

It's okay now; I can view my iptables log on my log server.

This is my client side configuration:

Code:
# both words must appear in the message text
filter f_iptables { match("RULE") and match("iptables"); };

source local {
  file("/proc/kmsg");    # kernel ring buffer: where the iptables LOG lines come from
  internal();            # syslog-ng's own messages
};

destination srv_dist {
  tcp("172.16.3.140");   # forward to the log server
};

log {
  source(local);
  filter(f_iptables);
  destination(srv_dist);
};
And this is my log server side configuration:

Code:
source local {
        unix-stream("/dev/log");                      # local userland syslog socket
        file("/proc/kmsg" log_prefix("kernel: "));    # this host's own kernel messages
        tcp(ip(0.0.0.0));                             # remote clients over TCP, all interfaces
        udp(ip(0.0.0.0));                             # remote clients over UDP, all interfaces
};

destination iptables_fw {
        # one file per day under /var/log/archive/YYYY-MM-DD/
        file("/var/log/archive/$R_YEAR-$R_MONTH-$R_DAY/firewall"
             template("$HOUR:$MIN:$SEC $HOST <$FACILITY.$PRIORITY> $MSG\n")
             template_escape(no)
        );
};

# no filter here: every message from every source above is written to the firewall file
log {
        source(local);
        destination(iptables_fw);
};
Thanks a lot
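A small stand-alone model of the pipeline this thread is about (source, match() filter, destination template), added here as an example; it is not code from any of the posts or from syslog-ng itself. It feeds constructed records shaped like the lines quoted above through the `or` filter from post #1 and the `and` filter from post #7, and reproduces the original symptom: a client that only reads /dev/log never delivers the kernel lines, so the only line the `or` filter catches is the cron job, because its command line contains the word "iptables". The raw /proc/kmsg record format (`<PRI>` number, no hostname, no `kernel:` tag), the PRI values 4 (kern.warning) and 78 (cron.info), the host name `davis` and the receipt time are assumptions.

```python
"""Toy model of the syslog-ng path discussed in this thread:
source (/proc/kmsg or /dev/log) -> filter (match()) -> destination template.
Added example, not code from the posts or from syslog-ng. Sample records are
constructed to mirror the lines quoted in the thread; PRI values are assumed."""
import re

# Facility / severity names for the <PRI> number (PRI = facility*8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"<(\d{1,3})>(.*)", re.S)

# Constructed: what the kernel writes to /proc/kmsg for an iptables LOG hit
# (assumed kern.warning = PRI 4; no hostname, no "kernel:" tag yet).
KMSG_RECORDS = [
    "<4>[2447090.462486] iptables RULE -16 -- ACCEPT IN= OUT=eth4 SRC=10.100.40.2 "
    "DST=224.0.0.18 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=25462 PROTO=112",
    "<4>[2447090.462773] iptables RULE -16 -- ACCEPT IN= OUT=eth1 SRC=10.100.10.2 "
    "DST=224.0.0.18 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=25462 PROTO=112",
]
# Constructed: the cron job from the thread as it arrives on /dev/log (cron.info = PRI 78).
DEVLOG_RECORDS = [
    "<78>CRON[24335]: (root) CMD (cp /var/log/iptables.log "
    "/opt/log/iptables/davis/iptables.log       # exports log iptable every min)",
]


def split_pri(record):
    """Return (facility, severity, text) from a '<PRI>text' record."""
    m = PRI_RE.fullmatch(record)
    if not m:
        raise ValueError("record has no <PRI> header: %r" % record)
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], m.group(2)


def source_kmsg(record, host, log_prefix="kernel: "):
    """Model file("/proc/kmsg" log_prefix("kernel: ")): tag the text as klogd used to."""
    facility, severity, text = split_pri(record)
    return {"host": host, "facility": facility, "priority": severity, "msg": log_prefix + text}


def source_devlog(record, host):
    """Model unix-stream("/dev/log"): userland records already carry their program tag."""
    facility, severity, text = split_pri(record)
    return {"host": host, "facility": facility, "priority": severity, "msg": text}


# match("X") is a regex search over the message text; these are the thread's two filters.
def f_iptables_or(msg):
    return bool(re.search("RULE", msg) or re.search("iptables", msg))


def f_iptables_and(msg):
    return bool(re.search("RULE", msg) and re.search("iptables", msg))


def render(entry, received):
    """Model template("$HOUR:$MIN:$SEC $HOST <$FACILITY.$PRIORITY> $MSG\\n"); received = (h, m, s)."""
    h, m, s = received
    return "%02d:%02d:%02d %s <%s.%s> %s\n" % (h, m, s, entry["host"], entry["facility"],
                                               entry["priority"], entry["msg"])


def iptables_fields(msg):
    """Parse the KEY=VALUE tail of an iptables LOG line; an empty 'IN=' yields ''."""
    return dict(re.findall(r"(\w+)=(\S*)", msg))


def run_pipeline(kmsg_records, devlog_records, host, filt, received=(14, 50, 1)):
    """Everything a 'log { source(local); filter(f); destination(d); }' block would write."""
    entries = [source_kmsg(r, host) for r in kmsg_records]
    entries += [source_devlog(r, host) for r in devlog_records]
    return [render(e, received) for e in entries if filt(e["msg"])]


if __name__ == "__main__":
    # Client with only /dev/log and the "or" filter: the cron line is all that matches.
    for line in run_pipeline([], DEVLOG_RECORDS, "davis", f_iptables_or):
        print(line, end="")
    # Client reading /proc/kmsg with the "and" filter: only the real firewall hits.
    for line in run_pipeline(KMSG_RECORDS, DEVLOG_RECORDS, "davis", f_iptables_and):
        print(line, end="")
        print("  ->", iptables_fields(line))
```

Run it as-is and the first loop prints exactly the `<cron.info>` line the original poster complained about; the second prints only the two `<kern.warning> kernel: ...` lines and the parsed IN/OUT/SRC/DST fields, which is what a detection rule downstream would actually key on.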
 
#8  07-14-2011, 04:07 PM  acid_kewpie (Moderator)
I'm not sure you really get what your config files are saying at all. On the server you are sending ALL TCP, UDP, local AND kernel messages into a file called "firewall"??? Why would you ever want to do that? Have you really deleted everything else that was in the config files?
 
  

