Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
# /etc/syslog.conf
# For info about the format of this file, see "man syslog.conf"
# and /usr/doc/sysklogd/README.linux. Note the '-' prefixing some
# of these entries; this omits syncing the file after every logging.
# In the event of a crash, some log information might be lost, so
# if this is a concern to you then you might want to remove the '-'.
# Be advised this will cause a performance loss if you're using
# programs that do heavy logging.
# Uncomment this to see kernel messages on the console.
#kern.* /dev/console
*192.168.1.1* -/var/log/router
# Log anything 'info' or higher, but lower than 'warn'.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.info;*.!warn;\
authpriv.none;cron.none;mail.none;news.none -/var/log/messages
# Log anything 'warn' or higher.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.warn;\
authpriv.none;cron.none;mail.none;news.none -/var/log/syslog
# Debugging information is logged here.
*.=debug -/var/log/debug
# Private authentication message logging:
authpriv.* -/var/log/secure
# Cron related logs:
cron.* -/var/log/cron
# Mail related logs:
mail.* -/var/log/maillog
# Emergency level messages go to all users:
*.emerg *
# This log is for news and uucp errors:
uucp,news.crit -/var/log/spooler
# Uncomment these if you'd like INN to keep logs on everything.
# You won't need this if you don't run INN (the InterNetNews daemon).
#news.=crit -/var/log/news/news.crit
#news.=err -/var/log/news/news.err
#news.notice -/var/log/news/news.notice
I'm a little confused as to your exact configuration. It sounds like your router is running on 192.168.1.1 and is logging remotely to some other machine? If that is the case, you will need to post your /etc/syslog.conf files for *both* machines.
If however, you are simply trying to log iptables violations to a different file on the same box, you need to remove the line you added and add the following to your /etc/syslog.conf:
Code:
kern.=warn /var/log/router
then restart the syslog daemon:
Code:
/etc/init.d/syslog restart
for the changes to take effect. As long as you don't change anything else in the syslog.conf, all iptables violations will still be logged to /var/log/messages as well as /var/log/router.
My router is a Linksys WRT54G which runs Linux out-of-the-box. I set it to log to my slackware box and started up syslog with -r switch (allows remote logging).
I don't think your line would work because what if my Slackware's kernel sends out a warning? It will be logged in router, and not syslog. I think I need a line that tells syslogd. Here is a crude example in a script type language I just made up in my head...
If kern.warn is_from 192.168.1.1
then { write /var/log/router }
else { write /var/log/syslog }
Any logs from 192.168.1.1 (Linksys router) I would like to send to a separate log called "/var/log/router" and not have logged in syslog. I know that there are other log daemons that could do this better but I don't feel I need to switch because the packaged one can handle this just fine as soon as I figure out how to configure it for it.
I've wasted too much time on this problem. I don't feel like wasting any more on installing and configuring a new syslogd. Router traffic info is just a novelty, it's not that important.
I don't understand why I can't forward lines matching 192.168.1.1 to one file and one file only.
I honestly don't understand what you want except to confirm this is a stalemate... You said
Quote:
"I know that there are other log daemons that could do this better but I don't feel I need to switch (..)
and I said it's not gonna work that way with the default syslogd daemon: you'll need syslog-ng to have extended filtering capabilities or for example prefix your rulenames and use a logreporting tool/script to extract the lines.
At the time syslogd didn't need all that functionality. I could have used filtering myself, but at the time syslog-ng wasn't production system ready, so I just went with extracting the data I need. BTW, you can also see some examples why "more functionality" doesn't necessarily equal "better" or "more secure" if you google for "complexity is the enemy of security".
What you see there is a syslog that is accepting remote logs from another machine for approximately 36 hours. In that amount of time my syslog has increased by 30 times it's original size and it's still going! Furthermore, how am I supposed to see any important information about my systems if all of the data is iptables traffic? What about failed ssh attempts, sudo commands, etc?
I don't need features. What I need is a way for my syslog not to get flooded with iptables traffic
With the limited resources you've got and not wanting to switch sysloggers I can only come up with this: I. limit the amount of logged data from your WRTG by only logging critical errors, maybe even limit messages per second. II. Test if priority n when using "-j LOG --log-level n" survives remote logging. If it does you could assign a priority way below the facility.priority threshold for /var/log/messages, like "debug". If that works only 192.168.1.1.debug should end up in /var/log/router. If that works you should disable your debug logging though. Haven't tested the above, so YMMV(VM).
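The extraction route suggested above (prefix the router's iptables LOG rules, then pull those lines out of the main log with a script) and the per-host split the original poster wanted, as an added example. This is not code from the thread, from sysklogd or from the WRT54G firmware. It assumes two things the thread does not establish: that the receiving syslogd stamps the router's lines with "192.168.1.1" in the host field, and that the router's LOG rules were given --log-prefix "WRT54G: ". The sample log is constructed, not a capture.

```python
# Added example (not from the thread): split a sysklogd-style log file so the
# router's lines go to their own file and everything else stays where it was.
# Assumptions (not established by the thread): the receiving syslogd writes the
# router's address "192.168.1.1" in the host field of remote lines, and the
# router's iptables LOG rules carry --log-prefix "WRT54G: ".
import re
from collections import Counter

ROUTER_HOST = "192.168.1.1"   # assumption: how the router shows up in the host field
ROUTER_PREFIX = "WRT54G: "    # assumption: --log-prefix set on the router's LOG rules

# Classic BSD syslog file line: "Mon DD HH:MM:SS host tag[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:]+): ?"
    r"(?P<msg>.*)$"
)

# iptables LOG output is a run of KEY=VALUE pairs after the optional prefix.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return a dict with ts/host/tag/msg, or None if the line is not syslog-shaped."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_router_record(rec):
    """True when the line came from the router, by host field or by LOG prefix.
    The host field is only what the receiving syslogd attached to a UDP datagram;
    UDP sources are not authenticated, so use this for routing, not as proof of
    origin."""
    if rec["host"] == ROUTER_HOST:
        return True
    return rec["tag"] == "kernel" and rec["msg"].startswith(ROUTER_PREFIX)


def split_log(lines):
    """Route lines into (router_lines, other_lines). A line that does not parse
    is kept in other_lines rather than dropped, so nothing disappears silently."""
    router, other = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_router_record(rec):
            router.append(line)
        else:
            other.append(line)
    return router, other


def iptables_fields(msg):
    """Parse the KEY=VALUE pairs of an iptables LOG message into a dict."""
    return dict(KV_RE.findall(msg))


def summarize(router_lines):
    """Count router hits by (SRC, DPT) so the traffic is reviewed as a short
    report instead of as raw log volume."""
    counts = Counter()
    for line in router_lines:
        rec = parse_line(line)
        fields = iptables_fields(rec["msg"])
        if "SRC" in fields:
            counts[(fields["SRC"], fields.get("DPT", "-"))] += 1
    return counts


# Constructed sample input (not a real capture): two router lines, one local
# kernel message that must NOT be misrouted, one sshd failure that must stay
# visible in the main log, and one line that is not syslog-shaped at all.
SAMPLE_LOG = """\
Mar  3 22:10:01 192.168.1.1 kernel: WRT54G: IN=vlan1 OUT= MAC=00:11:22:33:44:55 SRC=203.0.113.9 DST=192.168.1.1 LEN=48 PROTO=TCP SPT=4021 DPT=22 SYN
Mar  3 22:10:02 slack kernel: eth0: link is not ready
Mar  3 22:10:03 slack sshd[1234]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 22:10:04 192.168.1.1 kernel: WRT54G: IN=vlan1 OUT= SRC=203.0.113.9 DST=192.168.1.1 LEN=48 PROTO=TCP SPT=4022 DPT=23 SYN
this line is not syslog shaped
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    router, other = split_log(lines)
    print("router lines:", len(router), " other lines:", len(other))
    for (src_ip, dport), n in sorted(summarize(router).items()):
        print(f"{src_ip:>15} -> dport {dport:<5} {n}")
```

Run it against /var/log/messages from cron (or feed it the file on stdin-style via the argument) to produce the router report and a copy of the main log without the iptables noise; the two lists can be written to /var/log/router and a trimmed messages file. Lines that fail to parse are deliberately kept, since a log splitter that drops what it does not understand hides exactly the odd lines an incident reviewer wants. syslog-ng does the same host-based split at ingest time with its host() filter, which is the "extended filtering" referred to above.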
What you see there is a syslog that is accepting remote logs from another machine for approximately 36 hours. In that amount of time my syslog has increased by 30 times it's original size and it's still going!
I use Monit to check logsize and trigger a logrotate when size > 1GB :-]
Furthermore, how am I supposed to see any important information about my systems if all of the data is iptables traffic? What about failed ssh attempts, sudo commands, etc?
For SSH and the like you could apply host/login restrictions and install a blocking tool so you have to worry less about that. Sudo errors can be emailed to root. If you like consolidated reports you could use a logreporting tool. There's even some that check continuously and can perform actions when they encounter an anomaly.