LinuxQuestions.org
Old 05-30-2009, 03:36 AM   #1
smartyshan
LQ Newbie
 
Registered: Jun 2007
Location: Riyadh,KSA
Distribution: Redhat,Ubuntu,Solaris
Posts: 24

Rep: Reputation: 15
I want to stop these particular messages in /var/log/messages


Dear All,

More than 7 GB were logged to the messages file in the last three weeks.

I got this message in /var/log/messages

I want to stop this messaging because it takes too much space.


SAMPLE:
Quote:
Apr 30 20:25:18 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:17:a4:a7:3d:a2:08:00 SRC=172.26.16.27 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:29:06 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1a:4b:a5:b8:e0:08:00 SRC=172.26.16.56 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:30:18 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:17:a4:a7:3d:a2:08:00 SRC=172.26.16.27 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:32:35 TEST-NODE kernel: IPT: OUTGOING_NOT_EST IN= OUT=eth1 SRC=172.26.12.17 DST=172.26.8.36 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:32:35 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth1 OUT= MAC=00:17:a4:10:46:2b:00:16:ca:85:62:04:08:00 SRC=172.26.8.36 DST=172.26.12.17 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=19082 PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:34:06 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1a:4b:a5:b8:e0:08:00 SRC=172.26.16.56 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:34:11 TEST-NODE kernel: IPT: OUTGOING_NOT_EST IN= OUT=eth1 SRC=172.26.12.17 DST=172.26.8.37 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:34:11 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth1 OUT= MAC=00:17:a4:10:46:2b:00:16:ca:86:12:04:08:00 SRC=172.26.8.37 DST=172.26.12.17 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=17896 PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:35:18 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:17:a4:a7:3d:a2:08:00 SRC=172.26.16.27 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:39:06 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1a:4b:a5:b8:e0:08:00 SRC=172.26.16.56 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:40:18 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:17:a4:a7:3d:a2:08:00 SRC=172.26.16.27 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:44:06 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1a:4b:a5:b8:e0:08:00 SRC=172.26.16.56 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:45:18 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:17:a4:a7:3d:a2:08:00 SRC=172.26.16.27 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:49:06 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1a:4b:a5:b8:e0:08:00 SRC=172.26.16.56 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:49:39 TEST-NODE kernel: IPT: OUTGOING_NOT_EST IN= OUT=eth1 SRC=172.26.12.17 DST=172.26.8.36 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:49:39 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth1 OUT= MAC=00:17:a4:10:46:2b:00:16:ca:85:62:04:08:00 SRC=172.26.8.36 DST=172.26.12.17 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=9615 PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:50:18 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:17:a4:a7:3d:3d:08:00 SRC=172.26.16.27 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:51:18 TEST-NODE kernel: IPT: OUTGOING_NOT_EST IN= OUT=eth1 SRC=172.26.12.17 DST=172.26.8.37 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:51:18 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:00:1d:4b:c5:b8:e0:86:12:04:08:00 SRC=172.26.8.37 DST=172.26.12.17 LEN=76 TOS=0x00 PREC=0x00 TTL=127 ID=4395 PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:54:06 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:00:1d:4b:c5:b8:e0:08:00 SRC=172.26.16.56 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:55:18 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:00:1d:4b:c5:b8:e0:08:00 SRC=172.26.16.27 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:59:06 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:00:1d:4b:c5:b8:e0:08:00 SRC=172.26.16.56 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
 
Old 05-30-2009, 03:54 AM   #2
colucix
Moderator
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,509

Rep: Reputation: 1957
These are messages from the firewall (iptables). You can disable them by editing the iptables rules, but I suggest keeping them in their own log file (e.g. /var/log/firewall) and establishing a custom logrotate rule to cycle them more often. See man syslog.conf and man logrotate for details.
 
Old 05-30-2009, 05:29 AM   #3
smartyshan
LQ Newbie
 
Registered: Jun 2007
Location: Riyadh,KSA
Distribution: Redhat,Ubuntu,Solaris
Posts: 24

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by colucix View Post
These are messages from the firewall (iptables). You can disable them by editing the iptables rules, but I suggest keeping them in their own log file (e.g. /var/log/firewall) and establishing a custom logrotate rule to cycle them more often. See man syslog.conf and man logrotate for details.
Dear colucix, thanks for the hint. Can we find some exceptions with the help of which we can get rid of these messages?
 
Old 05-30-2009, 05:40 AM   #4
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Linux Mint
Posts: 8,516

Rep: Reputation: 896
Quote:
Can we find some exceptions with the help of which we can get rid of these messages?
As told before, disable logging in the firewall itself.
 
Old 05-30-2009, 07:28 AM   #5
smartyshan
LQ Newbie
 
Registered: Jun 2007
Location: Riyadh,KSA
Distribution: Redhat,Ubuntu,Solaris
Posts: 24

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by repo View Post
As told before, disable logging in the firewall itself.
Yes, you are right, but disabling is not an option.

What rule should I make to monitor traffic only from particular IPs and ignore all others?
Because all other IPs' logs are useless for me, but filtering some of the IPs is necessary and we also want their logs.
 
Old 05-30-2009, 08:06 PM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Disabling the firewall's logging is overkill. It looks like it's mainly UDP packets for ports 123 and 10100 that are causing the excessive logging. You could insert some ACCEPT and/or DROP rules matching those packets at the top of the chains. That would put an end to this, and it lets you be very specific as to which packets you don't want to log. For example, if you want to disable logging only for locally generated UDP packets with destination port 123 on them which exit on eth1, you could execute either a:
Code:
iptables -I OUTPUT -p UDP -o eth1 --dport 123 -j ACCEPT
Or a:
Code:
iptables -I OUTPUT -p UDP -o eth1 --dport 123 -j DROP
...depending on whether you want to allow or deny the packet. Either command would prevent the packet from reaching whatever LOG rule it's currently hitting, and you can easily add more matches such as destination IP, for example.

Last edited by win32sux; 05-30-2009 at 08:18 PM.
 
Old 05-31-2009, 02:23 AM   #7
smartyshan
LQ Newbie
 
Registered: Jun 2007
Location: Riyadh,KSA
Distribution: Redhat,Ubuntu,Solaris
Posts: 24

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by win32sux View Post
Disabling the firewall's logging is overkill. It looks like it's mainly UDP packets for ports 123 and 10100 that are causing the excessive logging. You could insert some ACCEPT and/or DROP rules matching those packets at the top of the chains. That would put an end to this, and it lets you be very specific as to which packets you don't want to log. For example, if you want to disable logging only for locally generated UDP packets with destination port 123 on them which exit on eth1, you could execute either a:
Code:
iptables -I OUTPUT -p UDP -o eth1 --dport 123 -j ACCEPT
Or a:
Code:
iptables -I OUTPUT -p UDP -o eth1 --dport 123 -j DROP
...depending on whether you want to allow or deny the packet. Either command would prevent the packet from reaching whatever LOG rule it's currently hitting, and you can easily add more matches such as destination IP, for example.
Thanks a lot, win32sux... it's very much clear to me now.

But kindly tell me also: if I really want to exclude the IPs [172.26.16.16] and [172.26.16.28] from monitoring and/or logging, what should be the rule for this?
 
Old 05-31-2009, 03:41 AM   #8
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by smartyshan View Post
Thanks a lot, win32sux... it's very much clear to me now.

But kindly tell me also: if I really want to exclude the IPs [172.26.16.16] and [172.26.16.28] from monitoring and/or logging, what should be the rule for this?
It depends. Ideally, you'd want to create an exception right before the rule which currently sends the packet to the logging chain. This new rule would either ACCEPT/DROP/REJECT the packet, or send it to another chain which is set up differently than the logging one. That said, inserting a rule at the top of the chain would work just fine, and it would go like:
Code:
iptables -I INPUT -i eth1 -s 172.26.16.16 -j ACCEPT
iptables -I INPUT -i eth1 -s 172.26.16.28 -j ACCEPT
Change the target from ACCEPT to DROP if your objective is to filter packets with those source IPs.
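As an added example that is not code from the thread: the Python below parses the `IPT:` log lines from post #1 (a four-line constructed sample is embedded), counts which prefix/chain/interface/port combination is flooding the log, and builds the top-of-chain exception rule from posts #6 and #8 as a string for review. It goes slightly beyond the thread by also classifying forwarded packets (IN and OUT both set); the function names are mine, and the rules are only returned, never applied.

```python
import re
from collections import Counter

# Constructed sample: four of the lines quoted in post #1 (not the whole dump).
SAMPLE_LOG = """\
Apr 30 20:25:18 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:17:a4:a7:3d:a2:08:00 SRC=172.26.16.27 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:29:06 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1a:4b:a5:b8:e0:08:00 SRC=172.26.16.56 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
Apr 30 20:32:35 TEST-NODE kernel: IPT: OUTGOING_NOT_EST IN= OUT=eth1 SRC=172.26.12.17 DST=172.26.8.36 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Apr 30 20:34:06 TEST-NODE kernel: IPT: IN_NOMATCH IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1a:4b:a5:b8:e0:08:00 SRC=172.26.16.56 DST=172.26.16.255 LEN=104 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10100 DPT=10100 LEN=84
"""
LINE_RE = re.compile(r"kernel: IPT: (?P<prefix>\S+) (?P<fields>.*)$")

def parse_line(line):
    """Return (log prefix, {field: value}) for one iptables LOG line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        key, eq, val = tok.partition("=")
        fields.setdefault(key, val if eq else True)  # first LEN= (IP length) wins; bare DF -> True
    return m.group("prefix"), fields

def summarize(log_text):
    """Count lines per (prefix, chain, interface, proto, dport) to see what is flooding the log."""
    counts = Counter()
    for line in log_text.splitlines():
        if (parsed := parse_line(line)) is None:
            continue
        prefix, f = parsed
        chain = "FORWARD" if f.get("IN") and f.get("OUT") else ("INPUT" if f.get("IN") else "OUTPUT")  # IN+OUT: forwarded
        counts[(prefix, chain, f.get("IN") or f.get("OUT"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts

def exception_rule(chain, iface, proto=None, dport=None, target="ACCEPT", src=None):
    """Build the top-of-chain 'iptables -I' rule from posts #6/#8 so the LOG rule never sees the packet."""
    parts = ["iptables", "-I", chain, "-o" if chain == "OUTPUT" else "-i", iface]
    if src:
        parts += ["-s", src]
    if proto:  # -p must precede --dport or iptables rejects the rule
        parts += ["-p", proto.lower()]
        if dport:
            parts += ["--dport", dport]
    return " ".join(parts + ["-j", target])

def suggest_rules(log_text, min_count=2):
    """(prefix, count, rule) for every traffic class seen at least min_count times, busiest first."""
    rows = summarize(log_text).most_common()
    return [(p, n, exception_rule(c, i, pr, d)) for (p, c, i, pr, d), n in rows if n >= min_count]
```

Run suggest_rules() over the real /var/log/messages to see which exceptions would silence the most lines; review each rule before inserting it, because an ACCEPT at the top of a chain bypasses every rule below it, not just the LOG rule.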
 
  

