Using Rsyslog to redirect Shorewall messages but Shorewall is not a facility

dman777 · 01-02-2011, 10:00 AM

I want to redirect Shorewall messages to a custom /var/log/firewall. Can that configuration be done in rsyslog.conf since Shorewall is not it's own facility?

acid_kewpie · 01-02-2011, 12:01 PM

Not sure exactly where you are in what you're asking, but no shorewall can't have it's own, named, facility. You should first find out what facility it is already using, assuming it is logging to syslog and not direct to a file. If that facility is good enough, them just reference that one, e.g. local4. If it's being used for multiple services, them change shore wall to use something else.

Alternatively, you could use a different syslog service, e.g. syslog-ng which can filer on shutter attributes such as string matches in the log data, not just fac and pri.

dman777 · 01-02-2011, 01:37 PM

Code:

2011-01-02T09:45:27.537541-06:00 localhost kernel: [103213.655724] Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.100 DST=64.16.64.209 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53430 DF PROTO=TCP SPT=48956 DPT=3946 WINDOW=5840 RES=0x00 SYN URGP=0

Reading the shorewall documentation, it does use syslog.

If I am reading above code correctly it seems to be using the kernel facility. Is there a way I can filter out the shorewall alone and redirect it to local4?

I will read more into rsyslog filtering maybe I missed some action that I could use.

I choose rsyslog because it comes default with red hat and I am trying to get my RHCSA.