Syslog-ng and iptables
Hello,
I have a problem with a syslog-ng filter and iptables. So, this is an example of my iptables log:
Code:
Jul 13 08:27:01 davis kernel: [2447090.462486] iptables RULE -16 -- ACCEPT IN= OUT=eth4 SRC=10.100.40.2 DST=224.0.0.18 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=25462 PROTO=112
Code:
destination iptables_fw {
Code:
14:50:01 davis <cron.info> CRON[28985]: (root) CMD (cp /var/log/iptables.log /opt/log/iptables/davis/iptables.log # exports log iptable every min)
"Jul 13 08:27:01 davis kernel: [2447090.462486] iptables RULE -16 -- ACCEPT IN= OUT=eth4 SRC=10.100.40.2 DST=224.0.0.18 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=25462 PROTO=112"
What is the problem in my syslog-ng configuration? Thanks :) :)
Your source "local" is probably the place to look. What is it? It probably isn't picking up from /proc/kmsg.
I have a log server (IP 172.16.3.140) with this configuration:
Code:
source local {
Right, so there you go. Looks like I was right.
So, in my iptables syslog-ng conf file I'll have this:
Code:
source local { file("/proc/kmsg"); internal(); };
Is this correct or not? Thanks
Well, I'd wonder why the client side is so basic; does it not deserve a full logging structure in the first place? But yes, like the server side, the kernel messages come from /proc/kmsg. Previously klogd would monitor the kernel stuff and syslogd would deal with the userland, but they are combined on most modern syslog services.
Thanks :)
It's okay now, I can view my iptables log on my log server. This is my client side configuration:
Code:
filter f_iptables { match("RULE")
Code:
source local {
I'm not sure you really get what your config files are saying at all. On the server you are sending ALL TCP, UDP, local AND kernel messages into a file called "firewall"??? Why would you ever want to do that? Have you really deleted everything else that was in the config files?
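As an added example (not the configuration posted in this thread), here is a minimal syslog-ng setup that does what the thread converges on: read kernel messages from /proc/kmsg on the firewall host, keep only the iptables lines carrying the "iptables RULE" prefix, forward just those to the log server at 172.16.3.140, and on the server write them to their own file rather than mixing every message into one "firewall" file. The source/destination names, 514/udp as the transport, the server-side file path and syslog-ng 3.x syntax (match() with value(), program_override()) are assumptions.

```conf
# Added example, not the poster's config. Client side (the firewall host "davis").
# iptables LOG output is a kernel message: it does not arrive via /dev/log, so it
# needs its own source reading /proc/kmsg (root only, and only one reader at a time;
# on syslog-ng 3.6+ the system() source already covers this).
source s_kernel {
    file("/proc/kmsg" program_override("kernel") flags(kernel));
};

# Keep only the iptables lines. "iptables RULE" is the --log-prefix of the LOG
# target in the ruleset; matching on the MESSAGE field avoids firing on any other
# message that merely contains the word "RULE".
filter f_iptables {
    match("iptables RULE" value("MESSAGE"));
};

# Forward to the log server. 172.16.3.140 is from the thread; 514/udp is assumed.
destination d_fwserver {
    udp("172.16.3.140" port(514));
};

# Only kernel messages that pass the filter leave the host; user-land messages keep
# whatever log paths the rest of the configuration defines.
log {
    source(s_kernel);
    filter(f_iptables);
    destination(d_fwserver);
};

# Server side (172.16.3.140). Accept from the network and write the iptables lines
# to a per-host file (path assumed), so they never land in a catch-all "firewall".
source s_net {
    udp(ip("0.0.0.0") port(514));
};

destination d_iptables {
    file("/var/log/iptables/$HOST/iptables.log" create_dirs(yes));
};

log {
    source(s_net);
    filter(f_iptables);
    destination(d_iptables);
};
```

Note that the filter is applied again on the server, so a client that forwards more than it should cannot pollute the iptables file; anything else arriving on 514/udp needs its own log statement or is dropped.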