LinuxQuestions.org
Linux - Newbie: Syslog-ng and iptables (https://www.linuxquestions.org/questions/linux-newbie-8/syslog-ng-and-iptables-891686/)

Pacifiste95 07-14-2011 07:16 AM

Syslog-ng and iptables
 
Hello,

I've a problem with a syslog-ng filter and iptables.

So, this is an example of my iptables log:

Code:

Jul 13 08:27:01 davis kernel: [2447090.462486] iptables RULE -16 -- ACCEPT IN= OUT=eth4 SRC=10.100.40.2 DST=224.0.0.18 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=25462 PROTO=112
Jul 13 08:27:01 davis kernel: [2447090.462773] iptables RULE -16 -- ACCEPT IN= OUT=eth1 SRC=10.100.10.2 DST=224.0.0.18 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=25462 PROTO=112
Jul 13 08:27:01 davis CRON[24335]: (root) CMD (cp /var/log/iptables.log /opt/log/iptables/davis/iptables.log      # exports log iptable every min)
Jul 13 08:27:02 davis kernel: [2447091.460677] iptables RULE -16 -- ACCEPT IN= OUT=eth3 SRC=10.100.30.2 DST=224.0.0.18 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=25462 PROTO=112
Jul 13 08:27:02 davis kernel: [2447091.460866] iptables RULE -16 -- ACCEPT IN= OUT=eth2 SRC=10.100.20.2 DST=224.0.0.18 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=25462 PROTO=112

And this is my configuration in the syslog-ng.conf file:

Code:

destination iptables_fw {
                        file("/var/log/archive/$R_YEAR-$R_MONTH-$R_DAY/firewall"
                        template("$HOUR:$MIN:$SEC $HOST <$FACILITY.$PRIORITY> $MSG\n")
                        template_escape(no)
                        );
};

filter f_iptables { match("RULE")
or match("iptables"); };

log {
        source(local);
        filter(f_iptables);
        destination(iptables_fw);
};

I get a "firewall" file, but in this file I only get these lines:

Code:

14:50:01 davis <cron.info> CRON[28985]: (root) CMD (cp /var/log/iptables.log /opt/log/iptables/davis/iptables.log      # exports log iptable every min)
14:51:01 davis <cron.info> CRON[29018]: (root) CMD (cp /var/log/iptables.log /opt/log/iptables/davis/iptables.log      # exports log iptable every min)
14:52:01 davis <cron.info> CRON[29022]: (root) CMD (cp /var/log/iptables.log /opt/log/iptables/davis/iptables.log      # exports log iptable every min)
14:53:01 davis <cron.info> CRON[29026]: (root) CMD (cp /var/log/iptables.log /opt/log/iptables/davis/iptables.log      # exports log iptable every min)

But I don't want this, I want this type of line:

"Jul 13 08:27:01 davis kernel: [2447090.462486] iptables RULE -16 -- ACCEPT IN= OUT=eth4 SRC=10.100.40.2 DST=224.0.0.18 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=25462 PROTO=112"

What is the problem in my syslog-ng configuration?

Thanks :) :)

acid_kewpie 07-14-2011 07:23 AM

Your source of "local" is probably the place to look. What is it? It probably isn't picking up from /proc/kmsg.

Pacifiste95 07-14-2011 07:45 AM

I have a log server (IP 172.16.3.140) with this configuration:

Code:

source local {

        internal();
        unix-stream("/dev/log");
        file("/proc/kmsg" log_prefix("kernel: "));
        tcp(ip(0.0.0.0));
        udp(ip(0.0.0.0));
};

destination iptables_fw {
                        file("/var/log/archive/$R_YEAR-$R_MONTH-$R_DAY/firewall"
                        template("$HOUR:$MIN:$SEC $HOST <$FACILITY.$PRIORITY> $MSG\n")
                        template_escape(no)
                        );
};

filter f_iptables { match("RULE")
or match("iptables"); };

log {
        source(local);
        filter(f_iptables);
        destination(iptables_fw);
};

And this is the configuration of my iptables server:

Code:

source local {
  unix-stream("/dev/log");
  internal();
};

destination srv_dist {
  tcp("172.16.3.140");
};

log {
  source(local);
  destination(srv_dist);
};

Thanks a lot :)

acid_kewpie 07-14-2011 08:09 AM

Right, so there you go. Looks like I was right.

Pacifiste95 07-14-2011 08:14 AM

So, in my iptables syslog-ng conf file I'll have this:

Code:

source local {
        file("/proc/kmsg");
        internal();
};

Is this correct or not?

Thanks

acid_kewpie 07-14-2011 08:18 AM

Well, I'd wonder why the client side is so basic; does it not deserve a full logging structure in the first place? But yes, like the server side, the kernel messages come from /proc/kmsg. Previously klogd would monitor the kernel stuff and syslogd would deal with the userland, but they are combined on most modern syslog services.

Pacifiste95 07-14-2011 02:07 PM

Thanks :)

It's okay now, I can view my iptables log on my log server.

This is my client-side configuration:

Code:

filter f_iptables { match("RULE")
and match("iptables"); };

source local {
  file("/proc/kmsg");
  internal();
};

destination srv_dist {
  tcp("172.16.3.140");
};

log {
  source(local);
  filter(f_iptables);
  destination(srv_dist);
};

And this is my log server side configuration:

Code:

source local {
        unix-stream("/dev/log");
        file("/proc/kmsg" log_prefix("kernel: "));
        tcp(ip(0.0.0.0));
        udp(ip(0.0.0.0));
};

destination iptables_fw {
                        file("/var/log/archive/$R_YEAR-$R_MONTH-$R_DAY/firewall"
                        template("$HOUR:$MIN:$SEC $HOST <$FACILITY.$PRIORITY> $MSG\n")
                        template_escape(no)
                        );
};

log {
        source(local);
        destination(iptables_fw);
};

Thanks a lot :)

acid_kewpie 07-14-2011 03:07 PM

I'm not sure you really get what your config files are saying at all. On the server you are sending ALL TCP, UDP, local AND kernel messages into a file called "firewall"??? Why would you ever want to do that? Have you really deleted everything else that was in the config files?
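As an added illustration (this is not code from the thread or from syslog-ng itself), the Python below parses lines shaped like the ones quoted in the first post and evaluates the thread's filter expressions against them. It shows why the original `match("RULE") or match("iptables")` filter let the CRON line through (the cp command line contains the path iptables.log), why the `and` filter in the final client config keeps only the kernel lines, and that the filterless server-side log statement keeps everything, which is the point raised in the last reply. The fourth sample line (an sshd message) and the stricter f_kern_iptables filter are assumptions added here, and match() is modelled as a plain substring test on "program: message", which is sufficient for these samples.

```python
import re

# Constructed sample modelled on the lines quoted in the thread: two kernel
# iptables lines, the CRON line that mentions the iptables.log path, and one
# unrelated sshd line (hypothetical) to show what an unfiltered log would catch.
SAMPLE_LOG = """\
Jul 13 08:27:01 davis kernel: [2447090.462486] iptables RULE -16 -- ACCEPT IN= OUT=eth4 SRC=10.100.40.2 DST=224.0.0.18 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=25462 PROTO=112
Jul 13 08:27:01 davis CRON[24335]: (root) CMD (cp /var/log/iptables.log /opt/log/iptables/davis/iptables.log      # exports log iptable every min)
Jul 13 08:27:02 davis kernel: [2447091.460677] iptables RULE -16 -- ACCEPT IN= OUT=eth3 SRC=10.100.30.2 DST=224.0.0.18 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=25462 PROTO=112
Jul 13 08:27:02 davis sshd[4242]: Accepted publickey for admin from 10.100.10.5 port 50000 ssh2
"""

# Classic BSD syslog line: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_line(line):
    """Split one syslog line into its fields; returns None for lines that do not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def parse_iptables_fields(msg):
    """Pull rule number, verdict and the KEY=VALUE pairs out of an iptables kernel message."""
    m = re.match(r"^\[[\d.]+\] iptables RULE (?P<rule>-?\d+) -- (?P<verdict>\w+) (?P<rest>.*)$", msg)
    if not m:
        return None
    fields = {"rule": m.group("rule"), "verdict": m.group("verdict")}
    # "IN=" with nothing after it is legitimate (locally generated packet), so allow empty values.
    fields.update(re.findall(r"(\w+)=(\S*)", m.group("rest")))
    return fields


def _text(rec):
    # Assumption: match() is treated as a substring test on "program: message".
    return f"{rec['program']}: {rec['msg']}"


# Each entry mirrors one filter statement seen in the thread, plus one stricter variant.
FILTERS = {
    # filter f_iptables { match("RULE") or match("iptables"); };   (first post)
    "f_iptables_or": lambda r: "RULE" in _text(r) or "iptables" in _text(r),
    # filter f_iptables { match("RULE") and match("iptables"); };  (final client config)
    "f_iptables_and": lambda r: "RULE" in _text(r) and "iptables" in _text(r),
    # No filter at all, as in the final server-side log {} statement.
    "none": lambda r: True,
    # Stricter variant (assumption, not from the thread): only kernel messages whose body
    # carries the iptables prefix, so a user-space process mentioning "iptables" cannot match.
    "f_kern_iptables": lambda r: r["program"] == "kernel" and parse_iptables_fields(r["msg"]) is not None,
}


def apply_filter(filt, records):
    """Return the records a filter would pass on to the destination."""
    return [r for r in records if filt(r)]


def route_sample():
    """Per filter, list the program names of the sample lines that would reach the 'firewall' file."""
    records = [r for r in (parse_line(l) for l in SAMPLE_LOG.splitlines()) if r]
    return {name: [r["program"] for r in apply_filter(f, records)] for name, f in FILTERS.items()}


if __name__ == "__main__":
    for name, programs in route_sample().items():
        print(f"{name:16} -> {programs}")
    for rec in (parse_line(l) for l in SAMPLE_LOG.splitlines()):
        if rec and rec["program"] == "kernel":
            print(parse_iptables_fields(rec["msg"]))
```

Running it prints which sample lines each filter passes; the `or` filter passes the CRON line while the `and` filter and the kernel-only filter pass just the two iptables lines, and the unfiltered case passes all four. The same parse_iptables_fields() output (verdict, interfaces, SRC/DST, PROTO) is what you would feed into any further alerting once the right lines arrive on the log server.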

