Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
11-01-2005, 10:03 AM, #1
Member
Registered: May 2001
Location: Canada
Distribution: old ones
Posts: 555
Help me regain control of my server logs! (squid logging)
Hi there,
This has been frustrating me for a while, so I hope someone can help. I have a Mandrake machine, kernel 2.4.18.
I realise that in order to keep track of what is happening on your machine you need to review dmesg, /var/log/messages and /var/log/syslog.
However, I use iptables on this server, and I set the log level pretty high so I can keep tabs on my network and Internet usage.
Unfortunately, iptables uses the system logs for logging, rendering them unusable for system administration. Here's an example of what "tail /var/log/messages" looks like:
Code:
[root@MDKSERV log]# tail /var/log/messages
Nov 1 11:02:13 MDKSERV kernel: passed IN=eth1 OUT= MAC=00:09:6b:63:15:4f:00:11:25:ab:73:f4:08:00 SRC=192.168.1.130 DST=192.168.1.1 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=41065 DF PROTO=TCP SPT=2067 DPT=22 WINDOW=17436 RES=0x00 ACK PSH URGP=0
Nov 1 11:02:13 MDKSERV kernel: passed IN= OUT=eth1 SRC=192.168.1.1 DST=192.168.1.130 LEN=124 TOS=0x10 PREC=0x00 TTL=64 ID=61338 PROTO=TCP SPT=22 DPT=2067 WINDOW=8576 RES=0x00 ACK PSH URGP=0
Nov 1 11:02:13 MDKSERV kernel: passed IN=eth1 OUT= MAC=00:09:6b:63:15:4f:00:11:25:ab:73:f4:08:00 SRC=192.168.1.130 DST=192.168.1.1 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=41066 DF PROTO=TCP SPT=2067 DPT=22 WINDOW=17352 RES=0x00 ACK PSH URGP=0
Nov 1 11:02:13 MDKSERV kernel: passed IN= OUT=eth1 SRC=192.168.1.1 DST=192.168.1.130 LEN=124 TOS=0x10 PREC=0x00 TTL=64 ID=35697 PROTO=TCP SPT=22 DPT=2067 WINDOW=8576 RES=0x00 ACK PSH URGP=0
Nov 1 11:02:13 MDKSERV kernel: passed IN=eth1 OUT= MAC=00:09:6b:63:15:4f:00:11:25:ab:73:f4:08:00 SRC=192.168.1.130 DST=192.168.1.1 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=41067 DF PROTO=TCP SPT=2067 DPT=22 WINDOW=17268 RES=0x00 ACK PSH URGP=0
Nov 1 11:02:13 MDKSERV kernel: passed IN= OUT=eth1 SRC=192.168.1.1 DST=192.168.1.130 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=24 PROTO=TCP SPT=22 DPT=2067 WINDOW=8576 RES=0x00 ACK URGP=0
Nov 1 11:02:13 MDKSERV kernel: passed IN=eth1 OUT= MAC=00:09:6b:63:15:4f:00:11:25:ab:73:f4:08:00 SRC=192.168.1.130 DST=192.168.1.1 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=41068 DF PROTO=TCP SPT=2067 DPT=22 WINDOW=17268 RES=0x00 ACK PSH URGP=0
Nov 1 11:02:13 MDKSERV kernel: passed IN= OUT=eth1 SRC=192.168.1.1 DST=192.168.1.130 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=22 DPT=2067 WINDOW=8576 RES=0x00 ACK URGP=0
Nov 1 11:02:13 MDKSERV kernel: passed IN= OUT=eth1 SRC=192.168.1.1 DST=192.168.1.130 LEN=124 TOS=0x10 PREC=0x00 TTL=64 ID=26991 PROTO=TCP SPT=22 DPT=2067 WINDOW=8576 RES=0x00 ACK PSH URGP=0
Nov 1 11:02:13 MDKSERV kernel: passed IN=eth1 OUT= MAC=00:09:6b:63:15:4f:00:11:25:ab:73:f4:08:00 SRC=192.168.1.130 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=41069 DF PROTO=TCP SPT=2067 DPT=22 WINDOW=17184 RES=0x00 ACK URGP=0
This is also what my dmesg output is. What I'd really like to know about is SSH sessions, boot messages, and other things.
How can I separate these two logs, iptables and kernel? I want my system messages back.
Thanks!
Last edited by Avatar; 11-01-2005 at 10:37 AM.
11-01-2005, 04:17 PM, #2
Senior Member
Registered: Jan 2002
Location: St Louis, MO
Distribution: Ubuntu
Posts: 1,284
Try looking at ulogd which is a separate daemon able to handle the logging of firewall rules separate from syslog. It also lets you manipulate the data a little more, though I've never actually used it myself.
11-01-2005, 09:21 PM, #3
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
You may also want to try a log parser like logwatch or sawmill.
11-02-2005, 10:52 AM, #4
Member
Registered: May 2001
Location: Canada
Distribution: old ones
Posts: 555
Original Poster
Well, I have a log parser that allows me to examine my Internet usage data, but what I want is to be able to type "dmesg" and NOT have all that stuff come up. There are NO system messages in dmesg unless you type it IMMEDIATELY, and I mean immediately, after bootup, before the network traffic gets going.
Unfortunately I'm not a Linux "guru." I looked at ulogd but I didn't really understand its purpose.
Right now my IPTABLES rules have this:
Code:
-j LOG --log-level warning --log-prefix "passed "
-j LOG --log-level info --log-prefix "dropped "
The first line is for ACCEPT and the second for DROP.
Is there a way to tell iptables to LOG somewhere else, but still compress and gzip the logs every day like it's doing now?
11-02-2005, 04:59 PM, #5
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
In that case, you'll likely need a specialized logging daemon. The standard syslog doesn't really support complex logging like that, and really the only way to do it is to have a script parse the log file and pull out the iptables log messages. It usually is kind of an ugly hack, so using a specialized logging utility (like ulogd or syslog-ng) is a better solution. Syslog-ng is basically a robust version of the normal system logger, while ulogd interfaces more directly with iptables by using the iptables ULOG target (instead of LOG), which hands the iptables log messages over to a set of userland utilities that process them instead of the normal kernel and system logging facility.
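The "script that parses the log file" route described in the reply above, applied to the log flood shown in post #1, as an added example that is not from the thread or from any of the tools it names. It splits a syslog-style file on the two prefixes the poster's LOG rules emit ("passed " and "dropped ") and only matches them when they follow "kernel:", so a user-space daemon that happens to print the word "passed" is not misfiled. The sample log lines are constructed; the file names come from mktemp and stand in for /var/log/messages and whatever destination you pick.

```shell
#!/bin/sh
# Added example (not the poster's or any project's code): separate iptables LOG
# lines from the rest of a syslog-style file. Sample input is constructed.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Nov  1 11:02:13 MDKSERV kernel: passed IN=eth1 OUT= SRC=192.168.1.130 DST=192.168.1.1 PROTO=TCP SPT=2067 DPT=22
Nov  1 11:02:13 MDKSERV kernel: dropped IN=eth1 OUT= SRC=192.168.1.77 DST=192.168.1.1 PROTO=TCP SPT=4444 DPT=23
Nov  1 11:02:14 MDKSERV sshd[1234]: Accepted password for alice from 192.168.1.130 port 2067 ssh2
Nov  1 11:02:15 MDKSERV kernel: eth1: link up
Nov  1 11:02:16 MDKSERV kernel: passed IN= OUT=eth1 SRC=192.168.1.1 DST=192.168.1.130 PROTO=TCP SPT=22 DPT=2067
EOF

# split_log <input> <firewall_out> <system_out>
# Kernel lines whose message begins with one of the iptables prefixes go to the
# firewall file; every other line, other kernel messages included, goes to the
# system file. Matching on "kernel: <prefix>" keeps non-kernel lines that merely
# contain the word "passed" or "dropped" where they belong.
split_log() {
    awk -v fw="$2" -v sys="$3" '
        /kernel: (passed|dropped) / { print > fw; next }
        { print > sys }
    ' "$1"
}

# count_lines <file>: line count without the padding some wc builds print.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

FW_LOG=$(mktemp)
SYS_LOG=$(mktemp)
split_log "$SAMPLE_LOG" "$FW_LOG" "$SYS_LOG"
echo "firewall lines: $(count_lines "$FW_LOG")"
echo "system lines:   $(count_lines "$SYS_LOG")"
```

Run from cron after logrotate has rolled the file and the firewall lines end up in their own file with their own rotation. Because the poster logs ACCEPT at warning and DROP at info, the classic sysklogd can also route those two priorities with a syslog.conf line such as `kern.=warning;kern.=info -/var/log/iptables.log`, but that catches every other kernel message at those priorities too, and neither approach touches the kernel ring buffer, so dmesg stays flooded; only moving the firewall messages out of the kernel's printk path (the ULOG target) fixes that.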
11-03-2005, 11:20 AM, #6
Member
Registered: May 2001
Location: Canada
Distribution: old ones
Posts: 555
Original Poster
Hi, it sounds like ulogd is what I'm looking for.
But I didn't really understand its website very much. Is all I have to do install it, then change my IPTABLES to read ULOG wherever it says LOG?
If it's not that easy, do you know of any user manuals or howtos for it?
Thanks!
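The swap asked about above is not a plain word replacement, because the two targets take different options: LOG understands --log-level and --log-prefix (plus --log-tcp-sequence, --log-tcp-options, --log-ip-options), while ULOG takes --ulog-nlgroup and --ulog-prefix (and --ulog-cprange, --ulog-qthreshold) and has no level at all, since the packet goes to the ulogd daemon over netlink instead of through the kernel's printk, which is also why dmesg stays clean. The script below, an added example that is neither the poster's nor the ulogd project's code, rewrites LOG rules into ULOG rules and then checks that no LOG-only option survived. The sample rules are constructed from the two lines quoted in post #4; the INPUT chain and eth1 are placeholders, and netlink group 1 is assumed to be the group ulogd is configured to read.

```shell
#!/bin/sh
# Added example (not from the thread or the ulogd project): turn iptables LOG
# rules into ULOG rules and flag LOG-only options. Sample rules are constructed.

RULES=$(mktemp)
cat > "$RULES" <<'EOF'
-A INPUT -i eth1 -p tcp --dport 22 -j LOG --log-level warning --log-prefix "passed "
-A INPUT -i eth1 -j LOG --log-level info --log-prefix "dropped "
-A INPUT -i eth1 -j DROP
EOF

# log_to_ulog <rulesfile>: print the rules with every LOG target replaced by a
# ULOG target on netlink group 1 (assumed to match ulogd's configured group).
# --log-level is dropped, not translated: ULOG has no equivalent, the daemon
# decides how each message is stored.
log_to_ulog() {
    sed -E \
        -e 's/-j LOG( |$)/-j ULOG --ulog-nlgroup 1\1/' \
        -e 's/ --log-level [A-Za-z0-9]+//' \
        -e 's/--log-prefix/--ulog-prefix/' \
        "$1"
}

# leftover_log_options <rulesfile>: number of converted rules that still carry
# an option only LOG understands; anything above 0 would be rejected by
# iptables when the rules are loaded.
leftover_log_options() {
    log_to_ulog "$1" | grep -c -E -- '--log-(level|prefix|tcp-sequence|tcp-options|ip-options)' || true
}

# ulog_rule_count <rulesfile>: how many rules use the ULOG target after conversion.
ulog_rule_count() {
    log_to_ulog "$1" | grep -c -- '-j ULOG' || true
}

log_to_ulog "$RULES"
echo "rules using ULOG:      $(ulog_rule_count "$RULES")"
echo "LOG-only options left: $(leftover_log_options "$RULES")"
```

ULOG packets are delivered to whatever process listens on the netlink group; with ulogd not running they are silently dropped, so start the daemon and confirm its output file grows before removing the old LOG rules. Since ulogd writes a plain file, the daily gzip rotation the poster already has can be kept by adding that file to logrotate.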
11-03-2005, 12:58 PM, #7
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Dunno. Never actually used ulogd either. I'd start by taking a look at the README, though.
11-03-2005, 02:22 PM, #8
Member
Registered: May 2001
Location: Canada
Distribution: old ones
Posts: 555
Original Poster
Thanks for your help.
11-03-2005, 07:54 PM, #9
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Sure, if you have any specific problems with the installation, let us know.