Quote:
what does the fp=UDP:2 and a=DROP mean ?
|
Well, that would be the log-prefix specified in the log rule...
If your rule said '--log-prefix "any arbitrary string"' then your log would look like:
Oct 24 11:12:45 68-67-253-163 kernel: any arbitrary string IN=eth0 OUT= MAC=00:01:02:5f:50:06:00:90:f8:01:58:3b:08:00 SRC=208.253.115.11 DST=68.67.253.163 LEN=28 TOS=0x00 PREC=0x00 TTL=41 ID=16895 PROTO=UDP SPT=12118 DPT=8723 LEN=8
It looks as though whoever wrote these LOG rules you are using used the --log-prefix to log why the packet was logged (fp=UDP:2) and what will happen to it (a=DROP)
Quote:
Maybe SyslogNG has better facilities but when I tried it some years ago it wasn't good enough.
|
I am using syslog-ng on my systems and it has an excellent filtering mechanism, which I use to filter my iptables log messages to a dedicated file, using the --log-prefix rule the OP is asking about to set a unique identifier.
So: let's say my log prefix is "Dropped and Logged". Now in syslog-ng.conf I set up a filter:
Code:
filter dropped { match("Dropped and Logged"); };
and then simply apply the filter to all messages:
Code:
log { source(src); filter(dropped); destination(droplog); };
where "src" is the previously defined source of all messages and "droplog" is the previously defined file to log the messages that pass the filter. This is just a simple example, but there are many different filtering methods which allow you to zero in on pretty much any message, and dispatch it accordingly (including sending it to /dev/null if it suits your purposes).
Combining the filter mechanism with its simple but powerful remote logging facilities really puts syslog-ng light years ahead of regular old syslog IMHO.
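As an added example (not from the original post or from syslog-ng itself), here is a small Python parser for the kernel log lines an iptables LOG rule produces, in the format quoted above: it separates the --log-prefix text from the IN=/OUT=/SRC=... fields, turns a "fp=UDP:2 a=DROP" style prefix into tags, and routes each line the way the syslog-ng match() filter above would. The sample lines are constructed for this example: the first is the line quoted above with the wrapped SRC address joined back together, the second is a hypothetical TCP SYN line using the OP's prefix style, and the third is a non-iptables kernel line to show that it is rejected. The second LEN on a UDP line is the UDP length, so duplicate keys are kept as LEN2, LEN3 and so on rather than overwritten.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input (not real traffic). Line 1 is the log line quoted
# in the post with the extraction line-wrap joined; lines 2 and 3 are hypothetical.
SAMPLE_LINES = [
    "Oct 24 11:12:45 68-67-253-163 kernel: any arbitrary string IN=eth0 OUT= "
    "MAC=00:01:02:5f:50:06:00:90:f8:01:58:3b:08:00 SRC=208.253.115.11 DST=68.67.253.163 "
    "LEN=28 TOS=0x00 PREC=0x00 TTL=41 ID=16895 PROTO=UDP SPT=12118 DPT=8723 LEN=8",
    "Oct 24 11:13:02 68-67-253-163 kernel: fp=UDP:2 a=DROP IN=eth0 OUT= "
    "MAC=00:01:02:5f:50:06:00:90:f8:01:58:3b:08:00 SRC=10.0.0.5 DST=68.67.253.163 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=44321 DPT=22 "
    "WINDOW=65535 RES=0x00 SYN URGP=0",
    "Oct 24 11:13:03 68-67-253-163 kernel: usb 1-1: new high-speed USB device",
]

# Classic syslog header as written by klogd/syslog: "Mon DD HH:MM:SS host kernel: msg"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$"
)
# The iptables LOG target always starts its own output with "IN=", so everything
# before that token is the --log-prefix string (which may itself contain '=').
IN_RE = re.compile(r"(?:^|\s)IN=")


@dataclass
class IptablesLogEntry:
    timestamp: str
    host: str
    prefix: str               # raw --log-prefix text, e.g. "fp=UDP:2 a=DROP"
    prefix_tags: Dict[str, str]  # {"fp": "UDP:2", "a": "DROP"} when the prefix is key=value tags
    fields: Dict[str, str]    # IN, OUT, SRC, DST, PROTO, SPT, DPT, LEN, LEN2, ...
    flags: List[str]          # bare tokens such as DF, SYN, ACK


def parse_prefix_tags(prefix: str) -> Dict[str, str]:
    """Turn a prefix like 'fp=UDP:2 a=DROP' into a dict; free text gives {}."""
    tokens = prefix.split()
    if tokens and all("=" in t for t in tokens):
        return dict(t.split("=", 1) for t in tokens)
    return {}


def parse_iptables_log(line: str) -> Optional[IptablesLogEntry]:
    """Parse one syslog line; return None if it is not an iptables LOG line."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    im = IN_RE.search(msg)
    if not im:
        return None  # kernel message, but not from the LOG target
    prefix = msg[:im.start()].strip()
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for tok in msg[im.start():].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            base, n = key, 2
            while key in fields:      # e.g. IP LEN followed by UDP/ICMP LEN
                key = f"{base}{n}"
                n += 1
            fields[key] = value       # "OUT=" yields an empty string, as in the log
        else:
            flags.append(tok)         # DF, SYN, ACK, ... carry no value
    return IptablesLogEntry(m.group("ts"), m.group("host"), prefix,
                            parse_prefix_tags(prefix), fields, flags)


def route(line: str, needle: str, destination: str = "droplog") -> str:
    """Mimic syslog-ng's match("needle") filter: substring match on the whole
    message decides whether the line goes to the dedicated destination."""
    return destination if needle in line else "default"


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        entry = parse_iptables_log(raw)
        if entry is None:
            print("skipped (not an iptables LOG line):", raw)
            continue
        print(route(raw, "a=DROP"), entry.prefix_tags or entry.prefix,
              entry.fields.get("PROTO"), entry.fields.get("SRC"),
              "->", entry.fields.get("DPT"), entry.flags)
```

The prefix/field split is the security-relevant part: the LOG target writes the prefix verbatim, so a parser that simply looks for the first "=" would mis-split a prefix like "a=DROP". Anchoring on the leading "IN=" token is what makes the "why was it logged / what happened to it" tags recoverable downstream, whether that downstream is syslog-ng's filter or a script like this one.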