LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-20-2014, 08:23 AM   #1
mojorisin
iptables logging not working


Hello guys,

I am having an issue with the logfile setup of iptables. I am using the following rsyslog.conf file to save different messages to different files.

Code:
# Legacy property-based filters: each rule writes the matching message to its
# file, and the following "& ~" discards it so later rules and the default
# log files never see it again.
:msg, startswith, "spam_blacklist" -/var/log/spam.log
& ~

:msg, startswith, "web_blacklist" -/var/log/web.log
& ~

:msg, startswith, "ssh_blacklist" -/var/log/ssh.log
& ~

:msg, startswith, "ssh_blacklist_real" -/var/log/ssh_real.log
& ~

:msg, startswith, "drop_packet" -/var/log/drop.log
& ~
However, after the last iptables update the logfile format changed, and therefore it no longer matches the rules above.

Code:
Aug 20 15:48:08 kernel: [2334361.816855] drop_packetIN=venet0 OUT= MAC= SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=57 ID=51743 DF PROTO=TCP SPT=52370 DPT=31236 WINDOW=65535 RES=0x00 SYN URGP=0 
Aug 20 15:48:10 kernel: [2334363.847831] drop_packetIN=venet0 OUT= MAC= SRC=xxx.xxx.xxx.xxx1 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=57 ID=39637 DF PROTO=TCP SPT=52370 DPT=31236 WINDOW=65535 RES=0x00 SYN URGP=0
The numbers in the [] right after "kernel" are messing up my rsyslog rules. Before the update it used to be like this:

Code:
Aug 20 15:48:08 kernel: drop_packet IN=venet0 OUT= MAC= SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=57 ID=51743 DF PROTO=TCP SPT=52370 DPT=31236 WINDOW=65535 RES=0x00 SYN URGP=0 
Aug 20 15:48:10 kernel: drop_packet IN=venet0 OUT= MAC= SRC=xxx.xxx.xxx.xxx1 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=57 ID=39637 DF PROTO=TCP SPT=52370 DPT=31236 WINDOW=65535 RES=0x00 SYN URGP=0
Is it possible to change the log format? And if yes, where can I do this?

Last edited by mojorisin; 08-20-2014 at 10:09 AM.
 
Old 08-21-2014, 10:16 PM   #2
GaWdLy
Look at the first comment on this page: http://blog.shadypixel.com/log-iptab...-with-rsyslog/

Changing 'startswith' to 'contains' should fix you up.
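To see why that fix works, here is an added emulation (not code from the thread or from rsyslog) of the poster's rules run against the two log formats. It assumes rsyslog's msg property for a kernel line is the text after "kernel: ", uses constructed sample lines with test-range addresses, and also shows a side effect of the rule order in that config: because rules run top to bottom and "& ~" discards on the first hit, a "ssh_blacklist_real" message is caught by the "ssh_blacklist" rule and never reaches ssh_real.log, with either operator.

```python
import re
from typing import Optional

# Constructed samples in the two formats from the post (addresses are RFC 5737 test
# ranges). The second carries the kernel printk timestamp "[secs.usecs]" and, as in the
# post, the log-prefix "drop_packet" glued to "IN=" (no trailing space in --log-prefix).
OLD_FORMAT = ("Aug 20 15:48:08 kernel: drop_packet IN=venet0 OUT= MAC= SRC=192.0.2.10 "
              "DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=57 ID=51743 DF PROTO=TCP "
              "SPT=52370 DPT=31236 WINDOW=65535 RES=0x00 SYN URGP=0")
NEW_FORMAT = ("Aug 20 15:48:08 kernel: [2334361.816855] drop_packetIN=venet0 OUT= MAC= "
              "SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=57 ID=51743 "
              "DF PROTO=TCP SPT=52370 DPT=31236 WINDOW=65535 RES=0x00 SYN URGP=0")
SSH_REAL = ("Aug 20 15:50:00 kernel: [2334470.000001] ssh_blacklist_real IN=venet0 OUT= "
            "SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=22")

# The post's rsyslog.conf in file order: rsyslog evaluates rules top to bottom and
# the "& ~" after each one discards the message once a rule has written it.
ROUTES = [
    ("spam_blacklist", "/var/log/spam.log"),
    ("web_blacklist", "/var/log/web.log"),
    ("ssh_blacklist", "/var/log/ssh.log"),
    ("ssh_blacklist_real", "/var/log/ssh_real.log"),
    ("drop_packet", "/var/log/drop.log"),
]

def msg_property(line: str) -> str:
    """Approximation of rsyslog's 'msg' property for a kernel line: text after 'kernel: '."""
    tag = "kernel: "
    idx = line.find(tag)
    return line[idx + len(tag):] if idx >= 0 else line

def route(line: str, op: str) -> Optional[str]:
    """Emulate ':msg, <op>, "<prefix>" <file>' + '& ~' with op = 'startswith' or 'contains'."""
    msg = msg_property(line)
    for prefix, dest in ROUTES:
        hit = msg.startswith(prefix) if op == "startswith" else prefix in msg
        if hit:
            return dest          # '& ~' stops evaluation here
    return None                  # nothing matched; message goes on to the default rules

# One KEY=VALUE field of the iptables LOG target; flags such as DF and SYN carry no '='.
FIELD = re.compile(r"([A-Z]+)=(\S*)")

def parse_iptables(line: str) -> dict:
    """Extract the LOG fields from either format, stripping the kernel timestamp first."""
    msg = re.sub(r"^\[\s*\d+\.\d+\]\s*", "", msg_property(line))
    fields = dict(FIELD.findall(msg))
    fields["PREFIX"] = msg.split("IN=", 1)[0].strip()   # the --log-prefix text
    return fields
```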