[SOLVED] 13,661,802 instances of ...LOG_INPUT: IN=eth0 OUT= MAC=...
I think you have to set up log files in iptables itself. messages is the default. I’ve not figured that out yet…I’m using firewalld.
Not high on my list to fix…there’s little else in messages.
You can set the log level in any rule which invokes the LOG target. From man iptables-extensions:
Code:
LOG
    Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel
    will print some information on all matching packets (like most IP/IPv6 header fields) via the
    kernel log (where it can be read with dmesg(1) or read in the syslog).

    This is a "non-terminating target", i.e. rule traversal continues at the next rule. So if you
    want to LOG the packets you refuse, use two separate rules with the same matching criteria, first
    using target LOG then DROP (or REJECT).

    --log-level level
        Level of logging, which can be (system-specific) numeric or a mnemonic. Possible values
        are (in decreasing order of priority): emerg, alert, crit, error, warning, notice, info or
        debug.

    --log-prefix prefix
        Prefix log messages with the specified prefix; up to 29 letters long, and useful for
        distinguishing messages in the logs.
In your example log line, '...LOG_INPUT' is probably the --log-prefix value. You can identify the origin rule by grepping for this value (see below).
Whether or not a given line is actually added to a log, and which one, is determined by the configuration of syslog on your system. As I understand it, the log level of the message as set in an iptables rule, is masked by the syslog selector to determine what actually enters the log. See man syslog.conf, SELECTORS for more details.
But it appears that you do not know what rules are sending the log messages, or why, so it would probably be informative to try to find their source and determine whether you are even interested in logging them.
You might try grepping the existing rules for LOG as a starting point.
Code:
iptables -S | grep -i LOG
If your rules are using the NFLOG target instead of LOG, you will see that in the rules along with --nflog-prefix, etc., but the above still applies.
That will tell you what rules are logging and what chain they are located in. You should be able to match that with your firewall config or application to turn logging on or off, or change the log level.
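As an added example (my own, not astrogeek's code and not from anyone in this thread), the two steps above as POSIX shell helpers: one that lists every LOG/NFLOG rule with its chain and prefix from an `iptables -S` dump, and one that counts what a given prefix is actually logging and ranks the busiest source/protocol/port combinations. Both work on text, so you can run them on a captured dump and a log excerpt without root. The prefix "LOG_INPUT: " is an assumption (the thread title shows only its tail), and the rule dump and log lines embedded below are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: two helpers for the steps above.
# logging_rules lists the LOG/NFLOG rules (chain, target, prefix) from an
# `iptables -S` dump on stdin; flood_summary ranks what one prefix is actually
# logging. Both work on plain text, so they run on a captured dump and a log
# excerpt without root. Assumptions: the prefix is "LOG_INPUT: " (the thread
# title shows only its tail); the rule dump and log lines below are
# constructed sample data, not taken from the original poster's system.

# Constructed stand-in for `iptables -S` output.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N BLOCKLIST
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m set --match-set blocklist src -j BLOCKLIST
-A INPUT -j LOG --log-prefix "LOG_INPUT: " --log-level 7
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A BLOCKLIST -j NFLOG --nflog-prefix "Ipset blocklist: " --nflog-group 1
-A BLOCKLIST -j DROP'

# Constructed stand-in for an excerpt of /var/log/messages.
SAMPLE_LOG='Mar  3 10:00:01 host kernel: LOG_INPUT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=44321 DPT=23 SYN
Mar  3 10:00:02 host kernel: LOG_INPUT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=44322 DPT=23 SYN
Mar  3 10:00:02 host kernel: LOG_INPUT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=UDP SPT=5353 DPT=5353
Mar  3 10:00:03 host sshd[1234]: Accepted publickey for admin from 198.51.100.20 port 50000 ssh2'

# logging_rules: read `iptables -S` (or ip6tables -S) output on stdin and print
# CHAIN TARGET "PREFIX" for every rule that jumps to LOG or NFLOG.
logging_rules() {
    awk '
        $1 == "-A" && /-j (LOG|NFLOG)( |$)/ {
            chain = $2; target = ""; prefix = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "--log-prefix" || $i == "--nflog-prefix") {
                    # iptables quotes the prefix and it may contain spaces,
                    # so reassemble fields until the closing quote
                    p = $(i + 1); j = i + 1
                    while (substr(p, length(p), 1) != "\"" && j < NF) { j++; p = p " " $j }
                    prefix = substr(p, 2, length(p) - 2)
                }
            }
            printf "%s %s \"%s\"\n", chain, target, prefix
        }'
}

# flood_summary FILE PREFIX [N]: count the lines in FILE that carry PREFIX and
# show the N busiest SRC/PROTO/DPT combinations, so you know who is producing
# the volume before deciding to rate-limit, stop logging, or keep the rule.
flood_summary() {
    _file=$1; _pfx=$2; _top=${3:-10}
    printf 'matched %s line(s) with prefix "%s"\n' \
        "$(grep -c -F -- "$_pfx" "$_file")" "$_pfx"
    awk -v pfx="$_pfx" '
        index($0, pfx) == 0 { next }
        {
            src = proto = dpt = "-"
            for (i = 1; i <= NF; i++)
                if (split($i, kv, "=") == 2) {
                    if (kv[1] == "SRC") src = kv[2]
                    else if (kv[1] == "PROTO") proto = kv[2]
                    else if (kv[1] == "DPT") dpt = kv[2]
                }
            n[src " " proto " " dpt]++
        }
        END { for (k in n) printf "%6d %s\n", n[k], k }' "$_file" | sort -rn | head -n "$_top"
}

# Demo on the constructed data. On a live host:
#   iptables -S | logging_rules          (and ip6tables -S | logging_rules)
#   flood_summary /var/log/messages 'LOG_INPUT: ' 20
printf '%s\n' "$SAMPLE_RULES" | logging_rules
_tmp=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$_tmp"
flood_summary "$_tmp" 'LOG_INPUT: ' 5
rm -f "$_tmp"
```

Run the first helper against both `iptables -S` and `ip6tables -S` (and the `-legacy` variants if the box has both backends), since a prefix can be reused in several chains. The summary deliberately keys on source, protocol and destination port: a single scanner hammering one port is a candidate for dropping without logging or for a per-source `hashlimit`, while broad background noise is what `-m limit` on the LOG rule is for.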
I think you have to set up log files in iptables itself. messages is the default.
Yes. Each line that wants logging uses -j LOG, and --log-level sets the level.
Quote:
Originally Posted by astrogeek
You can set the log level in any rule which invokes the LOG target. From man iptables-extensions:...
It's in man iptables on this system. Unfortunately --log-level rejects LOCAL? arguments and rsyslog.conf doesn't honor my setting of programname=iptables to separate these entries.
log-level takes numbers. man syslog.conf, which I use on my machine, lists numbers for each level. man rsyslog.conf, though it accepts LOCAL?, doesn't list numbers.
You should set a separate file for firewall messages. This is the (snippet) rsyslog.conf I use:
Code:
# Log anything (except mail, spooler) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;auth.none;cron.none;\
uucp.none;news.none;lpr.none /var/log/syslog
# The authpriv file has restricted access.
authpriv.*;auth.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news, uucp, and lpr (printing) messages to spooler file
uucp,news,lpr.* /var/log/spooler
# Save (usually unused) local* to main syslog
local0,local1,local2,local3,local4,local5,local6,local7.* /var/log/syslog
# Firewall (really log lev7), of the kernel (only)
kern.=debug /var/log/firewall
# Verbose output from daemons.
daemon.=debug /var/log/debug
There's no "messages". They are all messages.
Consider rate limiting your iptables log target messages so they don't flood the logs and make them unusable.
Code:
# -m limit with no options uses its defaults, --limit 3/hour --limit-burst 5:
# up to 5 lines straight away, then one line every 20 minutes for this rule.
# Raise it (e.g. --limit 10/min --limit-burst 20) if you want more detail.
# The LOG rule must precede the DROP because LOG is non-terminating.
iptables -A INPUT -m set --match-set blocklist src -m limit -j LOG --log-level 7 --log-prefix "Ipset blocklist: "
iptables -A INPUT -m set --match-set blocklist src -j DROP
You should set a separate file for firewall messages. This is the (snippet) rsyslog.conf I use...
How do you know iptables log-levels correspond to which rsyslog facilities?
Quoth man syslog.conf
Quote:
Code Facility Description
0 kern Kernel log messages
1 user User-level messages
2 mail Mail system
3 daemon General system daemons
4 auth Security/authorization messages
5 syslog Messages generated by syslogd
6 lpr Line printer subsystem
7 news Network news subsystem
8 uucp UNIX-to-UNIX copy
9 cron Clock/cron daemon (BSD, Linux)
10 authpriv Security/authorization messages (private)
11 ftp FTP daemon
12 ntp NTP subsystem
13 security Log audit
14 console Log alert
15 unused Clock/cron daemon (Solaris)
16 local0 Reserved for local/system use
17 local1 Reserved for local/system use
18 local2 Reserved for local/system use
19 local3 Reserved for local/system use
20 local4 Reserved for local/system use
21 local5 Reserved for local/system use
22 local6 Reserved for local/system use
23 local7 Reserved for local/system use
man rsyslog has no such list. When I tried to set log-level to 16 iptables objected. When I set it to 3 rsyslog didn't put its messages where I configured rsyslog.conf to send daemon's.
They probably follow /usr/include/sys/syslog.h, whether rsyslog or inetutils syslog. Sometimes I run rsyslogd, sometimes syslogd, but the messages end up in the right place no matter which is running.
It's a difference in terminology. When iptables uses log-level they refer to priority; I was referring to facility. Some other source I deal with uses level when it means facility, which confused me. I'd really like iptables to let me specify a facility so I could put all its messages in a unique log but I can't find that in the man pages.
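For the rsyslog.conf snippet earlier in the thread and the facility question in this last exchange, an added example (my own, not from any poster here). The LOG target is a kernel printk, so every line reaches syslog with facility kern and the severity from --log-level; no rule option selects a facility. rsyslog can still give those lines their own file by matching the --log-prefix text, which is more selective than `kern.=debug` (that selector also catches every other KERN_DEBUG message and misses LOG rules that use another level). The script writes such a drop-in and includes a small decoder for syslog PRI values so you can check what facility and severity a raw kernel message actually carries. Assumed, not from the page: the prefix "LOG_INPUT: ", the drop-in path /etc/rsyslog.d/10-firewall.conf, the destination /var/log/firewall, and that your rsyslog.conf includes /etc/rsyslog.d/*.conf before its own catch-all rules (check yours); the /dev/kmsg record in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. The LOG target is a kernel printk, so
# every line reaches syslog with facility kern (0) and the severity given by
# --log-level; a rule cannot pick a facility. rsyslog can still give the
# lines their own file by matching the --log-prefix text.
# Assumptions: prefix "LOG_INPUT: ", drop-in /etc/rsyslog.d/10-firewall.conf,
# destination /var/log/firewall, and an rsyslog.conf that includes
# /etc/rsyslog.d/*.conf before its own catch-all rules (check yours).

# write_firewall_routing [DEST] [PREFIX] [LOGFILE]: write an rsyslog drop-in
# that sends every message containing PREFIX to LOGFILE and stops processing,
# so it no longer lands in /var/log/messages or /var/log/syslog.
write_firewall_routing() {
    _dest=${1:-/etc/rsyslog.d/10-firewall.conf}
    _pfx=${2:-LOG_INPUT: }
    _file=${3:-/var/log/firewall}
    cat > "$_dest" <<EOF
# iptables LOG lines arrive as facility kern; select them by the --log-prefix
# text, write them to their own file, then stop so the generic *.info rule
# never sees them. Property-based filter syntax; "& stop" needs rsyslog 7+
# (older versions spell it "& ~").
:msg, contains, "$_pfx" $_file
& stop
EOF
}

# pri_decode N: decode a syslog PRI value (facility * 8 + severity), as seen in
# the <N> header of a raw message or the first field of a /dev/kmsg record,
# into facility.severity using the numbering from sys/syslog.h. Kernel
# messages always decode to kern.<level>, whatever --log-level was.
pri_decode() {
    case $1 in ''|*[!0-9]*) printf 'pri_decode: need a number\n' >&2; return 1;; esac
    [ "$1" -le 191 ] || { printf 'pri_decode: PRI must be 0..191\n' >&2; return 1; }
    _fac_names="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp security console unused local0 local1 local2 local3 local4 local5 local6 local7"
    _sev_names="emerg alert crit err warning notice info debug"
    _fac=$(( $1 / 8 )); _sev=$(( $1 % 8 ))
    set -- $_fac_names; shift "$_fac"; _f=$1
    set -- $_sev_names; shift "$_sev"; _s=$1
    printf '%s.%s\n' "$_f" "$_s"
}

# Demo with a temporary path. On a real host write the default path, then run
# `rsyslogd -N1` to validate and restart rsyslog.
_demo=$(mktemp); write_firewall_routing "$_demo"; cat "$_demo"; rm -f "$_demo"
pri_decode 7                 # what --log-level 7 arrives as: kern.debug
# constructed /dev/kmsg record: "PRI,seq,usec,flags;message"
_rec='7,1042,5131055,-;LOG_INPUT: IN=eth0 OUT= SRC=203.0.113.7'
pri_decode "${_rec%%,*}"     # kern.debug again: the facility is fixed by the kernel
```

After writing the drop-in, validate with `rsyslogd -N1`, restart rsyslog, and give /var/log/firewall its own logrotate stanza; with a prefix-based filter the rule's --log-level no longer matters for routing, so it can stay at whatever level you prefer for `dmesg`. If you want the lines out of the main log but do not need the file at all, replace the file action with `stop` alone, or better, fix the rule that generates them.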