Re: Creating a logfile for Netfilter
Stefan Srdic <linuxbox@telusplanet.net> writes:
> Tim Haynes wrote:
>
> > FWIW, my approach: assert a log-prefix in your logging iptables rules, and
> > install syslog-ng with a regexp match to pick up your prefix (make it
> > distinctive, eg 'Catch-all: .*IN=.*OUT=' would probably be precise enough).
>
> I kinda understand what you're saying, install syslog
syslog-*ng*.
> and configure it to divert logs that match my Netfilter log prefix into a
> separate file.
>
> Only I don't quite know how to implement this, I have installed syslog-ng
> and have read the man pages, but I can't seem to figure this one out.
Righty. My regular basic start-point for an iptables firewall is to be
found at <http://spodzone.org.uk/packages/secure/iptables.sh>. Have a look
by all means, but the Important thing to note is that I have a `drop & log'
chain with `--log-prefix="catch-all "' asserted. Your logging rules should
also assert such a distinctive beastie as well.
The syntax of /etc/syslog-ng/syslog-ng.conf is simple enough once you get
to grips with it. What the manpage might not be so clear about is that you
have 4 things to worry about:
1) a source for where to get things from:
source src { unix-stream("/dev/log"); internal(); file("/proc/kmsg"); };
2) various destinations to send things to:
destination firewall { file("/var/log/firewall.log"
owner("root") group("adm") perm(0640)); };
3) some filters to selectively match what you want:
filter f_firewall { match("catch-all .*IN=.*OUT="); };
4) a mapping such that logs coming from a source matching a filter wind
up in a given destination:
log { source(src); filter(f_firewall); destination(firewall); };
String those together (the default config file has lots of each, which
might be confusing), touch a 0-byte file /var/log/firewall.log, restart
syslog-ng, and life will be peachy. Hopefully ;8)
HTH,
~Tim
--
These are the days when you wish |piglet@stirfried.vegetable.org.uk
your bed was already made. |http://spodzone.org.uk/
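As an added illustration (not part of Tim's post, nor syslog-ng's own code), here is a small Python script that applies the same `catch-all .*IN=.*OUT=` match from the filter above to a few constructed syslog lines and then parses the Netfilter KEY=VALUE fields out of the hits; the log lines, host name `gw` and addresses are made up.

```python
import re

# Same regexp as the syslog-ng filter in the post: only lines carrying the prefix pass.
FIREWALL_RE = re.compile(r"catch-all .*IN=.*OUT=")
# Netfilter writes space-separated KEY=VALUE tokens plus bare flags such as DF or SYN.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample syslog lines (not real traffic): two firewall hits, one unrelated
# kernel line and one sshd line that the filter must leave alone.
SAMPLE_LOG = """\
Mar  3 12:00:01 gw kernel: catch-all IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=45123 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 12:00:02 gw kernel: eth0: link up
Mar  3 12:00:03 gw sshd[812]: Accepted publickey for tim from 192.0.2.20 port 50022 ssh2
Mar  3 12:00:04 gw kernel: catch-all IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=28 TOS=0x00 PREC=0x00 TTL=113 ID=4321 PROTO=UDP SPT=1025 DPT=137 LEN=8
"""


def is_firewall_line(line):
    """Mirror the syslog-ng filter: True only for Netfilter lines with the prefix."""
    return FIREWALL_RE.search(line) is not None


def parse_firewall_line(line):
    """Turn the KEY=VALUE tokens after the prefix into a dict; an empty OUT= becomes ''."""
    payload = line.split("catch-all ", 1)[1]
    fields = {}
    for key, value in FIELD_RE.findall(payload):
        fields.setdefault(key, value)  # keep the first LEN= (IP header), not the inner UDP one
    return fields


def select_firewall_entries(log_text):
    """Apply the filter, then parse: one dict per firewall hit."""
    return [parse_firewall_line(l) for l in log_text.splitlines() if is_firewall_line(l)]


def summarise_by_port(entries):
    """Count logged packets per (PROTO, DPT), a cheap first look at what is knocking."""
    counts = {}
    for e in entries:
        key = (e.get("PROTO"), e.get("DPT"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = select_firewall_entries(SAMPLE_LOG)
    for h in hits:
        print(h["SRC"], "->", h["DST"], h["PROTO"], "dpt", h.get("DPT"))
    print(summarise_by_port(hits))
```

Point the script at /var/log/firewall.log once syslog-ng is diverting the lines there and it gives a quick per-port tally of what the catch-all chain is dropping.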