
Re: iptables log target logs everything to tty*. Why?

Derek Martin wrote:
On Sat, Jun 24, 2006 at 12:58:42AM +0200, Erik Persson wrote:
I tried with klogd -c 0 but the messages just kept on coming. It seems that the minimal allowed log level for kernel messages was set to 4 on the router and klogd -c 0 thus didn't change the kernel log level as I thought. This solves the problem since I now know what caused it. I will probably change the iptables log level to debug to get rid of the messages.

Did you restart klogd?  I don't believe it will change unless you stop
the old running klogd and restart it.  If you didn't stop the
previously running one, the new one you started won't do anything,
except exit with an error message, "Already running."

I killed klogd, and afterwards I checked if it was running, and it was not.
(the messages kept on coming even after I killed klogd but I guess it is the kernel that prints the messages). I didn't see any error messages when restarting klogd with -c 0 but it could have been because I restarted klogd with "/etc/init.d/klogd start" (after editing as to start it with -c 0).

Anyway, doing all from the command line shows where the probable problem lies:
root@shere:~# ps axu | grep klogd
root     10539  0.0  0.1  4148 1980 ?        Ss   Jun22   0:05 /sbin/klogd
root     26387  0.0  0.0  2984  612 pts/0    S+   12:38   0:00 grep klogd

root@shere:~# cat /proc/sys/kernel/printk
7       4       1       7

root@shere:~# kill 10539
root@shere:~# ps axu | grep klogd

root@shere:~# klogd -c 0
klogd: Invalid console logging level <0> specified.

root@shere:~# ps axu | grep klogd

root@shere:~# klogd -c 3

root@shere:~# ps axu | grep klogd
root     26401  1.5  0.1  4148 1976 ?        Ss   12:40   0:00 klogd -c 3

root@shere:~# cat /proc/sys/kernel/printk
3       4       1       7

man proc reveals that the 1 is the lowest value that console log level may be set to. That's the reason, I guess, that klogd -c 0 did fail.

There might be a slightly easier way...
The dmesg command, in addition to dumping the kernel's message buffer
to the screen, can set the maximum priority (number) of messages which
get logged to the console.  For example:

  dmesg -n 1

This would do the same thing as klogd -c 1 I guess.

This will log only panic messages to the console.  IIRC the default
level of iptables messages is 5 (warn), so this will prevent the
messages from being printed to the console.  You can add it to your
init scripts somewhere, or your script for starting your iptables

As I didn't know there was a minimum allowed log level everything just seemed strange at first and I didn't get why the messages just kept on coming even though I killed off syslogd, klogd and restarted klogd with klogd -c 0. I thought that there was another process or system responsible for printing the messages to the console, but I couldn't find any.

But now I know the reason, so the problem is solved. I know what caused the problem and I know some possible ways to get rid of them.
The best way seems to be to change the log level of the iptables logs!

If you want to receive kernel messages on the console for priorities
higher than warn, you should be able to use up to dmesg -n 4 and still
eliminate the messages from being printed.  In practice, I find that
having the messages logged to syslog is enough, so logging only
critical messages works out fine.

Thanks for the help!
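
Added example, not part of the original message: a shell sketch of the rule this thread works out, that the kernel shows a message on the console only when its priority number is below the first field of /proc/sys/kernel/printk, and that the third field is the floor for that value. The function names are hypothetical; the two printk lines are the readings from the session above.

```shell
#!/bin/sh
# /proc/sys/kernel/printk fields, per proc(5):
#   console_loglevel  default_message_loglevel
#   minimum_console_loglevel  default_console_loglevel

# Map a syslog priority name (or a bare number 0-7) to its number.
prio_num() {
    case "$1" in
        emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;;
        err|error) echo 3 ;; warning|warn) echo 4 ;;
        notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        [0-7]) echo "$1" ;;
        *) return 1 ;;
    esac
}

# reaches_console "<printk line>" <priority>
# Succeeds when a message of that priority is printed on the console,
# i.e. when its number is lower than console_loglevel (field 1).
reaches_console() {
    console=$(printf '%s\n' "$1" | awk '{print $1}')
    p=$(prio_num "$2") || return 2
    [ "$p" -lt "$console" ]
}

# level_allowed "<printk line>" <requested console level>
# Field 3 is the lowest value console_loglevel may be set to.
level_allowed() {
    min=$(printf '%s\n' "$1" | awk '{print $3}')
    [ "$2" -ge "$min" ]
}

# List the priorities that stay off the console for a given printk line.
suppressed_levels() {
    out=""
    for name in emerg alert crit err warning notice info debug; do
        reaches_console "$1" "$name" || out="$out $name"
    done
    echo "${out# }"
}

BEFORE="7 4 1 7"   # reading taken before the change (from the session above)
AFTER="3 4 1 7"    # reading taken after "klogd -c 3"
for line in "$BEFORE" "$AFTER"; do
    echo "printk='$line' -> kept off the console: $(suppressed_levels "$line")"
done
level_allowed "$BEFORE" 0 || echo "level 0 is below the minimum in field 3"
```

On a live system, pass `"$(cat /proc/sys/kernel/printk)"` as the first argument instead of the sample lines.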

