Re: logging with iptables
>> On Thu, 19 Sep 2024, fxkl47BF@protonmail.com wrote:
> in my iptables i have tcp LOG flags 0 level 4 prefix "REJECT: "
> this does what i want but how to direct the logging
> it gets written to multiple file in /var/log
> syslog, messages, kern, debug
> can i restrict this to a single file
You might have better luck if you used rsyslog. I've appended the
rsyslog.conf file I used on my last Linux box. Features:
* I still use the short date format in typical syslog files -- I don't
need the full year because each logfile is linked to a dated version in
a subdirectory. This also makes log rotation vastly simpler. See the
"TEMPLATES" section:
/var/log/cron -> /var/log/YYYY/MMDD/cron
etc.
* You can weed out crap messages that fill up logs. See the "FILTERS"
section for more.
* The first entry in the "RULES" section shows how to put iptables
stuff in its own "firewall" log.
--
Karl Vogel I don't speak for anyone but myself
Photographing a volcano is just about the most miserable thing you can do.
--Robert B. Goodman, who has clearly never tried to use a PDP-10
# -------------------------------------------------------------------------
# rsyslog v5 configuration file
#
# $Revision: 1.4 $ $Date: 2020-08-31 01:07:59-04 $
# $Source: /doc/sitelog/linuxwks/vcs/etc/rsyslog.conf,v $
# $Host: linuxwks $
# $UUID: 0aac27dd-1bdd-3c91-92e8-857140e878db $
#
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# Problems? http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES =====================================================
# provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock
# provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# provides --MARK-- message capability
#$ModLoad immark
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#
#### GLOBAL DIRECTIVES ===========================================
# Use short timestamp format
## $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ActionFileDefaultTemplate ShortForm
# Use high-precision timestamps and timezone information.
## $ActionFileDefaultTemplate RSYSLOG_FileFormat
# File syncing capability is disabled by default. This feature is
# usually not required, not useful and an extreme performance hit
## $ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### TEMPLATES ===================================================
$template DYNauth,"/var/log/%$YEAR%/%$MONTH%%$DAY%/secure"
$template DYNcron,"/var/log/%$YEAR%/%$MONTH%%$DAY%/cron"
$template DYNfirewall,"/var/log/%$YEAR%/%$MONTH%%$DAY%/firewall"
$template DYNkern,"/var/log/%$YEAR%/%$MONTH%%$DAY%/kernlog"
$template DYNmail,"/var/log/%$YEAR%/%$MONTH%%$DAY%/maillog"
$template DYNmessages,"/var/log/%$YEAR%/%$MONTH%%$DAY%/messages"
# This is identical to traditional format, without the hostname.
$template ShortForm,"%timegenerated% %syslogtag%%msg%\n"
#### FILTERS =====================================================
# This apparently comes from Radeon fence code in the kernel: ignore.
#:msg, contains, " armed on ring " ~
#:msg, contains, " signaled from irq context" ~
#:msg, contains, " pending" ~
#:msg, contains, "alloc_contig_range:" ~
#### RULES =======================================================
# Log iptables drops to firewall log using discard action.
if \
$syslogfacility-text == 'kern' \
and $msg contains 'Denied' \
then ?DYNfirewall
& ~
kern.* ?DYNkern
# ----------------------------------------------------------------
# Log all the mail messages in one place. Postfix stuff must be ID'd
# by looking at the message contents; this has to come before general
# processing so we can discard the message, or postfix entries are
# also logged to "messages".
if \
$msg contains 'postfix/' \
or \
$syslogfacility-text == 'mail' \
then ?DYNmail
& ~
# ----------------------------------------------------------------
# Log anything of level info or higher.
# Don't log private authentication messages!
## authpriv.none;auth.none;kern.none;cron.none;local5.none;*.info
## /var/log/messages
if \
$syslogseverity <= '6' \
and ( \
$syslogfacility-text != 'auth' \
and \
$syslogfacility-text != 'authpriv' \
and \
$syslogfacility-text != 'cron' \
and \
$syslogfacility-text != 'kern' \
and \
$syslogfacility-text != 'mail' \
) \
then ?DYNmessages
# ----------------------------------------------------------------
# The authpriv file has restricted access.
## authpriv.* /var/log/secure
## auth.* /var/log/secure
if \
$syslogseverity <= '6' \
and ( \
$syslogfacility-text == 'auth' \
or \
$syslogfacility-text == 'authpriv' \
) \
then ?DYNauth
# ----------------------------------------------------------------
# Log cron stuff
## cron.* /var/log/cron
if \
$syslogseverity <= '6' \
and \
$syslogfacility-text == 'cron' \
then ?DYNcron
# ----------------------------------------------------------------
# Everybody gets emergency messages
*.emerg *
# ----------------------------------------------------------------
# Local logs; save boot messages to boot.log
local0.* /var/log/local0log
local1.* /var/log/local1log
local2.* /var/log/local2log
local3.* /var/log/local3log
local4.* /var/log/local4log
local5.* /var/log/local5log
local6.* /var/log/local6log
local7.* /var/log/boot.log
#### EOF =========================================================
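Once the iptables LOG lines land in their own firewall file, the next thing you usually want is a quick count of what is being rejected. The script below is an added example, not part of Karl's message or of rsyslog; it assumes the ShortForm layout from the config above ("%timegenerated% %syslogtag%%msg%") and the "REJECT: " prefix from the original question, and the sample lines are constructed (RFC 5737 documentation addresses, not real hosts).

```python
import re
from collections import Counter

# Constructed sample firewall log, in the ShortForm template layout
# ("%timegenerated% %syslogtag%%msg%") as imklog delivers iptables LOG
# records with prefix "REJECT: ". One non-firewall kernel line is mixed in
# to show that it is skipped rather than mis-parsed.
SAMPLE_LOG = """\
Sep 19 10:12:01 kernel: REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 19 10:12:02 kernel: REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 19 10:12:05 kernel: REJECT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=120 ID=9 PROTO=UDP SPT=53 DPT=5353 LEN=20
Sep 19 10:12:06 kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
Sep 19 10:12:09 kernel: REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=TCP SPT=44323 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# "Sep 19 10:12:01 kernel: <msg>"; \s* tolerates msg with or without a leading space
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<tag>\S+:)\s*(?P<msg>.*)$")
# iptables LOG fields are KEY=VALUE tokens; bare flags like DF or SYN have no '='
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_firewall_line(line, prefix="REJECT: "):
    """Return the LOG fields of one line, or None if it is not an iptables
    record carrying the given prefix (e.g. an ordinary kernel message)."""
    m = LINE_RE.match(line)
    if not m or not m.group("msg").startswith(prefix):
        return None
    fields = {"timestamp": m.group("ts")}
    for key, value in KV_RE.findall(m.group("msg")[len(prefix):]):
        # UDP/TCP lines carry LEN twice (IP header, then transport);
        # setdefault keeps the first, i.e. the IP total length.
        fields.setdefault(key, value)
    return fields


def summarize(text, prefix="REJECT: "):
    """Count rejected packets per (SRC, PROTO, DPT) over a whole log."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_firewall_line(line, prefix)
        if f is None or "SRC" not in f:
            continue
        counts[(f["SRC"], f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
    return counts


if __name__ == "__main__":
    for (src, proto, dport), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {src:<15} {proto:<4} dpt={dport}")
```

Point it at the dated firewall file instead of SAMPLE_LOG (for example `open("/var/log/2024/0919/firewall").read()`) to get the same summary for a real day's log.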