Stefan Srdic <[EMAIL PROTECTED]> writes:

> Tim Haynes wrote:
>
> > FWIW, my approach: assert a log-prefix in your logging iptables rules, and
> > install syslog-ng with a regexp match to pick up your prefix (make it
> > distinctive, eg 'Catch-all: .*IN=.*OUT=' would probably be precise enough).
>
> I kinda understand what you're saying, install syslog

syslog-*ng*.

> and configure it to divert logs that match my Netfilter log prefix into a
> separate file.
>
> Only I don't quite know how to implement this, I have installed syslog-ng
> and have read the man pages, but I can't seem to figure this one out.

Righty. My regular basic start-point for an iptables firewall is to be found
at <http://spodzone.org.uk/packages/secure/iptables.sh>. Have a look by all
means, but the Important thing to note is that I have a `drop & log' chain
with `--log-prefix="catch-all "' asserted. Your logging rules should also
assert such a distinctive beastie as well.

The syntax of /etc/syslog-ng/syslog-ng.conf is simple enough once you get to
grips with it. What the manpage might not be so clear about is that you have
4 things to worry about:

1) a source for where to get things from:

   source src { unix-stream("/dev/log"); internal(); file("/proc/kmsg"); };

2) various destinations to send things to:

   destination firewall {
       file("/var/log/firewall.log" owner("root") group("adm") perm(0640));
   };

3) some filters to selectively match what you want:

   filter f_firewall { match("catch-all .*IN=.*OUT="); };

4) a mapping such that logs coming from a source matching a filter wind up in
   a given destination:

   log { source(src); filter(f_firewall); destination(firewall); };

String those together (the default config file has lots of each, which might
be confusing), touch a 0-byte file /var/log/firewall.log, restart syslog-ng,
and life will be peachy. Hopefully ;8)

HTH,

~Tim
--
These are the days when you wish        |[EMAIL PROTECTED]
your bed was already made.              |http://spodzone.org.uk/
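[Editor's added example, not Tim's code or part of the original thread.] Once the filter above has diverted the prefixed netfilter lines into /var/log/firewall.log, the next question is what to do with them. The script below applies the same regexp as the syslog-ng filter ("catch-all .*IN=.*OUT=") to a few constructed syslog lines, splits the KEY=VALUE fields that the iptables LOG target emits, and tallies inbound hits per source address and per (protocol, destination port). The sample lines, hostnames and addresses are made up for this example; the field names (IN, OUT, SRC, DST, PROTO, DPT) are the ones the LOG target really writes, and the prefix is the one from the post.

```python
import re
from collections import Counter

# The same pattern the post uses in its syslog-ng filter, applied here in
# Python so the sample lines can be checked offline.
FILTER_RE = re.compile(r"catch-all .*IN=.*OUT=")
# KEY=VALUE tokens as written by the iptables LOG target.
FIELD_RE = re.compile(r"(\w+)=(\S*)")
PREFIX = "catch-all "

# Constructed sample syslog lines in the shape the netfilter LOG target
# produces after the post's "catch-all " prefix. Hostname, addresses and
# timestamps are invented for this example; the third line is an unrelated
# sshd message that the filter must leave alone.
SAMPLE_LOG = """\
Mar  3 10:01:02 fw kernel: catch-all IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:03 fw kernel: catch-all IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43211 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:05 fw sshd[1234]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2
Mar  3 10:01:07 fw kernel: catch-all IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 PROTO=UDP SPT=5353 DPT=5353 LEN=40
Mar  3 10:01:09 fw kernel: catch-all IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=43210 WINDOW=0 RES=0x00 ACK RST URGP=0
"""


def matches_filter(line):
    """True when the line would pass the post's syslog-ng match() filter."""
    return FILTER_RE.search(line) is not None


def parse_netfilter(line):
    """Return the KEY=VALUE fields of a prefixed netfilter log line, or None.

    Bare flags such as DF, SYN or ACK carry no '=' and are skipped. When a
    key repeats (UDP lines carry LEN twice: IP length, then UDP length) the
    last value wins, which is fine for a summary like this one.
    """
    if not matches_filter(line):
        return None
    message = line.split(PREFIX, 1)[1]
    return dict(FIELD_RE.findall(message))


def inbound_hits(lines):
    """Count logged packets per source address for inbound traffic only
    (IN set, OUT empty), which is what a firewall log review usually wants;
    the box's own outbound rejects are left out so they do not skew it."""
    hits = Counter()
    for line in lines:
        fields = parse_netfilter(line)
        if fields and fields.get("IN") and not fields.get("OUT"):
            hits[fields["SRC"]] += 1
    return hits


def targeted_ports(lines):
    """Count inbound hits per (PROTO, DPT) pair, e.g. ('TCP', '22')."""
    ports = Counter()
    for line in lines:
        fields = parse_netfilter(line)
        if fields and fields.get("IN") and not fields.get("OUT"):
            ports[(fields.get("PROTO", "?"), fields.get("DPT", "-"))] += 1
    return ports


if __name__ == "__main__":
    # Normally you would read /var/log/firewall.log here instead.
    lines = SAMPLE_LOG.splitlines()
    print("inbound hits by source:")
    for src, n in inbound_hits(lines).most_common():
        print(f"  {src:16} {n}")
    print("inbound hits by proto/port:")
    for (proto, dpt), n in targeted_ports(lines).most_common():
        print(f"  {proto}/{dpt:6} {n}")
```

Point the `lines` variable at the real /var/log/firewall.log (open it and iterate) and the same two counters give you a quick "who is knocking, and on what" view; if you change the `--log-prefix` in your iptables rules, change PREFIX and FILTER_RE here together with the syslog-ng filter, since all three have to agree.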

