/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */

[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> I would like to have those messages logged in a specific log file
> (let's say, /var/log/firewall) instead of the more general log file
> /var/log/messages (with sysklogd).

Since the firewalling is done by the Linux kernel, the messages emitted
come from the kernel.  The standard syslogd can't determine which kernel
messages are firewall messages, and which are other types of kernel
messages (such as those seen at boot time, or CD/floppy read errors,
etc).

If you configure syslogd to direct kernel messages into /var/log/firewall,
you will mostly get what you want, except there will be other kernel
messages mixed in from time to time.

There may be other syslog daemons which are capable of searching for
certain expressions in the log messages and placing those into another
file.  If you can find and use such a daemon, you could make use of the
--log-prefix option to put a special string for your daemon to
recognize and file appropriately.

Another option, the one I use, is to install and configure ulogd.  This
is a special daemon that works in tandem with the iptables "ULOG"
target.  The logs are passed through a netlink socket, instead of the
usual kernel logging method.  This allows the ulogd daemon to capture
the messages and report them in a number of fashions.  I use this config
with mine:

    nlgroup 1
    logfile /var/log/ulogd.log
    loglevel 5
    bufsize 65535
    plugin /usr/lib/ulogd/ulogd_BASE.so
    syslogfile /var/log/firewall.log
    syslogsync 1
    plugin /usr/lib/ulogd/ulogd_LOGEMU.so

And then with iptables, instead of

    iptables (...)  -j LOG --log-prefix DROP:

I use this:

    iptables (...) -j ULOG --ulog-prefix DROP:

It works for me.

Ulogd can be found at

    http://gnumonks.org/projects/project_details?p_id=1

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)     || "Good judgment comes from experience.
sometimes known as David DeSimone  ||  Experience comes from bad judgment."
_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- 
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
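The prefix-matching approach the reply mentions, written out as an added example that is not part of the original mail: a small Python filter that does what a pattern-aware log daemon would do, splitting kernel syslog lines that carry the `DROP:` log-prefix from other kernel messages and parsing the iptables `KEY=VALUE` fields of the matches. The sample log lines, the host name `gw` and the addresses in them are constructed for the example.

```python
# Added example (not from the original mail): separate iptables LOG lines
# (identified by their --log-prefix) from other kernel messages in a syslog
# file, and parse the matched entries into dicts. Sample data is constructed.
import re

# Classic sysklogd line: "<Mon DD HH:MM:SS> <host> kernel: <message>"
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$')
# iptables LOG fields look like IN=eth0 OUT= SRC=... ; bare flags (DF, SYN) have no '='
FIELD_RE = re.compile(r'(?P<key>[A-Z]+)=(?P<val>\S*)')
TCP_FLAGS = ('DF', 'SYN', 'ACK', 'FIN', 'RST', 'PSH', 'URG')

# Constructed sample: two ordinary kernel messages interleaved with two firewall drops
SAMPLE_LOG = """\
Mar  3 10:01:02 gw kernel: hda: read error, sector 12345
Mar  3 10:01:05 gw kernel: DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4444 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:01:07 gw kernel: eth0: link up, 100Mbps, full-duplex
Mar  3 10:01:09 gw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=UDP SPT=53 DPT=137
"""


def parse_fw_message(msg, prefix):
    """Parse the part after the log-prefix into a dict; bare flags become True."""
    body = msg[len(prefix):]
    fields = {m.group('key'): m.group('val') for m in FIELD_RE.finditer(body)}
    for flag in TCP_FLAGS:
        if re.search(r'\b%s\b' % flag, body):
            fields[flag] = True
    return fields


def split_kernel_log(text, prefix='DROP:'):
    """Return (firewall_entries, other_kernel_lines) for a block of syslog text.

    Lines whose kernel message starts with `prefix` are parsed into dicts
    (with ts/host added); every other kernel line is passed through untouched,
    which is exactly the separation plain syslogd cannot make on its own.
    """
    firewall, other = [], []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a kernel line in the expected syslog shape
        msg = m.group('msg')
        if msg.startswith(prefix):
            entry = parse_fw_message(msg, prefix)
            entry.update(ts=m.group('ts'), host=m.group('host'))
            firewall.append(entry)
        else:
            other.append(line)
    return firewall, other
```

To route the results the way the original poster wanted, write `firewall` entries to /var/log/firewall and leave `other` in the general kernel log.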