
Re: Logging IPTables to file using syslogd

Diyan Christian <sauron@lug.stikom.edu> writes:

> (Wednesday 19 June 2002 12:25 pm) Pyuesh Daya wrote:
>> I have an iptables firewall, and I am looking at logging the firewall logs into a separate file using syslogd. At the moment it is being logged to the messages file and a file called firewall. My syslog.conf file is as follows:
>> kern.*                          -/var/log/firewall
> By default iptables LOG will log to kern.warning, so you can simply put:
> kern.warning	/var/log/iptables.log
> There is a --log-level <level> parameter on iptables with which you can select the
> level for syslog output (I suggest alert).
>> How do I change this so the logging is done to separate files.

One tried and true way is to run syslog into a named pipe.  I like to
run everything into a fifo, then one can filter as you please.

At the end of /etc/syslog.conf
*.*                                          |/var/adm/sys_fifo

Where /var/adm/sys_fifo was created with the mkfifo appliance (man mkfifo).

Once syslog is restarted it will print everything to  that named pipe.
(That is in addition to normal logging to /var/log/messages etc.)

However nothing accumulates in a file unless you put a listener on
the pipe.  That would be a script of your own making that catches
whatever you want caught.  You'll see things in iptables log output that
are unique, or you can set something yourself with the iptables flags.

To get an idea of how this works, you could put the above line in
syslog.conf, then `kill -HUP (syslogd process id)' or on redhat:
`service syslog restart'

Then say `cat /var/adm/sys_fifo' in a new xterm (as root).  As the
system runs along you should see all syslog output there.  So replace
`cat' with `grep 'REGEX' /var/adm/sys_fifo > my_log' to catch what you
want, or of course, a more elaborate script.
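The listener sketched in the message above, written out as a small POSIX sh script. This is an added example, not code from the original post. It reads syslog lines on stdin (in real use that would be the named pipe, e.g. `ipt_listener /var/log/iptables.log < /var/adm/sys_fifo`) and appends only the netfilter LOG lines, recognised by their `IN=... OUT=...` fields, to the file given as its argument. The `FW-DROP:` log prefix and all sample log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a listener for the syslog named pipe described in the
# message above. Not from the original post.
#
# Real-world setup (from the message): mkfifo /var/adm/sys_fifo, add
#   *.*   |/var/adm/sys_fifo
# to /etc/syslog.conf, HUP syslogd, then run
#   ipt_listener /var/log/iptables.log < /var/adm/sys_fifo
# Here the fifo is replaced by stdin so the function can be exercised on
# constructed sample lines without touching the system.

# Read syslog lines from stdin and append the netfilter LOG lines to $1.
# Netfilter LOG output always carries "IN=<if> OUT=<if>" fields, so that
# pattern selects iptables lines regardless of the --log-prefix used.
# A while/read loop is used instead of grep so each match is flushed as
# it arrives rather than when grep's output buffer happens to fill.
ipt_listener() {
    logfile="$1"
    while IFS= read -r line; do
        case "$line" in
            *IN=*OUT=*)
                # printf '%s\n' rather than echo: log content is data, never
                # interpreted as options or escape sequences.
                printf '%s\n' "$line" >> "$logfile"
                ;;
        esac
    done
}

# Constructed sample syslog output (not real captured logs). Two lines are
# netfilter LOG lines with the constructed prefix "FW-DROP:", two are not.
SAMPLE='Jun 19 12:25:01 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
Jun 19 12:25:02 fw sshd[1234]: Accepted publickey for admin from 192.0.2.20 port 5000 ssh2
Jun 19 12:25:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=40 PROTO=UDP SPT=53 DPT=53
Jun 19 12:25:04 fw cron[99]: (root) CMD (run-parts /etc/cron.hourly)'

# Run the listener over the constructed sample and report how many lines
# it kept. Used both as a self-check and as the demonstration run.
count_matches() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE" | ipt_listener "$tmp"
    wc -l < "$tmp" | tr -d ' '
    rm -f "$tmp"
}
```

Two points worth keeping in mind when this is run against a real fifo: the listener has to stay attached continuously (a restart loop or supervisor), because syslogd does not hold back lines for a reader that is not there; and the separate file it produces is only as trustworthy as the process writing it, so keep it root-owned with the same permissions as /var/log/messages.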
