Hi,
We are trying to track some specific rules using LOG as target. Everything is working well, but the problem is that iptables is flooding the console with LOG messages. We tried --log-level 4 on the iptables rules, but it didn't work. We fixed the problem by changing the KLOGD_OPTIONS value in /etc/sysconfig/syslog to: KLOGD_OPTIONS="-c 4"
Is it the best option, or are we missing something?
Thanks in advance
On Wed, 20 Jul 2011, cbulist@gmail.com wrote:
To: centos@centos.org
From: "cbulist@gmail.com" <cbulist@gmail.com>
Subject: [CentOS] Iptables - flooding console
*snip*
I had this problem as well. The firewall logs were being sent (tailed/tee'd ?) to the console, which is a pain if you are using mc or any other console application.
To fix it on CentOS 5.5/6 I just added the following to the top of the /etc/syslog.conf file.
Deleted these lines as not in use:
    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.*                                                 /dev/console

Replaced with:

    # Log all firewall messages to a file.
    kern.=debug                                             /var/log/firewall-log
Obviously you need to make sure the firewall log file exists
-rw-r--r-- keith users 39039 Jul 20 15:24 firewall-log
Kind Regards,
Keith Roberts
-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with TMDA [http://tmda.net]
-----------------------------------------------------------------
On 7/20/2011 10:18 AM, Keith Roberts wrote:
*snip*
Thanks Keith,
I tried your solution but it didn't work (man 8 syslogd describes what you said). First I put back the default value of KLOGD_OPTIONS and restarted the syslog service, but iptables is still sending its log to the console. I forgot to mention the system info:
CentOS 5.6
[root@server_56 ~]# uname -r
2.6.18-238.el5
[root@server_56 ~]# iptables -V
iptables v1.3.5
Sincerely,
Julio
On Wed, Jul 20, 2011 at 9:40 AM, cbulist@gmail.com <cbulist@gmail.com> wrote:
*snip*
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
We prevent firewall messages from being logged to the console by setting kernel.printk in sysctl.conf.
kernel.printk = 3 4 1 7
Daniel
On Wed, 20 Jul 2011, cbulist@gmail.com wrote:
*snip*
OK Julio.
There was a kernel update last night, so here's what my 5.6 box has got on it:
[root@karsites ~]# uname -r
2.6.18-238.19.1.el5
[root@karsites ~]# iptables -V
iptables v1.3.5
My /etc/sysconfig/syslog file is untouched by me:

###################
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
# SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".
#################
The only file I alter is /etc/syslog.conf which contains:

#################
# Log all firewall messages to a file.
kern.=debug                                             /var/log/firewall-log

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
#################
And my IPtables rules for logging packets are:

#------------------------------------------------------#
# create a new chain for apache connections
#------------------------------------------------------#
iptables -N open_port_80

# LOG all local connections to apache port 80
iptables -A open_port_80 ! -i eth0 -p tcp --dport 80 \
    -j LOG --log-level 7 --log-prefix 'Local Port 80 connects '

# ACCEPT all local connections to apache port 80
iptables -A open_port_80 ! -i eth0 -p tcp --dport 80 -j ACCEPT
#------------------------------------------------------#
Here's what I get in my firewall-log file. Just did a connect from localhost to check it's all working OK.
Jul 20 18:47:07 karsites kernel: Local Port 80 connects IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=40422 DF PROTO=TCP SPT=59791 DPT=80 WINDOW=386 RES=0x00 ACK FIN URGP=0
Maybe you need to take another look at your IPtables logging rule?
Kind Regards,
Keith
On 7/20/2011 12:52 PM, Keith Roberts wrote:
*snip*
Keith and Daniel,
Thanks so much for your help!
Keith you are right. I had --log-level 4 in the iptables rules because I played with that option in order to fix the problem. Now, it's working well. I didn't update the kernel.
Sincerely,
Julio
On Wed, 20 Jul 2011, cbulist@gmail.com wrote:
*snip*
Hi Julio. Very pleased to hear you have it working now.
It's also nice to be right for a change - if only life was as simple as writing IPtables rules ;)
Kind Regards,
Keith Roberts
--On Wednesday, July 20, 2011 10:44 AM -0500 cbulist@gmail.com wrote:
*snip*
In addition to the other suggestions, you could switch to rsyslog, included in CentOS base. It provides much more flexible filtering options. Add a unique string to your iptables log lines and match on it to divert all of its logs to a separate file (or virtual console).
After switching to rsyslog, my /var/log/messages rarely gets a new message, as I've diverted everything to subsystem-specific log files. (Remember to add logrotate entries for them so your disk doesn't fill up.)
On 08/01/2011 03:23 PM, Kenneth Porter wrote:
*snip*
Here is an example using rsyslog; note that --log-level 7 is kern.debug.

iptables log line:

    -A ACCEPTnLOG -m limit --limit 30/min -j LOG --log-level 7 --log-prefix "fw (ACCEPTnLOG) "

Part of rsyslog.conf - first don't log kern.debug messages to /var/log/messages:

    ...
    *.info;kern.!=debug;mail.none;authpriv.none;cron.none      /var/log/messages
    ...
    # put messages that start with "fw " in /var/log/firewall.log
    :msg, startswith, "fw "                                    -/var/log/firewall.log
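As an added example, not posted by anyone in this thread: a small Python model of the two filters the whole discussion turns on, the kernel's console_loglevel gate (set by klogd -c N or by the first field of kernel.printk, as in Daniel's "3 4 1 7") and the syslog routing in Keith's syslog.conf and in the rsyslog fragment above. It parses a raw klogd line in the LOG target's format and reports where a message at a given --log-level ends up. The sample lines are constructed from Keith's logged packet; "7 4 1 7" is taken as the 2.6 kernel's compiled-in default, which a distribution may override.

```python
import re

# Syslog priorities: printk's <N> prefix and syslog.conf selectors share them.
PRIORITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed klogd input: the packet from Keith's firewall-log as the kernel
# emits it, with the <N> prefix that 'iptables -j LOG --log-level N' gives it.
LOG_BODY = ("IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 "
            "DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=40422 DF PROTO=TCP "
            "SPT=59791 DPT=80 WINDOW=386 RES=0x00 ACK FIN URGP=0")
JULIO_LEVEL4 = "<4>Local Port 80 connects " + LOG_BODY  # Julio's --log-level 4 rule
KEITH_LEVEL7 = "<7>Local Port 80 connects " + LOG_BODY  # Keith's --log-level 7 rule
RSYSLOG_FW = "<7>fw (ACCEPTnLOG) " + LOG_BODY           # prefix from the rsyslog post

def parse_kmsg(line):
    """Split a raw kernel log line into (priority, --log-prefix text, fields).
    The LOG target prints the prefix verbatim right before 'IN='; KEY=VALUE
    tokens become dict entries and bare tokens (DF, ACK, FIN, SYN) are flags."""
    m = re.match(r"<(\d)>(.*)", line)
    if not m:
        raise ValueError("not a kernel log line: %r" % line)
    prio, msg = int(m.group(1)), m.group(2)
    at = msg.find("IN=")
    prefix, body = (msg[:at], msg[at:]) if at >= 0 else ("", msg)
    fields = {}
    for tok in body.split():
        key, eq, val = tok.partition("=")
        fields[key] = val if eq else True
    return prio, prefix, fields

def destinations(line, printk="7 4 1 7", rsyslog_prefix=None):
    """Return the set of places one LOG message lands.
    printk is the kernel.printk string ('klogd -c N' sets the same first field);
    '7 4 1 7' is the 2.6 kernel's compiled-in default (distros may override it).
      /dev/console          the kernel prints it only when prio < console_loglevel
      /var/log/messages     *.info selector, i.e. priority <= 6 (rsyslog's
                            kern.!=debug excludes exactly the debug messages)
      /var/log/firewall-log Keith's kern.=debug line (classic syslogd)
      /var/log/firewall.log the rsyslog ':msg, startswith' filter instead"""
    prio, prefix, _ = parse_kmsg(line)
    console_loglevel = int(printk.split()[0])
    out = set()
    if prio < console_loglevel:
        out.add("/dev/console")
    if prio <= PRIORITY["info"]:
        out.add("/var/log/messages")
    if rsyslog_prefix is None:
        if prio == PRIORITY["debug"]:
            out.add("/var/log/firewall-log")
    elif prefix.startswith(rsyslog_prefix):
        out.add("/var/log/firewall.log")
    return out
```

With the default printk, the level-4 rule reaches the console and /var/log/messages while the level-7 rule goes only to firewall-log, which is the difference Keith spotted; lowering console_loglevel to 3 silences the console without stopping the level-4 messages from landing in /var/log/messages.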