Bonjour,
J'ai un soucis avec syslog-ng et mes logs iptables, non seulement syslog-ng destine les logs vers /var/log/firewall mais je les trouve aussi dans ma console et à la sortie de la commande dmesg malgré un dmesg -n 1. J'ai essayé tout les niveaux (info, warning, ...) de log et c'est tjrs le même résultat. :o
ma règle iptables:
iptables -A INPUT -m state --state INVALID -m limit --limit 3/s -j LOG --log-tcp-option --log-ip-options --log-level warning --log-prefix "## INVALID INPUT ## "
mon fichier de conf syslog-ng.conf:
#
# Configuration file for syslog-ng under Debian
#
# attempts at reproducing default syslog behavior
# the standard syslog levels are (in descending order of priority):
# emerg alert crit err warning notice info debug
# the aliases "error", "panic", and "warn" are deprecated
# the "none" priority found in the original syslogd configuration is
# only used in internal messages created by syslogd
######
# options
options {
#
long_hostnames(0);
# the time to wait before a died connection is re-established
# (default is 60)
time_reopen(10);
# the time to wait before an idle destination file is closed
# (default is 60)
time_reap(360);
# the number of lines buffered before written to file
# you might want to increase this if your disk isn't catching with
# all the log messages you get or if you want less disk activity
# (say on a laptop)
# (default is 0)
#sync(0);
# the number of lines fitting in the output queue
log_fifo_size(2048);
# enable or disable directory creation for destination files
create_dirs(yes);
# default owner, group, and permissions for log files
# (defaults are 0, 0, 0600)
#owner(root);
group(adm);
perm(0640);
# default owner, group, and permissions for created directories
# (defaults are 0, 0, 0700)
#dir_owner(root);
#dir_group(root);
dir_perm(0755);
# enable or disable DNS usage
# syslog-ng blocks on DNS queries, so enabling DNS may lead to
# a Denial of Service attack
# (default is yes)
use_dns(no);
# maximum length of message in bytes
# this is only limited by the program listening on the /dev/log Unix
# socket, glibc can handle arbitrary length log messages, but -- for
# example -- syslogd accepts only 1024 bytes
# (default is 2048)
#log_msg_size(2048);
};
######
# sources
# all known message sources
source s_all {
# message generated by Syslog-NG
internal();
# standard Linux log source (this is the default place for the syslog()
# function to send logs to)
unix-stream("/dev/log");
# messages from the kernel
file("/proc/kmsg" log_prefix("kernel: "));
# use the above line if you want to receive remote UDP logging messages
# (this is equivalent to the "-r" syslogd flag)
# udp();
};
######
# destinations
# some standard log files
destination df_auth { file("/var/log/auth.log"); };
destination df_syslog { file("/var/log/syslog"); };
destination df_cron { file("/var/log/cron.log"); };
destination df_daemon { file("/var/log/daemon.log"); };
destination df_kern { file("/var/log/kern.log"); };
destination df_lpr { file("/var/log/lpr.log"); };
destination df_mail { file("/var/log/mail.log"); };
destination df_user { file("/var/log/user.log"); };
destination df_uucp { file("/var/log/uucp.log"); };
destination df_firewall { file("/var/log/firewall/firewall.log"); };
destination df_pureftpd { file("/var/log/pure-ftpd/ftp.log"); };
destination df_spamd { file("/var/log/spam/spam.log"); };
destination df_ssh { file("/var/log/ssh/ssh.log"); };
# these files are meant for the mail and news systems log files
# and provide re-usable destinations for {mail,news,...}.info,
# {mail,news,...}.notice, etc.
destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };
destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };
# some more classical and useful files found in standard syslog configurations
destination df_debug { file("/var/log/debug"); };
destination df_messages { file("/var/log/messages"); };
# pipes
# a console to view log messages under X
destination dp_xconsole { pipe("/dev/xconsole"); };
# consoles
# this will send messages to everyone logged in
destination du_all { usertty("*"); };
######
# filters
# all messages from the auth and authpriv facilities
filter f_auth { facility(auth, authpriv); };
# all messages except from the auth and authpriv facilities
filter f_syslog { not facility(auth, authpriv) and not match(".*IN=.*OUT=.*MAC=.*") and not match("## Identd ## ") and not match("pure-ftpd") and not match("spamd"); };
# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
# and uucp facilities
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern) and not match(".*IN=.*OUT=.*MAC=.*") and not match("## Identd ## ") and not match("pure-ftpd") and not match("spamd"); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
# some filters to select messages of priority greater or equal to info, warn,
# and err
# (equivalents of syslogd's *.info, *.warn, and *.err)
filter f_at_least_info { level(info..emerg); };
filter f_at_least_notice { level(notice..emerg); };
filter f_at_least_warn { level(warn..emerg); };
filter f_at_least_err { level(err..emerg); };
filter f_at_least_crit { level(crit..emerg); };
# all messages of priority debug not coming from the auth, authpriv, news, and
# mail facilities
filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
# all messages of info, notice, or warn priority not coming form the auth,
# authpriv, cron, daemon, mail, and news facilities
filter f_messages {
level(info,notice,warn)
and not facility(auth,authpriv,cron,daemon,mail,news)and not match (".*IN=.*OUT=.*MAC=.*") and not match ("pure-ftpd*") and not match("spamd*") and not match("syslog-ng*:*STATS:*dropped"); };
# messages with priority emerg
filter f_emerg { level(emerg); };
# complex filter for messages usually sent to the xconsole
filter f_xconsole {
facility(daemon,mail)
or level(debug,info,notice,warn)
or (facility(news)
and level(crit,err,notice));
};
filter f_iptables { match(".*IN=.*OUT=.*MAC=.*"); };
filter f_pureftpd { match("pure-ftpd*"); };
filter f_spamd { match("spamd*"); };
filter f_ssh { match("sshd*"); };
######
# logs
# order matters if you use "flags(final);" to mark the end of processing in a
# "log" statement
# these rules provide the same behavior as the commented original syslogd rules
# auth,authpriv.* /var/log/auth.log
log {
source(s_all);
filter(f_auth);
destination(df_auth);
};
# *.*;auth,authpriv.none -/var/log/syslog
log {
source(s_all);
filter(f_syslog);
destination(df_syslog);
};
# this is commented out in the default syslog.conf
# cron.* /var/log/cron.log
#log {
# source(s_all);
# filter(f_cron);
# destination(df_cron);
#};
# daemon.* -/var/log/daemon.log
log {
source(s_all);
filter(f_daemon);
destination(df_daemon);
};
# kern.* -/var/log/kern.log
log {
source(s_all);
filter(f_kern);
destination(df_kern);
};
# lpr.* -/var/log/lpr.log
log {
source(s_all);
filter(f_lpr);
destination(df_lpr);
};
# mail.* -/var/log/mail.log
log {
source(s_all);
filter(f_mail);
destination(df_mail);
};
# user.* -/var/log/user.log
log {
source(s_all);
filter(f_user);
destination(df_user);
};
# uucp.* /var/log/uucp.log
log {
source(s_all);
filter(f_uucp);
destination(df_uucp);
};
# mail.info -/var/log/mail.info
log {
source(s_all);
filter(f_mail);
filter(f_at_least_info);
destination(df_facility_dot_info);
};
# mail.warn -/var/log/mail.warn
log {
source(s_all);
filter(f_mail);
filter(f_at_least_warn);
destination(df_facility_dot_warn);
};
# mail.err /var/log/mail.err
log {
source(s_all);
filter(f_mail);
filter(f_at_least_err);
destination(df_facility_dot_err);
};
# news.crit /var/log/news/news.crit
log {
source(s_all);
filter(f_news);
filter(f_at_least_crit);
destination(df_facility_dot_crit);
};
# news.err /var/log/news/news.err
log {
source(s_all);
filter(f_news);
filter(f_at_least_err);
destination(df_facility_dot_err);
};
# news.notice /var/log/news/news.notice
log {
source(s_all);
filter(f_news);
filter(f_at_least_notice);
destination(df_facility_dot_notice);
};
# *.=debug;\
# auth,authpriv.none;\
# news.none;mail.none -/var/log/debug
log {
source(s_all);
filter(f_debug);
destination(df_debug);
};
# *.=info;*.=notice;*.=warn;\
# auth,authpriv.none;\
# cron,daemon.none;\
# mail,news.none -/var/log/messages
log {
source(s_all);
filter(f_messages);
destination(df_messages);
};
# *.emerg *
log {
source(s_all);
filter(f_emerg);
destination(du_all);
};
# daemon.*;mail.*;\
# news.crit;news.err;news.notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn |/dev/xconsole
log {
source(s_all);
filter(f_xconsole);
destination(dp_xconsole);
};
# Firewall
log {
source(s_all);
filter(f_iptables);
destination(df_firewall);
};
# FTP
log {
source(s_all);
filter(f_pureftpd);
destination(df_pureftpd);
};
# Spam
log {
source(s_all);
filter(f_spamd);
destination(df_spamd);
};
# SSH
log {
source(s_all);
filter(f_ssh);
destination(df_ssh);
};
Qlq a une solution :o
Forum Linux.général Syslog-ng et iptables
21
oct.
2004
# j'ai eu le même problème...
Posté par Bruno Muller . Évalué à 1.
# prk installé ulogd si j'ai deja syslog-ng
Posté par WaVeR . Évalué à 1.
# Personne n'a une idée :o
Posté par WaVeR . Évalué à 1.
[^] # Re: Personne n'a une idée :o
Posté par Raoul Volfoni (site web personnel) . Évalué à 2.
S'il s'agit de ne plus enregistrer les logs d'Iptable tu met en commentaire:
# Firewall
# log {source(s_all); filter(f_iptables); destination(df_firewall);};
Ton fichier ne sera plus alimenté. C'est pas plus compliqué.
[^] # Re: Personne n'a une idée :o
Posté par WaVeR . Évalué à 1.
[^] # Re: Personne n'a une idée :o
Posté par WaVeR . Évalué à 1.
Suivre le flux des commentaires
Note : les commentaires appartiennent à celles et ceux qui les ont postés. Nous n’en sommes pas responsables.