Additional text in firewall message
I have a honeypot which logs unwanted incoming packets in /var/log/firewall. I needed to reinstall Tumbleweed on that system. I use a self-designed iptables file with rules.

I used to get lines like:

<timestamp> <hostname> kernel: [ dddd.dddddd] <log-text-defined-in-iptables> IN=eth0 ....

where d is a digit. Now instead of [ dddd.dddddd], I get [ dddd.dddddd][ C0]

I wonder where this [ C0] comes from and if I can suppress that part?

When using firewalld with nftables and enabling LogDenied=unicast the <log-text> is: "filter_IN_public_REJECT: " . This includes the double quotes, which seems odd.

--
fr.gr.
member openSUSE
Freek de Kruijf

On 04. 11. 21, 18:23, Freek de Kruijf wrote:
> I have a honeypot which logs unwanted incoming packets in /var/log/firewall. I needed to reinstall Tumbleweed on that system. I use a self-designed iptables file with rules.
>
> I used to get lines like:
> <timestamp> <hostname> kernel: [ dddd.dddddd] <log-text-defined-in-iptables> IN=eth0 ....
> where d is a digit. Now instead of [ dddd.dddddd], I get [ dddd.dddddd][ C0]
>
> I wonder where this [ C0] comes from and if I can suppress that part?

From printk code. It's the context which the message is printed from. Enabled as a part of configs unification:
https://bugzilla.suse.com/show_bug.cgi?id=1189674

I don't think there is a way to turn it off.

--
js
suse labs

On Friday 5 November 2021 08:29:37 CET, Jiri Slaby wrote:
> On 04. 11. 21, 18:23, Freek de Kruijf wrote:
>> I have a honeypot which logs unwanted incoming packets in /var/log/firewall. I needed to reinstall Tumbleweed on that system. I use a self-designed iptables file with rules.
>>
>> I used to get lines like:
>> <timestamp> <hostname> kernel: [ dddd.dddddd] <log-text-defined-in-iptables> IN=eth0 ....
>> where d is a digit. Now instead of [ dddd.dddddd], I get [ dddd.dddddd][ C0]
>>
>> I wonder where this [ C0] comes from and if I can suppress that part?
>
> From printk code. It's the context which the message is printed from. Enabled as a part of configs unification:
> https://bugzilla.suse.com/show_bug.cgi?id=1189674
>
> I don't think there is a way to turn it off.

To parse this line in Python with regex, would that part always be recognized by \[\s*\w+[0-9]+\] or would it be better to use \[.+\] ?

--
fr.gr.
member openSUSE
Freek de Kruijf

On 05. 11. 21, 10:45, Freek de Kruijf wrote:
> To parse this line in Python with regex, would that part always be recognized by \[\s*\w+[0-9]+\] or would it be better to use \[.+\] ?

https://elixir.bootlin.com/linux/latest/source/kernel/printk/printk.c#L1266

I doubt it will change much, if at all. So yes, \w+[0-9]+ should work.

regards,
--
js
suse labs

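Added example, not part of the thread or written by either participant: a Python parser built around the tighter bracket pattern discussed above, which accepts lines with and without the caller field and shows what the looser \[.+\] captures on the same input. It assumes the caller field is printk's C<cpu> or T<thread id> form; the sample lines, the DROP-IN: prefix and the function names are constructed for illustration.

```python
import re

# printk prints the caller as "[%6s]" holding C<cpu> or T<thread id>;
# kernels built without that option omit the field, so it is optional here.
LINE_RE = re.compile(
    r"kernel:\s*\[\s*(?P<uptime>\d+\.\d+)\]"   # [ dddd.dddddd]
    r"(?:\[\s*(?P<caller>[CT]\d+)\])?"         # [    C0], absent on older kernels
    r"\s*(?P<prefix>.*?)\s*(?=IN=)"            # log text set in the firewall rule
    r"(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse(line):
    """Return a dict for one firewall log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m["fields"]):
        # ICMP errors embed the offending packet as "[SRC=... DST=... ]";
        # keep the first (outer) value of each key.
        fields.setdefault(key, value)
    return {"uptime": float(m["uptime"]), "caller": m["caller"],
            "prefix": m["prefix"], "fields": fields}


def greedy_bracket(line):
    """Text captured by the looser bracket pattern, for comparison."""
    return re.search(r"\[.+\]", line).group(0)


# Constructed sample lines (documentation addresses, made-up hostname and prefix).
OLD = ("2021-11-04T18:00:01+01:00 pot kernel: [ 1234.567890] DROP-IN: IN=eth0 OUT= "
       "SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=23")
NEW = OLD.replace("567890] ", "567890][    C0] ")
ICMP = ('2021-11-04T18:00:02+01:00 pot kernel: [ 1300.000001][ T1234] '
        '"filter_IN_public_REJECT: "IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 '
        'PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.10 DST=203.0.113.9 PROTO=UDP ] ')

if __name__ == "__main__":
    for sample in (OLD, NEW, ICMP):
        print(parse(sample))
    print(greedy_bracket(ICMP))
```

The greedy pattern runs from the timestamp bracket to the last "]" on the line, so on the ICMP sample it swallows the prefix and every field along with the caller.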
On Wednesday 10 November 2021 07:16:19 CET, Jiri Slaby wrote:
> On 05. 11. 21, 10:45, Freek de Kruijf wrote:
>> To parse this line in Python with regex, would that part always be recognized by \[\s*\w+[0-9]+\] or would it be better to use \[.+\] ?
>
> https://elixir.bootlin.com/linux/latest/source/kernel/printk/printk.c#L1266
>
> I doubt it will change much, if at all. So yes, \w+[0-9]+ should work.
>
> regards,

Thanks!

--
fr.gr.
member openSUSE
Freek de Kruijf