/var/log/{messages,firewall,warn}
On my SuSE 6.4 system, I am using the firewall and scanlogd packages. While familiarizing myself with the system, I'd at one point removed those packages, then re-installed them. Now the log files in /var/log don't seem quite what I recall them being originally, but I could be mistaken.

I get identical loggings from firewall in /var/log/firewall and /var/log/messages. This results in /var/log/messages getting VERY big, especially due to web traffic to the machine (a lot of ALLOW's). Can I change a config to prevent firewall from making duplicate entries to /var/log/messages?

Also, scanlogd does not seem to log any scannings except for those from localhost (127.0.0.1). I've been playing with it, and running nmap on another machine on my local subnet, but these scans (not in any "stealth" mode) never get logged and scanlogd is most definitely running. I don't see any config files for scanlogd, and I didn't see any references to one in the man page.

Any help is greatly appreciated. Thanks!
* Jason P. Stanford wrote on Tue, Aug 01, 2000 at 11:35 -0700:
> especially due to web traffic to the machine (a lot of ALLOW's). Can I change a config to prevent firewall from making duplicate entries to /var/log/messages?
That's not possible (at least with ipchains). You should check your configuration and environment; it's bad if you get lots of prohibited connection attempts. You have to reduce it, otherwise your logging makes no sense, since you will never be able to read the logs! If you have "expected" denies, insert a rule that rejects/denies those packets without logging.
> Also, scanlogd does not seem to log any scannings except for those from localhost (127.0.0.1).
Here it works...
> I've been playing with it, and running nmap on another machine on my local subnet, but these scans (not in any "stealth" mode) never
scanlogd should detect stealth mode scans.
> get logged and scanlogd is most definitely running. I don't see any config files for scanlogd,
There isn't a config file. Some tunables you can modify at compile-time. scanlogd uses some #defines in some include files (look at the source for docu :)). If you need a more complex and advanced IDS tool, you may take a look at snort (www.snort.org), which is highly configurable.

oki, Steffen
-- 
This message was generated by machine and therefore bears neither signature nor seal.
On Tue, 1 Aug 2000, Steffen Dettmer wrote:
> * Jason P. Stanford wrote on Tue, Aug 01, 2000 at 11:35 -0700:
>> especially due to web traffic to the machine (a lot of ALLOW's). Can I change a config to prevent firewall from making duplicate entries to /var/log/messages?
> That's not possible (at least with ipchains). You should check your configuration and environment; it's bad if you get lots of prohibited connection attempts. You have to reduce it, otherwise your logging makes no sense, since you will never be able to read the logs!
> If you have "expected" denies, insert a rule that rejects/denies those packets without logging.
The problem is that these logs "from" ipchains actually come from the kernel; ipchains is only used to feed the rules into the kernel. Messages from the kernel are being read by klogd from /proc/kmsg and then forwarded to syslogd. Here's your chance to get hold of the logs: change the /etc/syslog.conf to reflect the facility kernel _only_ in the firewall log (which is actually the kernel log). This can be done by changing the line

    *.*;mail.none;news.none              -/var/log/messages

to

    *.*;mail.none;news.none;kern.none    -/var/log/messages

I bet the last line reads

    kern.*                               /var/log/firewall

:-)
> Also, scanlogd does not seem to log any scannings except for those from localhost (127.0.0.1).
> Here it works...
Same here. [...]

Regards,
Roman.
-- 
| Roman Drahtmüller <draht@suse.de>        // "Caution: Cape does
| SuSE GmbH - Security   Phone:            // not enable user to fly."
| Nürnberg, Germany      +49-911-740530    // (Batman Costume warning label)
* Roman Drahtmueller wrote on Wed, Aug 02, 2000 at 03:29 +0200:
> The problem is that these logs "from" ipchains actually come from the kernel; ipchains is only used to feed the rules into the kernel. Messages from the kernel are being read by klogd from /proc/kmsg and then forwarded to syslogd. Here's your chance to get hold of the logs: change the
> [...]
>     kern.*    /var/log/firewall
I assume logging is done using always the same priority, but I've found no hint in the ipchains man page. In this case it should be possible to exchange the wildcard "*" with this priority.

I would suggest naming this file "kernel" and not "firewall", since IMHO "firewall" is misleading here. In a file "firewall" I wouldn't expect hard disk I/O errors and so on. It's a pity that syslog is too silly to sort by the tag field, but you could make a little (i.e. Perl) script or some program doing this. Syslogd is able to write down to a named pipe, that could be read out by such a script. What do you think?

oki, Steffen
-- 
This message was generated by machine and therefore bears neither signature nor seal.
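An added example (not code from this thread, from SuSE or from any of the posters) of the tag-sorting script Steffen suggests, covering Roman's point too: syslog.conf can only route by facility and level, so a script on the far end of a named pipe does the split by tag instead. It assumes sysklogd's `|/path/to/fifo` destination syntax and the ipchains "Packet log:" line layout; the sample lines are constructed.

```python
import re
import sys
from collections import Counter

# Constructed sample of what klogd/syslogd write: two ipchains "Packet log:" lines
# (facility kern, level info), one unrelated kernel message and one non-kernel line.
SAMPLE = """\
Aug  1 11:35:02 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:3456 198.51.100.5:23 L=60 S=0x00 I=4711 F=0x4000 T=64 SYN (#7)
Aug  1 11:35:03 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.11:1025 198.51.100.5:80 L=60 S=0x00 I=4712 F=0x4000 T=64 SYN (#3)
Aug  1 11:35:04 fw kernel: hda: dma_intr: status=0x51 { DriveReady SeekComplete Error }
Aug  1 11:35:05 fw sshd[212]: Accepted password for jason from 192.0.2.12 port 1022
"""

# Header fields of an ipchains log line; syslog.conf cannot see these, only facility/level.
PACKET_LOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")

def route(line):
    """Decide where a syslog line belongs: ('firewall', fields), ('kernel', None) or ('messages', None)."""
    m = PACKET_LOG.match(line)
    if m:
        return "firewall", m.groupdict()
    if " kernel: " in line:          # the tag field that syslogd itself cannot sort on
        return "kernel", None
    return "messages", None

def split_log(text):
    """Sort lines into the three logs and count DENY/REJECT hits per (source, destination port)."""
    out = {"firewall": [], "kernel": [], "messages": []}
    denies = Counter()
    for line in text.splitlines():
        dest, fields = route(line)
        out[dest].append(line)
        if fields and fields["target"] in ("DENY", "REJECT"):
            denies[(fields["src"], fields["dport"])] += 1
    return out, denies

if __name__ == "__main__":
    # Usage (hypothetical paths): syslog.conf has "kern.*  |/var/log/kern.fifo" (mkfifo it first),
    # then run: splitlog.py /var/log/kern.fifo /var/log/split   -- writes firewall.log, kernel.log, ...
    src = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    outdir = sys.argv[2] if len(sys.argv) > 2 else "."
    files = {}
    for line in src:
        dest, _ = route(line.rstrip("\n"))
        if dest not in files:
            files[dest] = open("%s/%s.log" % (outdir, dest), "a")
        files[dest].write(line)
```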
Hello,

* On Wed, Aug 02, 2000 at 09:51:25AM +0200, Steffen Dettmer wrote:
> I assume logging is done using always the same priority, but I've found no hint in the ipchains man page. In this case it should be possible to exchange the wildcard "*" with this priority.

The IPCHAINS-HOWTO says:

    ...
    On standard Linux systems, this kernel output is captured by klogd (the kernel logging daemon) which hands it to syslogd (the system logging daemon). The `/etc/syslog.conf' controls the behaviour of syslogd, by specifying a destination for each `facility' (in our case, the facility is "kernel") and `level' (for ipchains, the level used is "info").
    ...
Rgds. Heiko.
participants (4)
- Heiko Degenhardt
- Jason P. Stanford
- Roman Drahtmueller
- Steffen Dettmer