
Hello list,

I'm building a firewall system with Cisco routers and a Linux box. All logging of the machines should be sent via syslog to a log-box. For each machine I want a separate logfile.

In Cisco IOS I can say:

    logging facility local0
    logging log-box

which tells the router to send all logging to log-box using facility local0. And tell the syslog on the log-box: facility local0 should be dumped in /var/log/router1.

But I don't see any chance to change the facility of ipchains. It has the facility kern, so the logging of the firewall Linux box is mixed together with the local logging of the log-box. Is there any chance to configure syslog or ipchains to have two separate logfiles for the firewall-box and the log-box on the log-box?

THX
Guido
--
-----------------
Guido Tschakert
SRC, SysAd
-----------------

One more reason to use iptables: you can totally configure what it logs to, including prepending messages/etc, very nifty. ipchains never had this feature. Of course you could simply replace syslog with something better on the Linux machines (several options).

http://www.seifried.org/lasg/

Kurt Seifried, kurt@seifried.org
PGP Key ID: 0xAD56E574
Fingerprint: A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/

----- Original Message -----
From: "Guido Tschakert" <gt@src-gmbh.de>
To: <suse-security@suse.com>
Sent: Friday, September 14, 2001 4:49 AM
Subject: [suse-security] Configuration Problems with syslog

Yup.

On 14-Sep-01 Guido Tschakert wrote:
Indeed, ipchains has facility kern, but also priority info. To separate the ipchains messages from /var/log/messages, you will have to modify your syslog.conf. At the bottom of your syslog.conf, you will find an entry like:

    #
    # save the rest in one file
    #
    *.*;mail.none;news.none                 -/var/log/messages

This entry states that all messages of all facilities (with all priorities) should be logged to /var/log/messages, except for any log messages concerning mail or news. *Above* this entry, put in a new config line:

    kern.info                               -/var/log/ipchains.log

This will log all kern.info messages (ipchains messages) to /var/log/ipchains.log. Note the "-" in front of the path to the log file; this prevents syslogd from sync'ing data from memory to disk every time it writes to the file, which helps to increase performance.

Next, adjust the log-all line, like so:

    #
    # save the rest in one file
    #
    *.*;kern.!=info;mail.none;news.none     -/var/log/messages

This saves all messages to /var/log/messages like before, except kern logs with priority info, which are already saved in /var/log/ipchains.log.

Likewise, if you want to save all messages to facility local0 in one file, without doubling the logs to /var/log/messages, you should put "local0.none" into the log-all line.

Btw., all of this info can be found in the manpage of syslog.conf.
--
Boris Lorenz <bolo@lupa.de>
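To check what Boris's selector lines actually do before editing a production syslog.conf, here is an added example (not code from anyone in this thread) that models the selector rules of the classic Linux syslogd (sysklogd) and routes sample facility.priority pairs through a constructed syslog.conf fragment built from the lines above: local0 to /var/log/router1, kern.info to /var/log/ipchains.log, and a catch-all with `kern.!=info` and `local0.none`. The file paths and the model itself are assumptions for illustration; the real daemon is the authority.

```python
"""Model of syslog.conf selector rules as implemented by the classic Linux
syslogd (sysklogd).  Added example constructed for this thread, not code
from any of the posters; it shows which file a message of a given
facility.priority lands in.

Selector semantics per syslog.conf(5):
  facility.priority    that priority and every more severe one
  facility.=priority   exactly that priority
  facility.!priority   drop that priority and every more severe one
  facility.!=priority  drop exactly that priority
  facility.none        drop the whole facility
  '*' matches every facility or priority; a line may carry several
  selectors separated by ';', applied left to right, and several
  facilities may share one priority ('kern,local0.info').
"""
import re

FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail",
              "mark", "news", "syslog", "user", "uucp", "local0", "local1",
              "local2", "local3", "local4", "local5", "local6", "local7"]
# Same order as <syslog.h>: index 0 is the most severe.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}


def prio_num(name):
    return PRIORITIES.index(ALIASES.get(name, name))


def apply_selector(sel, mask):
    """Apply one 'facilities.priority' selector to mask (facility -> set of priority numbers)."""
    facs, prio = sel.rsplit(".", 1)
    fac_list = FACILITIES if facs == "*" else facs.split(",")
    ignore = prio.startswith("!")      # '!' removes instead of adds
    prio = prio.lstrip("!")
    single = prio.startswith("=")      # '=' means exactly this priority
    prio = prio.lstrip("=")
    for fac in fac_list:
        if fac not in FACILITIES:
            raise ValueError("unknown facility %r" % fac)
        if prio == "none":
            mask[fac].clear()
            continue
        if prio == "*":
            wanted = set(range(len(PRIORITIES)))
        elif single:
            wanted = {prio_num(prio)}
        else:
            wanted = set(range(prio_num(prio) + 1))   # this priority and more severe
        if ignore:
            mask[fac] -= wanted
        else:
            mask[fac] |= wanted


def parse_conf(text):
    """Return a list of (mask, logfile, fsync) rules from syslog.conf text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = re.split(r"\s+", line, maxsplit=1)
        mask = {fac: set() for fac in FACILITIES}
        for sel in selectors.split(";"):
            apply_selector(sel, mask)
        # A leading '-' tells syslogd not to fsync() after every write.
        rules.append((mask, action.lstrip("-"), not action.startswith("-")))
    return rules


def route(rules, facility, priority):
    """Log files a facility.priority message is written to, in config order."""
    p = prio_num(priority)
    return [path for mask, path, _ in rules if p in mask[facility]]


def unsynced_files(rules):
    """Log files written without fsync (the '-' prefix)."""
    return {path for _, path, fsync in rules if not fsync}


# Constructed syslog.conf fragment for the log-box in the thread: the Cisco
# routers log with 'logging facility local0', ipchains logs from the kernel
# at kern.info, and everything else goes to /var/log/messages.
SAMPLE_CONF = """
local0.*                                        -/var/log/router1
kern.info                                       -/var/log/ipchains.log
#
# save the rest in one file
#
*.*;kern.!=info;local0.none;mail.none;news.none -/var/log/messages
"""
RULES = parse_conf(SAMPLE_CONF)

if __name__ == "__main__":
    for fac, pri in [("local0", "info"), ("kern", "info"), ("kern", "warning"),
                     ("kern", "debug"), ("mail", "err"), ("daemon", "notice")]:
        print("%s.%s -> %s" % (fac, pri, route(RULES, fac, pri) or "(dropped)"))
```

Two things the model makes visible that are easy to miss when editing by hand: `kern.info` also matches more severe kernel messages, so a kern.warning ends up in both /var/log/ipchains.log and /var/log/messages, and a selector line knows nothing about the sending host, so the log-box's own kernel messages at kern.info land in the ipchains file alongside those forwarded from the firewall box. Splitting by host needs a syslog daemon that can match on the source, which is what Kurt's "replace syslog with something better" points at.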