RE: [suse-security] SuSE-Firewall logging
No, it's not possible to log only the firewall messages to a separate file. These log entries come from the "kernel", and the filtering which can be done via syslog is not very extensive. You can basically only filter on what category (called "facility") the log entry is to be recorded as, and choices there are very limited. In this case, it's "kernel". That means that everything logged under "kernel" will always go to the same file. Sorry, you can't filter on which program the log entry came from.

The default setup when you install the SuSE firewall package is to log all "kernel" entries to /var/log/firewall. The rest stays in /var/log/messages.

Alternatively, reduce the log level for your firewall setup.

Volker
On Wed, 22 Nov 2000, Volker Kuhlmann wrote:

> No, it's not possible to log only the firewall messages to a separate file. These log entries come from the "kernel", and the filtering which can be done via syslog is not very extensive.
> You can basically only filter on what category (called "facility") the log entry is to be recorded as, and choices there are very limited. In this case, it's "kernel". That means that everything logged under "kernel" will always go to the same file. Sorry, you can't filter on which program the log entry came from. The default setup when you install the SuSE firewall package is to log all "kernel" entries to /var/log/firewall. The rest stays in /var/log/messages.
> Alternatively, reduce the log level for your firewall setup.
> Volker
Hmm. I haven't been paying enough attention to this thread to notice if I'm covering ground somebody already covered, but Volker left out an important part of syslog configuration, so I'm throwing in my bits.

With syslog you get not only the "facility" category (i.e. "kern") but also the "priority" (or "severity") level. The priorities range from debug, info, notice, warn or warning ... to emerg or panic (see syslog.conf(5)). Normally, a syslog.conf entry that states a priority level (i.e. news.crit) means it will log "news" facility syslog messages of priority "crit" AND HIGHER to the associated file/device. The syslog in use by SuSE and most other Linuses will allow you to log ONLY that facility.priority by prepending a "=" to it, i.e. "news.=crit".

By default on my install of SuSE (7.0), there's a syslog entry "*.*;mail.none;news.none -/var/log/messages" which means that everything except mail.* or news.* will go into the /var/log/messages file. Installing the firewall package adds an entry "kern.* /var/log/firewall" which means that any priority of message of facility kern will go into that file. If you want to avoid duplication between logfiles you could change your /var/log/messages entry and add a "kern.none" to it.

You could also get a finer-grained approach if you know which "priority" (more likely priorities) the ipchains package uses to log its firewall syslog entries, by disallowing only that priority in the /var/log/messages file and/or only allowing that priority in the /var/log/firewall file. I don't know a way to see the priority(s) ipchains uses except to grab the SuSE kernel source and read through it; somewhere there'll be some #defines for syslog levels. If it's like most other tools that use syslog, it'll have different priorities for different types of message.

Sorry for the long-winded message. Although syslog is well-documented (syslog.conf(5)), it can be kind of confusing if you haven't spent time customizing it before.

John Ritchie
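As an added illustration of the selector rules John describes (this is not code from the thread or from SuSE), here is a small Python model of how a sysklogd-style syslog.conf routes one message: a plain priority matches that level and higher, "=pri" matches only that level, "none" drops the facility, and within a line a later selector overrides an earlier one for the facilities it names. The two config fragments are constructed after the entries quoted in the thread.

```python
# Priorities in increasing severity, as listed in syslog.conf(5); aliases share a rank.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def rank(pri):
    return PRIORITIES.index(ALIASES.get(pri, pri))


def line_matches(selectors, facility, priority):
    """Evaluate a ';'-separated selector list for one (facility, priority) message.
    Each selector that names the facility (or '*') replaces the verdict so far."""
    matched = False
    for sel in selectors.split(";"):
        facs, pri = sel.rsplit(".", 1)
        if facility not in facs.split(",") and "*" not in facs.split(","):
            continue  # this selector says nothing about our facility
        if pri == "none":
            matched = False                       # facility explicitly excluded
        elif pri == "*":
            matched = True                        # every priority
        elif pri.startswith("="):
            matched = rank(priority) == rank(pri[1:])   # exactly this priority
        else:
            matched = rank(priority) >= rank(pri)       # this priority and higher
    return matched


def route(config, facility, priority):
    """Return the destinations a message would be written to, in config order.
    A leading '-' on a file name (asynchronous write) is not part of the path."""
    dests = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, dest = line.split(maxsplit=1)
        if line_matches(selectors, facility, priority):
            dests.append(dest.strip().lstrip("-"))
    return dests


# Constructed after the thread: SuSE default plus the entry the firewall package adds ...
DEFAULT_CONF = """
*.*;mail.none;news.none            -/var/log/messages
kern.*                             /var/log/firewall
"""
# ... and the same with John's "kern.none" added to stop the duplication.
DEDUPED_CONF = """
*.*;mail.none;news.none;kern.none  -/var/log/messages
kern.*                             /var/log/firewall
"""
```

With DEFAULT_CONF a kern.info message lands in both files; with DEDUPED_CONF it lands only in /var/log/firewall.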