Hi list,

I've set up SuSEfirewall2 on my webserver to log all connections. It is very noisy in the logs. Fine. I expected that. What I didn't expect is syslog writing kernel messages to 3 log files. All the iptables entries are triplicated in /var/log/messages|warn|kernel. Much more noise than I bargained for. My 5GB /var partition is not up to it.

So I reset SuSEfirewall2 to log only "critical" connections. It seems I still get just as much log activity as before (but perhaps not to all 3 logs?).

My questions are, first, what does SuSEfirewall2 consider as "critical" connections? and second, how can I get syslog to write these messages into just one log file?

from /etc/syslog:

    kern.*                          /var/log/kernel
    *.=warning;*.=err               -/var/log/warn
    *.crit                          /var/log/warn
    *.*;mail.none;news.none         -/var/log/messages

from /etc/sysconfig/SuSEfirewall2:

    FW_LOG_DROP_CRIT="yes"
    FW_LOG_DROP_ALL="no"
    FW_LOG_ACCEPT_CRIT="yes"
    FW_LOG_ACCEPT_ALL="no"

-- 
-ashley

Did you try poking at it with a stick?
Ashley Gould wrote:

> I've set up SuSEfirewall2 on my webserver to log all connections. It is very noisy in the logs. Fine. I expected that. What I didn't expect is syslog writing kernel messages to 3 log files. All the iptables entries are triplicated in /var/log/messages|warn|kernel. Much more noise than I bargained for. My 5GB /var partition is not up to it.
>
> So I reset SuSEfirewall2 to log only "critical" connections. It seems I still get just as much log activity as before (but perhaps not to all 3 logs?).

There is no difference in log options, just in the amount of log rules. Newer SuSEfirewall2 versions use the iptables limit module to prevent flooding the log.

> My questions are,
> first, what does SuSEfirewall2 consider as "critical" connections?

It used to be the ports that had explicit drop rules due to the autoprotect stuff.

> and second, how can I get syslog to write these messages into just one log file?

You can modify the log options via FW_LOG in the configuration file. AFAIK syslog-ng provides more advanced matching rules to allow finer grained log filtering.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
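The triplication Ashley describes falls out of how classic sysklogd selectors work: a positive selector adds priorities for a facility, `none` removes them all, and every rule line is evaluated independently. The following script is an added example, not part of the thread and not SuSEfirewall2 or SUSE code: a small evaluator of sysklogd-style `/etc/syslog.conf` selectors that replays the configuration quoted in the question and a variant with `kern.none` added to the `warn` and `messages` rules. It assumes that iptables LOG messages arrive as facility `kern` at priority `warning` (the LOG target's default level); the two configuration strings are constructed for the example, the first copied from the question and the second edited.

```python
# Added example: evaluate sysklogd-style syslog.conf selectors to see which
# files a kern.warning message (iptables LOG default level) is written to.

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def parse_rule(line):
    """Parse one 'selectors action' line into (action, {facility: set(priorities)}).

    Selectors separated by ';' are applied left to right: 'fac.pri' adds pri and
    every more severe level, 'fac.=pri' adds exactly pri, '!' removes instead of
    adding, and 'fac.none' clears the facility entirely (this is how mail.none
    and news.none in the quoted config keep mail/news out of /var/log/messages).
    """
    selectors, action = line.split(None, 1)
    mask = {fac: set() for fac in FACILITIES}
    for sel in selectors.split(";"):
        facs, pri = sel.rsplit(".", 1)
        negate = pri.startswith("!")
        pri = pri.lstrip("!")
        exact = pri.startswith("=")
        pri = pri.lstrip("=")
        pri = ALIASES.get(pri, pri)
        if pri == "none":
            levels, negate = set(PRIORITIES), True
        elif pri == "*":
            levels = set(PRIORITIES)
        elif exact:
            levels = {pri}
        else:
            levels = set(PRIORITIES[PRIORITIES.index(pri):])
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if negate:
                mask[fac] -= levels
            else:
                mask[fac] |= levels
    # A leading '-' on a file action only disables fsync; it is not part of the path.
    return action.strip().lstrip("-"), mask


def destinations(config, facility, priority):
    """Return, in config order, every action a facility.priority message reaches."""
    hits = []
    for line in config.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, mask = parse_rule(line)
        if priority in mask[facility]:
            hits.append(action)
    return hits


# The selectors quoted in the question (constructed copy of the posted excerpt).
ORIGINAL = """
kern.*                          /var/log/kernel
*.=warning;*.=err               -/var/log/warn
*.crit                          /var/log/warn
*.*;mail.none;news.none         -/var/log/messages
"""

# Same rules with kern.none added so routine kernel messages land only in
# /var/log/kernel. The unchanged '*.crit' line still copies kern.crit and
# above into /var/log/warn, so genuinely critical kernel events stay visible.
FIXED = """
kern.*                                  /var/log/kernel
*.=warning;*.=err;kern.none             -/var/log/warn
*.crit                                  /var/log/warn
*.*;mail.none;news.none;kern.none       -/var/log/messages
"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("with kern.none", FIXED)):
        print(f"{name}: kern.warning -> {destinations(cfg, 'kern', 'warning')}")
        print(f"{name}: kern.crit    -> {destinations(cfg, 'kern', 'crit')}")
```

Run stand-alone it shows the posted configuration sending a `kern.warning` line to all three files and the `kern.none` variant sending it only to `/var/log/kernel`. The same exclusion idea applies to the rsyslog and syslog-ng filters Ludwig mentions; the evaluator here only models the plain sysklogd syntax shown in the thread, so check your own syslog daemon's manual for its exact selector semantics before relying on it.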