On Sat, 2002-08-03 at 14:19, Pam R wrote:
Hi
I'm running 8.0 with a stock SuSEfirewall2 setup and a cable modem, and have 2 questions about logging:
1) /var/log/warn, /var/log/firewall, and /var/log/messages all seem to contain a similar mix of information - for example in /var/log/firewall I see
Aug 3 18:15:38 betsy kernel: eth1: no IPv6 routers present
Aug 3 18:17:46 betsy kernel: EXT2-fs warning: maximal mount count reached, running e2fsck is recommended
Aug 3 18:18:19 betsy kernel: SuSE-FW-UNAUTHORIZED-TARGET IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:20:40:67:0f:eb:08:00 SRC=192.168.100.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
I don't see how the first 2 items here relate to the firewall? But the same items also appear in /var/log/warn and /var/log/messages. This seems to be a bit of overkill; how can I make sure that only firewall messages go to the firewall log? And how can I stop firewall messages going to the other 2 log files? And what is the purpose of /var/log/warn?
The default SuSE configuration logs some messages in multiple places, as you observed. You can see what gets logged where by looking at /etc/syslog.conf. Essentially, any message (from a specified service) of a certain severity level or higher gets logged to the file or device listed on the right-hand side of the syslog.conf file. You can see the last entry specifies kern.* -/var/log/firewall, which means log ALL kernel messages to /var/log/firewall. Does this make sense? Well, since the iptables/netfilter stuff comes from the kernel, probably so, but you will also get other kernel messages that are not related to the firewall. I'm not sure what severity level netfilter messages are typically set with, but you may want to look into it if it bothers you. Maybe you can cut down the number of non-firewall related messages. Another approach might be to let everything get dumped into /var/log/messages and then use a program or script to pull out just the stuff you want to see.
2) I seem to get SuSE-FW-UNAUTHORIZED-TARGET reports every minute or two. They are as far as I can tell all due to IGMP chat between routers on the cable system and are basically harmless except that the messages quickly fill up the log(s). Is there any way I can tell SuSEfirewall2 not to log this type of transaction?
If they are just informational or warnings, you could set the logging to only log higher severity messages. Check man syslog.conf.

Best Regards,
Keith
--
LPIC-2, MCSE, N+
Right behind you, I see the millions
Got spam? Get spastic http://spastic.sourceforge.net
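The following script is an added illustration of the second approach Keith mentions (let everything land in /var/log/messages, then pull out only the SuSE-FW-* lines), and it also addresses Pam's second question by suppressing the IGMP multicast chatter (PROTO=2 to a 224/4 destination) before it reaches the eye. It is not part of this thread or of SuSEfirewall2. The sample log embedded at the top is constructed: the first three lines mirror the excerpt quoted above, while the SuSE-FW-DROP-DEFAULT line, its addresses and the sshd line are made up so the filter has something to keep and something to ignore. The field names it parses (IN, OUT, SRC, DST, PROTO, DPT and bare flags like DF, SYN) are the standard netfilter LOG format seen in the quoted line.

```python
#!/usr/bin/env python3
"""Pull SuSE-FW-* lines out of a mixed syslog file and drop the IGMP noise."""
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample input modelled on the /var/log/firewall excerpt in the
# thread. The host name "betsy" comes from the thread; the DROP-DEFAULT line
# and the sshd line are made up.
SAMPLE_LOG = """\
Aug  3 18:15:38 betsy kernel: eth1: no IPv6 routers present
Aug  3 18:17:46 betsy kernel: EXT2-fs warning: maximal mount count reached, running e2fsck is recommended
Aug  3 18:18:19 betsy kernel: SuSE-FW-UNAUTHORIZED-TARGET IN=eth1 OUT= MAC=01:00:5e:00:00:01:00:20:40:67:0f:eb:08:00 SRC=192.168.100.1 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0xC0 TTL=1 ID=0 PROTO=2
Aug  3 18:19:02 betsy kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= MAC=00:20:40:67:0f:eb:00:10:a4:c3:2b:7e:08:00 SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4242 DF PROTO=TCP SPT=3127 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  3 18:20:11 betsy sshd[1234]: Accepted publickey for pam from 192.168.1.5 port 50123 ssh2
"""

# syslog timestamp, host, the "kernel:" prefix, then the SuSEfirewall2 rule
# tag (SuSE-FW-...) followed by the netfilter KEY=VALUE fields.
FW_LINE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<tag>SuSE-FW-[A-Z0-9-]+) (?P<fields>.*)$"
)


def parse_firewall_line(line):
    """Return a dict for a SuSE-FW-* kernel line, or None for anything else."""
    m = FW_LINE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = {"stamp": m.group("stamp"), "host": m.group("host"),
           "tag": m.group("tag"), "flags": []}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value            # SRC, DST, PROTO, DPT ...; "OUT=" gives ""
        else:
            rec["flags"].append(token)  # bare tokens such as DF, SYN
    return rec


def is_igmp_multicast(rec):
    """True for the IGMP chatter Pam asked about: PROTO=2 sent to a 224/4 address."""
    if rec.get("PROTO") != "2":
        return False
    try:
        return ipaddress.ip_address(rec.get("DST", "")).is_multicast
    except ValueError:
        return False


def filter_firewall(lines, drop_igmp=True):
    """Keep only firewall records, optionally dropping IGMP multicast noise.

    Returns (kept_records, number_of_igmp_lines_dropped).
    """
    kept, dropped = [], 0
    for line in lines:
        rec = parse_firewall_line(line)
        if rec is None:
            continue                    # non-firewall kernel lines, sshd, etc.
        if drop_igmp and is_igmp_multicast(rec):
            dropped += 1
            continue
        kept.append(rec)
    return kept, dropped


def summarize(records):
    """Count (rule tag, protocol, destination port) so repeat offenders stand out."""
    return Counter((r["tag"], r.get("PROTO"), r.get("DPT")) for r in records)


def main(argv):
    # Usage: fwfilter.py /var/log/messages   (reads the built-in sample if no file is given)
    if len(argv) > 1:
        with open(argv[1]) as fh:
            records, dropped = filter_firewall(fh)
    else:
        records, dropped = filter_firewall(SAMPLE_LOG.splitlines())
    for r in records:
        print(f"{r['stamp']} {r['tag']} {r.get('SRC')} -> {r.get('DST')} "
              f"proto={r.get('PROTO')} dpt={r.get('DPT')} {' '.join(r['flags'])}")
    print(f"({dropped} IGMP multicast lines suppressed)")
    for key, n in summarize(records).most_common():
        print(n, *key)


if __name__ == "__main__":
    main(sys.argv)
```

Run against the sample, the two non-firewall kernel lines and the sshd line are ignored, the IGMP report to 224.0.0.1 is counted and suppressed, and only the constructed DROP-DEFAULT entry is printed and tallied. Pointing it at /var/log/messages gives the same view without touching syslog.conf; if you would rather change what gets logged, the severity approach Keith describes is the place to look.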