[SLE] SuSEfirewall2 & dmesg
Since I started running SuSEfirewall2, it constantly logs to the dmesg buffer, making dmesg pretty much useless for anything other than looking at iptables logs. I can look at that in syslog. I'd like my dmesg buffer back. Is there a way to configure SuSEfirewall2 to not send stuff into the dmesg buffer but instead only log to /var/log/messages? I looked in /etc/sysconfig/SuSEfirewall but didn't see in there how to accomplish this.

Thanks
Michael
--
San Francisco, CA

--
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@suse.com
On 20/07/06 07:30, Michael Nelson wrote:
Since I started running SuSEfirewall2, it constantly logs to the dmesg buffer, making dmesg pretty much useless for anything other than looking at iptables logs. I can look at that in syslog. I'd like my dmesg buffer back. Is there a way to configure SuSEfirewall2 to not send stuff into the dmesg buffer but instead only log to /var/log/messages?
I looked in /etc/sysconfig/SuSEfirewall but didn't see in there how to accomplish this.

AFAIK, dmesg is only an agent to read the kernel ring buffer, which is where everything from the kernel goes if it is to be logged anywhere. That includes everything logged by iptables. Stuff that goes into the buffer is then read by the syslog agent and written to the appropriate file(s). In SuSE, the default syslog is syslog-ng, which is highly configurable -- for example, with a couple of filter definitions, everything that is logged by iptables can be sent to a separate firewall log file.

The SuSEfirewall is written so that everything that gets logged has a prefix beginning SFW2. You can use this to read the kernel buffer directly, but avoid having to read all the firewall entries: dmesg | grep -v SFW2. Otherwise, your only recourse would seem to be to turn off all firewall logging, which is something you probably do not wish to do.
On Thursday 20 July 2006 9:30 am, Michael Nelson wrote: <snip>
Is there a way to configure SuSEfirewall2 to not send stuff into the dmesg buffer but instead only log to /var/log/messages?
Not directly, and certainly not from the current version of the GUI you can click on in yast2. The /sbin/SuSEfirewall2 script is hard-coded to use the LOG target, which of course plops the messages into the kernel ring buffer where both dmesg and syslog can see it. The ULOG target was implemented to allow logging to go through userspace instead, but most firewall building tools (including SuSEfirewall2) don't make use of it. You would need to either go through all 2000-ish lines of /sbin/SuSEfirewall2's Bourne shell code and "fix" all of the -j LOG targets to use ULOG instead, or a better idea is to write a quick-and-dirty perl/sed/awk/whatever script to alter the generated iptables rules to use ULOG. (Something along the lines of iptables-save | sed -e 's/\-j LOG/-j ULOG/' | iptables-restore or similar) Then you'll need to enable/configure ulogd to pick up the messages and either drop them into a file or feed them to syslog-ng where you can then write a rule to put them in /var/log/messages.
I looked in /etc/sysconfig/SuSEfirewall but didn't see in there how to accomplish this.
SIDE NOTE: A simpler solution might be to turn off most of the logging in the firewall. Knowing that there were 935 failed attempts to ping your machine yesterday might make you feel better, but beyond initial debugging, it's not useful knowledge. It's not like you can control who tries to hit your firewall or how often. A better approach would be to detect when something gets through that shouldn't, and that's not something a single firewall is going to know. Better to use two firewalls with two different technologies, one to block everything you don't want and log none of it, and a second one to silently pass what you do want, and block/log anything it sees that the first one should have stopped. That way, the only log messages you'll see are the ones that you really need to pay attention to. However, if you really want to make iptables play nice with dmesg, and worry about your logfile analysis strategy later, then start by looking at this: http://wiki.linuxquestions.org/wiki/Dmesg Then have a look through the /usr/share/doc/packages/SuSEfirewall2 directory so you understand how all the scripts fit together, read up on ulogd and syslog-ng if necessary, and make your changes. As always, backups are really good for keeping the karma up. JA
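The LOG-to-ULOG rewrite JA sketches above, as an added worked example that is not part of the original thread and not code from SuSEfirewall2 itself. One thing the bare s/-j LOG/-j ULOG/ misses: the ULOG target takes --ulog-prefix and --ulog-nlgroup but none of LOG's own options, so a rule that still carries --log-prefix, --log-level or the --log-*-options flags is rejected by iptables-restore. The function below carries the prefix across as --ulog-prefix, drops the LOG-only options and sets the netlink group ulogd listens on. The iptables-save output it runs over is constructed for the example; the rule bodies, the SFW2 prefixes and the nlgroup value of 1 are assumptions, not copied from a SuSEfirewall2 host.

```shell
#!/bin/sh
# Added example, not code from the original thread or from SuSEfirewall2.
# Rewrites iptables-save output so that every "-j LOG" rule logs through
# "-j ULOG" (userspace, via ulogd) instead of the kernel ring buffer.
#
# A plain s/-j LOG/-j ULOG/ is not enough: ULOG knows --ulog-prefix and
# --ulog-nlgroup but none of LOG's --log-prefix/--log-level/--log-*-options,
# and iptables-restore rejects a rule carrying options its target lacks.

# Constructed sample of iptables-save output. The rules and SFW2 prefixes are
# illustrative; they are not copied from a real SuSEfirewall2 host.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options --log-level 4
-A INPUT -p icmp -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-level 6
-A INPUT -j DROP
COMMIT'

# log_to_ulog [nlgroup]
# Filter: reads iptables-save text on stdin, writes the rewritten text on stdout.
# nlgroup is the netlink multicast group ulogd must listen on (assumed 1 here).
# Lines without "-j LOG" pass through unchanged.
log_to_ulog() {
    nlgroup="${1:-1}"
    sed -e '/-j LOG/{
        s/-j LOG$/-j LOG /
        s/-j LOG /-j ULOG --ulog-nlgroup '"$nlgroup"' /
        s/--log-prefix/--ulog-prefix/
        s/ --log-level [0-9a-z]*//
        s/ --log-tcp-sequence//
        s/ --log-tcp-options//
        s/ --log-ip-options//
        s/ --log-uid//
        s/ *$//
    }'
}

# rewrite_sample: the rewrite applied to the constructed sample.
rewrite_sample() {
    printf '%s\n' "$SAMPLE_RULES" | log_to_ulog 1
}

# count_matches PATTERN: number of rewritten lines containing PATTERN.
# Self-check: expect two ULOG rules and no LOG-only option left behind.
count_matches() {
    rewrite_sample | grep -c -- "$1" || true
}

# Stand-alone run: print the rewritten rule set. On a live host the pipeline
# would be:  iptables-save | log_to_ulog 1 | iptables-restore
rewrite_sample
```

On a live host this only helps if ulogd is already running and configured for the same nlgroup; ULOG messages are not queued anywhere, so with no listener they simply disappear. And since /sbin/SuSEfirewall2 regenerates its rules with -j LOG every time it starts, the rewrite has to be reapplied after each restart of the firewall.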
On Thu, Jul 20, 2006 at 03:48:09PM -0400, JA wrote:
Not directly, and certainly not from the current version of the GUI you can click on in yast2. The /sbin/SuSEfirewall2 script is hard-coded to use the LOG target, which of course plops the messages into the kernel ring buffer where both dmesg and syslog can see it. The ULOG target was implemented to allow logging to go through userspace instead, but most firewall building tools (including SuSEfirewall2) don't make use of it.
Thanks. RHEL4 and CentOS4 manage to have an iptables setup that works just fine without spewing so much crap into the kernel ring buffer that dmesg becomes useless. This must be another SuSE/Novell "enhancement".
You would need to either go through all 2000-ish lines of /sbin/SuSEfirewall2's Bourne shell code and "fix" all of the -j LOG targets to use ULOG instead
Tried that, it didn't work. Thanks much for trying to help. I think I will just shut off SFW2 and convert it to a manual iptables setup. That method is easier for me to manage anyway.

Michael
--
San Francisco, CA
On 20/07/06 20:23, Michael Nelson wrote:
On Thu, Jul 20, 2006 at 03:48:09PM -0400, JA wrote:
Not directly, and certainly not from the current version of the GUI you can click on in yast2. The /sbin/SuSEfirewall2 script is hard-coded to use the LOG target, which of course plops the messages into the kernel ring buffer where both dmesg and syslog can see it. The ULOG target was implemented to allow logging to go through userspace instead, but most firewall building tools (including SuSEfirewall2) don't make use of it.
Thanks. RHEL4 and CentOS4 manage to have an iptables setup that works just fine without spewing so much crap into the kernel ring buffer that dmesg becomes useless. This must be another SuSE/Novell "enhancement".
I have always found it is better to err on the side of more information in the logs than less. SuSE seems to agree, at least when it concerns the firewall. Perhaps my previous message got lost in the mail: try "dmesg | grep -v SFW2"
On Fri, Jul 21, 2006 at 01:24:34AM -0600, Darryl Gregorash wrote:
Perhaps my previous message got lost in the mail: try "dmesg | grep -v SFW2"
The buffer is of a finite size, and is completely full of SFW2 stuff... therefore the above command produces no output.

Michael
--
San Francisco, CA
participants (3)
- Darryl Gregorash
- JA
- Michael Nelson