[opensuse] how to see logs without susefirewall ones?
Hello,
I always have a lot of Susefirewall messages in kernel logs. This makes understanding eventual problems difficult.
So I need to know how to see logs without them, either sending firewall logs to another file or using some journalctl option to have them not displayed
thanks
jdd
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2014-12-05 11:25, jdd wrote:
Hello,
I always have a lot of Susefirewall messages in kernel logs. This makes understanding eventual problems difficult.
So I need to know how to see logs without them, either sending firewall logs to another file or using some journalctl option to have them not displayed
With rsyslog or other syslog implementation, the firewall logs go to a different file, or can be easily made to.
With journalctl you have to use units or other controls to limit the output. It is supposedly a database. Best would be to import to libreoffice and apply filters with the mouse. Dunno if possible.
--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
On 05/12/2014 13:27, Carlos E. R. wrote:
On 2014-12-05 11:25, jdd wrote:
Hello,
I always have a lot of Susefirewall messages in kernel logs. This makes understanding eventual problems difficult.
So I need to know how to see logs without them, either sending firewall logs to another file or using some journalctl option to have them not displayed
With rsyslog or other syslog implementation, the firewall logs go to a different file, or can be easily made to.
not so easily, the problem always existed :-(
With journalctl you have to use units or other controls to limit the output. It is supposedly a database. Best would be to import to libreoffice and apply filters with the mouse. Dunno if possible.
yes, but the man page is a bit hard for me. That said, I like the abilities of journalctl :-)
thanks
jdd
On 2014-12-05 15:20, jdd wrote:
On 05/12/2014 13:27, Carlos E. R. wrote:
On 2014-12-05 11:25, jdd wrote:
With rsyslog or other syslog implementation, the firewall logs go to a different file, or can be easily made to.
not so easily, the problem always existed :-(
Not for me. All the firewall entries are on a separate file. :-)
--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
On 12/05/2014 09:41 AM, Carlos E. R. wrote:
On 2014-12-05 15:20, jdd wrote:
On 05/12/2014 13:27, Carlos E. R. wrote:
On 2014-12-05 11:25, jdd wrote:
With rsyslog or other syslog implementation, the firewall logs go to a different file, or can be easily made to.
not so easily, the problem always existed :-(
Not for me. All the firewall entries are on a separate file. :-)
+1
--
/"\
\ /  ASCII Ribbon Campaign
 X   Against HTML Mail
/ \
jdd wrote:
On 05/12/2014 13:27, Carlos E. R. wrote:
On 2014-12-05 11:25, jdd wrote:
Hello,
I always have a lot of Susefirewall messages in kernel logs. This makes understanding eventual problems difficult.
So I need to know how to see logs without them, either sending firewall logs to another file or using some journalctl option to have them not displayed
With rsyslog or other syslog implementation, the firewall logs go to a different file, or can be easily made to.
not so easily, the problem always existed :-(
Really, it is very easy. I have never had the problem with my own iptables firewall.
for syslog-ng:
filter f_iptables { facility(kern) and message("IN=") and message("OUT="); };
destination firewall { file("/var/log/firewall" suppress(30)); };
log { source(src); source(chroots); filter(f_iptables); destination(firewall); };
filter f_messages { not facility(news, mail) and not filter(f_iptables); };
(I think these are included in the standard config).
--
Per Jessen, Zürich (3.8°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 05/12/2014 17:45, Per Jessen wrote:
Really, it is very easy. I have never had the problem with my own iptables firewall.
sorry, but if your solution is easy, what is a difficult one? I don't understand it at all.
What I could do:
journalctl | grep -v SFW2 | grep -v IPv4 | grep -v ll\ header | less
but I guess there is something simpler
jdd
On 2014-12-05 20:47, jdd wrote:
On 05/12/2014 17:45, Per Jessen wrote:
Really, it is very easy. I have never had the problem with my own iptables firewall.
sorry, but if your solution is easy, what is a difficult one? I don't understand it at all.
What I could do:
journalctl | grep -v SFW2 | grep -v IPv4 | grep -v ll\ header | less
But that is not syslog. journalctl doesn't have negative arguments, and that is what you need. To filter out items.
--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
On 05/12/2014 23:14, Carlos E. R. wrote:
journalctl doesn't have negative arguments, and that is what you need. To filter out items.
I don't want to lose advantages of journalctl (specially filtering previous boots). I have found one way to do what I need, maybe there are others
jdd
On 2014-12-06 10:28, jdd wrote:
On 05/12/2014 23:14, Carlos E. R. wrote:
journalctl doesn't have negative arguments, and that is what you need. To filter out items.
I don't want to lose advantages of journalctl (specially filtering previous boots). I have found one way to do what I need, maybe there are others
Previous boot logs are also saved with syslog, since systemd times. The difficulty is knowing where exactly each one starts, but I have my own method to mark them. Booting messages are going to the /var/log/messages, with the rest, so they are stored till you delete them. The /var/log/boot.msg file, which is rewritten on each boot, is created now by plymouth, so I don't have it.
--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
On 06/12/2014 14:31, Carlos E. R. wrote:
Previous boot logs are also saved with syslog, since systemd times. The difficulty is knowing where exactly each one starts, but I have my own method to mark them.
yes, I know :-)
jdd
jdd wrote:
On 05/12/2014 17:45, Per Jessen wrote:
Really, it is very easy. I have never had the problem with my own iptables firewall.
sorry, but if your solution is easy, what is a difficult one? I don't understand it at all.
It's not really my solution, it's simply the default syslog-ng config in openSUSE :
filter f_iptables { facility(kern) and message("IN=") and message("OUT="); };
facility-kernel and message contains "IN=" and message contains "OUT=".
destination firewall { file("/var/log/firewall" suppress(30)); };
A destination definition.
log { source(src); source(chroots); filter(f_iptables); destination(firewall); };
log messages that match filter to destination.
filter f_messages { not facility(news, mail) and not filter(f_iptables); };
for the general /var/log/messages logfile, do not include the firewall messages.
--
Per Jessen, Zürich (4.2°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
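An added example, not from the thread: the test of the f_iptables filter above (kernel facility, message containing "IN=" and "OUT=") applied to `journalctl -o json` output, so journalctl's own options such as `-b -1` still select the boot. It assumes the journal export fields `MESSAGE`, `SYSLOG_FACILITY` and `__REALTIME_TIMESTAMP`; the sample records and the script name `nofw.py` are made up here.

```python
import json
import sys
from datetime import datetime, timezone
# Constructed sample records, serialized one JSON object per line like `journalctl -o json`.
SAMPLE = [json.dumps({"__REALTIME_TIMESTAMP": ts, "SYSLOG_FACILITY": fac, "MESSAGE": msg})
          for ts, fac, msg in [
    ("1417775100000000", "0", "SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.0.2.10 PROTO=TCP DPT=23"),
    ("1417775101000000", "0", "EXT4-fs error (device sda2): bad block bitmap checksum"),
    ("1417775102000000", "3", "backup: IN=/srv OUT=/mnt/usb finished"),
]]

def message_text(entry):
    """MESSAGE is a string, or a list of byte values when it is not valid UTF-8."""
    msg = entry.get("MESSAGE")
    if isinstance(msg, list):
        return bytes(msg).decode("utf-8", "replace")
    return msg if isinstance(msg, str) else ""

def is_firewall(entry):
    """Same test as f_iptables: kernel facility (0), message has "IN=" and "OUT="."""
    msg = message_text(entry)
    return entry.get("SYSLOG_FACILITY") == "0" and "IN=" in msg and "OUT=" in msg

def split_journal(lines):
    """Return (other, firewall) lists of parsed journal entries."""
    other, firewall = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            entry = None
        if not isinstance(entry, dict):
            entry = {"MESSAGE": line}          # keep unparsable input visible
        (firewall if is_firewall(entry) else other).append(entry)
    return other, firewall

def render(entry):
    """Format one entry as 'UTC timestamp  message'."""
    stamp = datetime.fromtimestamp(int(entry.get("__REALTIME_TIMESTAMP", 0)) / 1e6, tz=timezone.utc)
    return f"{stamp:%Y-%m-%d %H:%M:%S}  {message_text(entry)}"

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin   # piped journal JSON, else the sample
    other, firewall = split_journal(source)
    print("\n".join(render(e) for e in other))
    print(f"({len(firewall)} firewall entries hidden)", file=sys.stderr)
```

Run as `journalctl -b -1 -o json | python3 nofw.py`; the third sample record shows why the facility check matters, since a non-kernel message containing "IN=" and "OUT=" is not hidden.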
On 07/12/2014 15:17, Per Jessen wrote:
It's not really my solution, it's simply the default syslog-ng config in openSUSE :
default? of course I don't have it anymore :-(, but the "problem" is old
2006: http://lists.opensuse.org/opensuse/2006-07/msg01319.html
2011: https://tr.opensuse.org/SDB:SuSEfirewall2_Overflows_the_File_/var/log/messag...
anyway, it's nearly the same as the solution I got, and the max size of journald logs is much higher than the syslog one
thanks
jdd
jdd wrote:
On 07/12/2014 15:17, Per Jessen wrote:
It's not really my solution, it's simply the default syslog-ng config in openSUSE :
default?
of course I don't have it anymore :-(, but the "problem" is old
2006: http://lists.opensuse.org/opensuse/2006-07/msg01319.html
Sorry, that is a completely different problem. It is not about keeping firewall messages out of the log, but out of the kernel buffer. The only solution to that (to my knowledge) is to use the ulog iptables module and have it log to syslog. I do find the ulog config to be quite difficult.
2011: https://tr.opensuse.org/SDB:SuSEfirewall2_Overflows_the_File_/var/log/messag...
Right, that problem is solved with the syslog-ng config I posted earlier.
--
Per Jessen, Zürich (4.8°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
participants (4)
- Anton Aylward
- Carlos E. R.
- jdd
- Per Jessen