Greetings. As I'm in the process of doing numerous things on my system, one thing has been bothering me for quite a while: having firewall event records in /var/log/messages. Personally I think those should go into their own firewall log, /var/log/firewall.log, so I tried the following:

1- In /etc/sysconfig/SuSEFirewall2 I edited the FW_LOG parameter to add SuSE_FW.

2- In both /etc/syslog-ng/syslog-ng.conf and /etc/syslog-ng/syslog-ng.conf.in I edited the following like so:

    filter f_iptables { facility(kern) and match("SuSE_FW"); };
    destination firewall { file("/var/log/firewall.log"); };
    log { source(src); filter(f_iptables); destination(firewall); flags(final); };

3- I edited /etc/syslog.conf to the following:

    kern;mail.none;news.none;authpriv;auth.none   -/var/log/messages
    kern.warn                                      -/var/log/kern.log
    kern.notice;kern.*                             /var/log/firewall.log

Now, with the current configuration and due to the third modification listed above, I can get the firewall to log events under /var/log/firewall.log, but I do not get the common logs in /var/log/messages anymore, such as user sessions etc.

My question is, how am I to modify syslog.conf to get only the firewall events diverted to the /var/log/firewall.log log?

Another question is, what is your opinion on, and the best way to get, the firewall logging directly to MySQL?

And my last question is, why has SUSE performed such a basic setup, what are the reasons behind that, and will it be introducing DB log support in future releases?

-- Regards -RP- ___________________________ If computers were made in heaven, would they be perfect? ___________________________
RutePoint wrote:
2- In both /etc/syslog-ng/syslog-ng.conf and /etc/syslog-ng/syslog-ng.conf.in I edited the following like so:

    filter f_iptables { facility(kern) and match("SuSE_FW"); };
    destination firewall { file("/var/log/firewall.log"); };
    log { source(src); filter(f_iptables); destination(firewall); flags(final); };
Looks good - but what does flags() do? I can't find that in the man page on my SUSE 10.0 box.
3- I edited /etc/syslog.conf to the following:

    kern;mail.none;news.none;authpriv;auth.none   -/var/log/messages
    kern.warn                                      -/var/log/kern.log
    kern.notice;kern.*                             /var/log/firewall.log
Which syslog are you using? The above has nothing to do with syslog-ng.
another question is, what is your opinion and best way to get firewall to log directly to mysql?
To set up a mysql destination in syslog-ng.
and my last question is, why has suse performed such a basic setup, what are the reasons behind that
Because they try to accommodate everyone with one setup - to be honest, the default setup in 10.0 is perfectly fine for my systems. On one or two special systems I do have a separate configuration (on the firewall for instance), but the rest just use the default.
and will it be introducing db log support in future releases?
It's already there - just configure syslog-ng for it. But for the direction of the distro or whether you'll have YaST support for configuring syslog-ng, you're better off asking on the opensuse list. /Per Jessen, Zürich -- http://www.spamchek.com/ - managed anti-spam and anti-virus solution. Let us analyse your spam- and virus-threat - up to 2 months for free.
Looks good - but what does flags() do? I can't find that in the man page on my SUSE 10.0 box.
Dunno what exactly it does; it was mentioned in a post on the Novell site, http://portal.suse.com/sdb/en/2005/08/rschmid_firewall_log.html
It's already there - just configure syslog-ng for it. But for the direction of the distro or whether you'll have YaST support for configuring syslog-ng, you're better off asking on the opensuse list.
How would it be done manually? -- Regards -RP-
RutePoint wrote:
It's already there - just configure syslog-ng for it. But for the direction of the distro or whether you'll have YaST support for configuring syslog-ng, you're better off asking on the opensuse list.
How would it be done manually?
From some quick googling:
    # pipe messages to /var/log/mysql.pipe to be processed by mysql
    source src { unix-stream("/dev/log"); pipe("/proc/kmsg"); internal(); };
    destination d_mysql {
        pipe("/var/log/mysql.pipe"
             template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
             template-escape(yes));
    };
    log { source(src); destination(d_mysql); };

http://gentoo-wiki.com/HOWTO_setup_PHP-Syslog-NG

The man page doesn't mention much of the above, so either it's hopelessly out of date or SUSE's syslog-ng is due for an upgrade.

/Per Jessen, Zürich
Per Jessen wrote:
[about sending syslog messages to mysql]
From some quick googling:
    # pipe messages to /var/log/mysql.pipe to be processed by mysql
    source src { unix-stream("/dev/log"); pipe("/proc/kmsg"); internal(); };
    destination d_mysql {
        pipe("/var/log/mysql.pipe"
             template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
             template-escape(yes));
    };
    log { source(src); destination(d_mysql); };
Tip: Don't insert log records directly, but just send them to a daemon that inserts them. There you can sanitize them, to protect against SQL insertion attacks.

Set up a watchdog for database errors; they can happen.

Plan for data retention in your syslog database. Without that, searching can get slow for large sites.

Then test the performance thoroughly. Once, we did such a set-up for a customer where we had several thousand syslog records per minute. But several thousand inserts per minute can thrash your database, if you're not careful. It is important to know the performance limits of your system and to set up watchdogs that check for these limits.

The log insertion server is bound by the database execution time, thus one doesn't need to pay much attention to code efficiency there -- but there must not be any memory leaks. (I would recommend using a programming language with automatic memory management.)

Cheers, Joachim -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Joachim Schrod Email: jschrod@acm.org Roedermark, Germany
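As an added example (not code from the thread or from syslog-ng), here is the kind of insertion daemon Joachim's tip describes, sitting behind the pipe that Per's configuration writes to. The difference from the gentoo-wiki template above is that syslog-ng never builds SQL text at all: it is assumed to write one tab-separated record per message (the hypothetical template is in the docstring), and the consumer does parameterised inserts, so a message body containing quotes or SQL is stored verbatim instead of being interpreted. sqlite3 stands in for MySQL so the example runs offline; with MySQLdb only the parameter placeholder changes. It also shows the retention and malformed-line handling Joachim recommends, and the constructed sample records include an injection payload in the message text.

```python
"""Pipe consumer for a syslog-ng -> named pipe -> database setup.

Assumed (hypothetical) syslog-ng destination feeding the pipe:
  destination d_dbpipe {
      pipe("/var/log/mysql.pipe"
           template("$HOST\t$FACILITY\t$PRIORITY\t$PROGRAM\t$ISODATE\t$MSG\n"));
  };
sqlite3 replaces MySQL here so the example runs stand-alone.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

FIELDS = ("host", "facility", "priority", "program", "datetime", "msg")


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS logs ("
        " id INTEGER PRIMARY KEY, host TEXT, facility TEXT, priority TEXT,"
        " program TEXT, datetime TEXT, msg TEXT)"
    )
    # Retention deletes and time-range searches both hit this index.
    conn.execute("CREATE INDEX IF NOT EXISTS logs_dt ON logs(datetime)")
    return conn


def parse_record(line):
    """Split one pipe record into a dict, or return None if malformed.
    maxsplit keeps any tabs inside the message body in the msg column."""
    parts = line.rstrip("\n").split("\t", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def insert_records(conn, lines, batch=500):
    """Batched, parameterised insert. Returns (inserted, rejected)."""
    rows, bad = [], 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            bad += 1          # count it for the watchdog, never raise
            continue
        rows.append(tuple(rec[f] for f in FIELDS))
    for i in range(0, len(rows), batch):
        conn.executemany(
            "INSERT INTO logs (host, facility, priority, program, datetime, msg)"
            " VALUES (?, ?, ?, ?, ?, ?)",      # values are bound, never spliced
            rows[i:i + batch],
        )
    conn.commit()
    return len(rows), bad


def expire_older_than(conn, days, now=None):
    """Retention: drop rows older than `days`. $ISODATE strings compare
    lexically in time order (exact for a single UTC offset)."""
    now = now or datetime.now(timezone.utc)
    cutoff = (now - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%S")
    cur = conn.execute("DELETE FROM logs WHERE datetime < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def firewall_messages(conn):
    """Kernel-facility messages that look like netfilter log lines."""
    return [r[0] for r in conn.execute(
        "SELECT msg FROM logs WHERE facility = 'kern' AND msg LIKE '%IN=%'"
        " ORDER BY id")]


# Constructed sample records, as the assumed template would write them.
# The second one carries an injection payload in the message body.
SAMPLE_LINES = [
    "fw1\tkern\tnotice\tkernel\t2006-01-15T10:21:00+02:00\t"
    "SuSE_FW-DROP IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=22\n",
    "fw1\tauth\tinfo\tsshd\t2006-01-15T10:21:01+02:00\t"
    "Invalid user '); DROP TABLE logs; -- from 10.0.0.5\n",
    "fw1\tkern\tnotice\n",                       # malformed: too few fields
    "fw1\tkern\tnotice\tkernel\t2005-01-01T00:00:00+01:00\t"
    "SuSE_FW-DROP IN=eth1 OUT= SRC=192.0.2.9 DST=10.0.0.1 PROTO=UDP DPT=53\n",
]


def demo():
    conn = open_db()
    ok, bad = insert_records(conn, SAMPLE_LINES)
    expired = expire_older_than(
        conn, days=30, now=datetime(2006, 1, 16, tzinfo=timezone.utc))
    remaining = conn.execute("SELECT COUNT(*) FROM logs").fetchone()[0]
    return ok, bad, expired, remaining, firewall_messages(conn)


if __name__ == "__main__":
    print(demo())
```

In production the `lines` argument would be the open pipe (`open("/var/log/mysql.pipe")` iterated line by line) and `open_db` would connect to MySQL; the parsing and insert logic stays the same. Because the message text is bound as a parameter, `template-escape(yes)` is no longer doing security work, and a payload like the one in the second sample simply ends up as a string in the `msg` column.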
The Sunday 2006-01-15 at 10:21 +0200, RutePoint wrote:
As I'm in the process of doing numerous things on my system, one thing has been bothering me for quite a while, that is having firewall event records in /var/log/messages
Personally I think those should go into their own firewall log, /var/log/firewall.log
Me too; I have it working.
so I tried to do the following:
1- In /etc/sysconfig/SuSEFirewall2 I edited the FW_LOG parameter to add SuSE_FW
I didn't touch that, I left at default (SuSE 9.3 here).
2- In both /etc/syslog-ng/syslog-ng.conf and /etc/syslog-ng/syslog-ng.conf.in
No, you don't edit both. You edit only syslog-ng.conf.in, then run:

    SuSEconfig --module syslog-ng
    rcsyslog reload
I edited the following like so:

    filter f_iptables { facility(kern) and match("SuSE_FW"); };
    destination firewall { file("/var/log/firewall.log"); };
    log { source(src); filter(f_iptables); destination(firewall); flags(final); };
I have (mind: your MUA may wrap long lines):

    filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };
    filter f_console { level(warn) and facility(kern) and not filter(f_iptables)
                       or level(err) and not facility(authpriv); };
    # edit this to your liking:
    filter f_messages { not facility(news, mail) and not filter(f_iptables)
                        and not filter(f_local) and not facility(kern)
                        and not facility(authpriv); }; #Cer
    filter f_warn { level(warn, err, crit) and not filter(f_iptables); };

    #
    # Firewall (iptables) messages in one file:
    #
    destination firewall { file("/var/log/firewall"); };
    log { source(src); filter(f_iptables); destination(firewall); };

    #
    # All messages except iptables and the facilities news and mail:
    #
    destination messages { file("/var/log/messages"); };
    log { source(src); filter(f_messages); destination(messages); };

    #
    # Warnings (except iptables) in one file:
    #
    destination warn { file("/var/log/warn" fsync(yes)); };
    log { source(src); filter(f_warn); destination(warn); };
3- I edited /etc/syslog.conf to the following:
No, you are using syslog-ng; that file is not used.
another question is, what is your opinion and best way to get firewall to log directly to mysql?
Slower, probably, for a server.

-- Cheers, Carlos.
participants (4): Carlos E. R., Joachim Schrod, Per Jessen, RutePoint