
I looked at my firewall's /var/log/messages log and it's about 8mb and climbing 10K about every 1 minute. I looked at it and noticed almost all lines relate to SuSE-FW-DROP-DEFAULT which are caused by other computers sniffing around. How can I reduce these so that those lines are not included? I imagine this would reduce my files and reduce my processor work.????

Thanks,
Tom

-- 
Tom Nielsen
Neuro Logic Systems
805.389.5435 x18
www.neuro-logic.com

On Wednesday 26 November 2003 18:16, Tom Nielsen wrote:
Check your settings for logging on firewall2.

-- 
+----------------------------------------------------------------------------+
+ Bruce S. Marshall  bmarsh@bmarsh.com  Bellaire, MI         11/26/03 18:20  +
+----------------------------------------------------------------------------+
"It is better to wear out than to rust out."

On Wednesday 26 November 2003 18:27, Tom Nielsen wrote:
Well it took me all of two minutes to go into YAST and find that the setup for the firewall has (step 4 of 4) which deals with logging.

And I don't even use SuSEfirewall2.

-- 
+----------------------------------------------------------------------------+
+ Bruce S. Marshall  bmarsh@bmarsh.com  Bellaire, MI         11/26/03 18:46  +
+----------------------------------------------------------------------------+
"If one synchronized swimmer drowns, do the rest have to drown too?"

On Wed, 2003-11-26 at 15:47, Bruce Marshall wrote:
Whoa! A little lag on this email. I didn't use yast, but just looked in the susefirewall2 config file. I agree, it took me a couple minutes but I found it. I was missing the "log" part. Duh!

Thanks,
Tom

-- 
Tom Nielsen
Neuro Logic Systems
805.389.5435 x18
www.neuro-logic.com

The Wednesday 2003-11-26 at 15:16 -0800, Tom Nielsen wrote:
Aside from what you have already been told, you can configure what goes to /var/log/messages, in /etc/syslog.conf. The default is:

    *.*;mail.none;news.none         -/var/log/messages

meaning everything except mail and news logs. I changed it to:

    *.*;kern.none;mail.none;news.none;\
    local0,local1,local2,local3,\
    local4,local5,local6,local7.none;       -/var/log/messages

This removes, mainly, kernel messages (firewall included). Then I add:

    kern.*                  -/var/log/kernel

Or comment it out, depends on you - it can be huge sometimes; the firewall entries will go to '/var/log/warn' anyways.

    local0,local1.*         -/var/log/localmessages
    local2,local3.*         -/var/log/localmessages
    local4,local5.*         -/var/log/localmessages
    local6,local7.*         -/var/log/localmessages

Of course, then I have to configure logrotate to take care of new log files; but the result is a smaller '/var/log/messages' file.

More info in man syslog.conf(5)

-- 
Cheers,
Carlos Robinson

I should probably integrate this with /etc/sysconfig/scripts/SuSEfirewall2-custom, but I use the following to discard some of the uninteresting traffic prior to SuSEfirewall2 logging:

    #!/bin/sh -x
    # Flush the chain if it already exists, then create it if it does not.
    iptables -F msrpc
    iptables -N msrpc
    # Silently drop the listed TCP ports (no LOG rule, so nothing reaches syslog).
    iptables -A msrpc -p tcp -m tcp --dport 135 -j DROP
    iptables -A msrpc -p tcp -m tcp --dport 136 -j DROP
    iptables -A msrpc -p tcp -m tcp --dport 137 -j DROP
    iptables -A msrpc -p tcp -m tcp --dport 138 -j DROP
    iptables -A msrpc -p tcp -m tcp --dport 139 -j DROP
    iptables -A msrpc -p tcp -m tcp --dport 445 -j DROP
    iptables -A msrpc -p tcp -m tcp --dport 593 -j DROP
    # Insert at the top of INPUT so eth0 traffic hits this chain first.
    iptables -I INPUT -i eth0 -j msrpc

participants (4)
- Bruce Marshall
- Carlos E. R.
- Gary Gapinski
- Tom Nielsen