Mailinglist Archive: opensuse-security (601 mails)

Re: [suse-security] /var/log/{messages,firewall,warn}
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Wed, 2 Aug 2000 03:29:07 +0200 (MEST)
  • Message-id: <Pine.LNX.4.21.0008020309530.1292-100000@xxxxxxxxxxxx>
On Tue, 1 Aug 2000, Steffen Dettmer wrote:
> * Jason P. Stanford wrote on Tue, Aug 01, 2000 at 11:35 -0700:
> > especially due to web traffic to the machine (a lot of
> > ALLOW's). Can I change a config to prevent firewall from making
> > duplicate entries to /var/log/messages?
>
> That's not possible (at least with ipchains). You should check
> your configuration and environment; it's bad if you get lots of
> prohibited connection attempts. You have to reduce it, otherwise
> your logging makes no sense, since you will never be able to read
> the logs!
>
> If you have "expected" denies, insert a rule that rejects/denies
> those packets without logging.

The problem is that these logs "from" ipchains actually come from the
kernel; ipchains is only used to feed the rules into the kernel. Messages
from the kernel are being read by klogd from /proc/kmsg and then forwarded
to syslogd. Here's your chance to get hold of the logs: change the
/etc/syslog.conf to reflect the facility kernel _only_ in the firewall log
(which is actually the kernel log). This can be done by changing the line

*.*;mail.none;news.none -/var/log/messages

to

*.*;mail.none;news.none;kern.none -/var/log/messages

I bet the last line reads
kern.* /var/log/firewall

:-)

> > Also, scanlogd does not seem to log any scannings except for those from
> > localhost (127.0.0.1).
>
> Here it works...
>

Same here.
[...]

Regards,
Roman.
--
- -
| Roman Drahtmüller <draht@xxxxxxx>        // "Caution: Cape does            |
| SuSE GmbH - Security          Phone:     // not enable user to fly."       |
| Nürnberg, Germany       +49-911-740530   // (Batman Costume warning label) |
- -
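The routing change described in Roman's reply, as an added example that is not part of the original mail or of syslogd itself: a small evaluator for classic syslog.conf selectors, run over the two lines from the mail before and after `kern.none` is added. The config fragments and the `kern.info` sample message are constructed for the demonstration.

```python
"""Evaluator for classic syslog.conf selectors (added example, not syslogd code).

A selector is `facility.priority`; several are joined with `;`, later ones
override earlier ones for the facilities they name, `none` excludes a facility,
`*` keeps all priorities, any other priority means that level or more severe.
The `=` and `!` modifiers of Linux sysklogd are not modelled.
"""

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]


def parse_selector(selector: str) -> dict:
    """Map facility -> lowest priority index it logs at (None = excluded)."""
    rule = {}
    for part in selector.split(";"):
        facs, prio = part.split(".")
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            rule[fac] = None if prio == "none" else (0 if prio == "*" else PRIORITIES.index(prio))
    return rule


def route(conf: str, facility: str, priority: str) -> list:
    """Return the targets a (facility, priority) message reaches under `conf`."""
    targets = []
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        selector, target = line.split()
        threshold = parse_selector(selector).get(facility)
        if threshold is not None and PRIORITIES.index(priority) >= threshold:
            targets.append(target.lstrip("-"))  # a leading '-' only means "no fsync"
    return targets


# Constructed syslog.conf fragments: the two lines from the mail, before and after.
BEFORE = """\
*.*;mail.none;news.none    -/var/log/messages
kern.*                     /var/log/firewall
"""
AFTER = """\
*.*;mail.none;news.none;kern.none    -/var/log/messages
kern.*                               /var/log/firewall
"""

if __name__ == "__main__":
    # A kernel message (e.g. an ipchains log line) is written twice before, once after.
    print(route(BEFORE, "kern", "info"))  # ['/var/log/messages', '/var/log/firewall']
    print(route(AFTER, "kern", "info"))   # ['/var/log/firewall']
```

Non-kernel messages are unaffected by the change: `daemon.err` still reaches only /var/log/messages under both fragments.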
