On Sunday 2006-01-15 at 10:21 +0200, RutePoint wrote:
> As I'm in the process of doing numerous things on my system, one thing has been bothering me for quite a while, that is having fw event records in /var/log/messages.
> Personally I think those should go into their own fw log, /var/log/firewall.log.
Me too; I have it working.
> So I tried to do the following:
> 1- in /etc/sysconfig/SuSEFirewall2 I edited the FW_LOG parameter to add SuSE_FW
I didn't touch that, I left it at the default (SuSE 9.3 here).
> 2- in both /etc/syslog-ng/syslog-ng.conf and /etc/syslog-ng/syslog-ng.conf.in
No, you don't edit both. You edit only syslog-ng.conf.in, then run:

  SuSEconfig --module syslog-ng
  rcsyslog reload
> I edited the following to such:
>
>   filter f_iptables { facility(kern) and match("SuSE_FW"); };
>   destination firewall { file("/var/log/firewall.log"); };
>   log { source(src); filter(f_iptables); destination(firewall); flags(final); };
I have (mind: your MUA may wrap long lines):

  filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };
  filter f_console { level(warn) and facility(kern) and not filter(f_iptables)
                     or level(err) and not facility(authpriv); };

  # edit this to your liking:
  filter f_messages { not facility(news, mail) and not filter(f_iptables)
                      and not filter(f_local) and not facility(kern)
                      and not facility(authpriv); }; #Cer

  filter f_warn { level(warn, err, crit) and not filter(f_iptables); };

  #
  # Firewall (iptables) messages in one file:
  #
  destination firewall { file("/var/log/firewall"); };
  log { source(src); filter(f_iptables); destination(firewall); };

  #
  # All messages except iptables and the facilities news and mail:
  #
  destination messages { file("/var/log/messages"); };
  log { source(src); filter(f_messages); destination(messages); };

  #
  # Warnings (except iptables) in one file:
  #
  destination warn { file("/var/log/warn" fsync(yes)); };
  log { source(src); filter(f_warn); destination(warn); };
> 3- I edited /etc/syslog.conf to the following:

No, you are using syslog-ng, that file is not used.
> Another question is: what is your opinion on the best way to get the firewall to log directly to MySQL?
Slower, probably, for a server.

Cheers,
Carlos.
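The filter Carlos posts, facility(kern) and match("IN=") and match("OUT="), is the part worth checking before reloading syslog-ng, because a filter that is too loose drags kernel noise into the firewall file and one that is too tight leaves drops in /var/log/messages. The script below is an added example, not code from the thread or from SuSE: it emulates that filter in plain sh over a handful of constructed log lines (the SFW2- prefix mirrors SuSEfirewall2 output, but every host, address and port is made up) and shows how many lines each of the two log{} statements would receive. Carrying the facility as a "facility|message" prefix is an assumption of the example, since the facility is not visible in the text of a syslog line.

```sh
#!/bin/sh
# Added example, not from the original thread: emulate the syslog-ng filter
#     filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };
# over constructed log lines to see which would be routed to the firewall
# destination and which would stay in /var/log/messages.
# The "facility|message" prefix is an assumption of this example (the facility
# is not part of the message text); hosts, addresses and ports are made up.

SAMPLE_LOG='kern|Jan 15 10:21:03 host kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=22
kern|Jan 15 10:21:04 host kernel: SFW2-OUT-ACC IN= OUT=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=80
kern|Jan 15 10:21:05 host kernel: usb 1-1: new full speed USB device using uhci_hcd
daemon|Jan 15 10:21:06 host sshd[1234]: Accepted publickey for carlos from 192.0.2.7 port 4444 ssh2
auth|Jan 15 10:21:07 host su: IN=fake OUT=fake looks like a firewall line but is not from the kernel'

# is_fw_line FACILITY MESSAGE
# Succeeds when the line satisfies f_iptables: kernel facility and both the
# "IN=" and "OUT=" substrings present. syslog-ng's match() is a regex on the
# message text; for these two literals a substring test is equivalent.
is_fw_line() {
    fac=$1
    msg=$2
    [ "$fac" = kern ] || return 1
    case $msg in
        *IN=*OUT=*|*OUT=*IN=*) return 0 ;;
    esac
    return 1
}

# count_routed
# Runs every sample line through the filter and prints "<firewall> <messages>":
# how many lines the firewall log{} statement would deliver and how many are
# left for f_messages, which excludes whatever f_iptables matched.
count_routed() {
    fw=0
    other=0
    while IFS='|' read -r fac msg; do
        if is_fw_line "$fac" "$msg"; then
            fw=$((fw + 1))
        else
            other=$((other + 1))
        fi
    done <<EOF
$SAMPLE_LOG
EOF
    echo "$fw $other"
}

# Stand-alone run: show the split (2 firewall lines, 3 for /var/log/messages).
count_routed
```

The last sample line is the reason the facility(kern) term matters: a userland message that happens to contain IN= and OUT= must not end up in the firewall file, and a match("IN=") alone would put it there. Once the real syslog-ng.conf.in has been regenerated, newer syslog-ng releases can also be asked to check the configuration without starting (syslog-ng -s, i.e. --syntax-only) before rcsyslog reload.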