I wonder if it wouldn't be better to rename /var/log/firewall into
/var/log/arno-iptables-firewall (or something else less general). Not

That's possible, and it did occur to me. An additional enhancement might be to put a common string ("arno:"?) at the front of the 'prefix' in the iptables LOG statements, and alter the rsyslogd rule to then match this, so that user-generated or local custom iptables LOG rules don't get swallowed by the pattern-match.

The attached alternative rsyslogd config fragment should also hopefully cause a bit less CPU usage in rsyslogd, as the first thing it does is to eliminate all non-kernel messages (as opposed to the earlier version, which carries out a regex match on all messages received by syslog).

If you add this, then I'd guess an extra comment where the chosen kernel log level is set, i.e.

/etc/arno-iptables-firewall/firewall.conf:LOGLEVEL="info"

to the effect that changes to this should be accompanied by a change to /etc/rsyslog.d/arno-iptables-firewall.conf

Tim.
--- /dev/null   2008-10-18 15:24:00.515817246 +0100
+++ /etc/rsyslog.d/arno-iptables-firewall.conf  2008-10-23 16:52:26.000000000 
+0100
@@ -0,0 +1,11 @@
+# Log firewall messages to /var/log/firewall (asynchronously), and then drop
+# them so that they aren't logged again elsewhere.
+
+if $syslogfacility-text == 'kern' \
+and $syslogpriority-text == 'info' \
+and $msg contains 'IN=' \
+and $msg contains 'OUT=' \
+and $msg contains 'SRC=' \
+and $msg contains 'DST=' \
+and $msg contains 'LEN=' then -/var/log/firewall
+& ~
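Review bot: the match condition in this hunk (`$syslogfacility-text == 'kern'` through `$msg contains 'LEN='`) cannot tell Arno's LOG rules apart from any other iptables LOG rule on the host, because IN=, OUT=, SRC=, DST= and LEN= appear in every netfilter LOG message, and the trailing `& ~` then discards whatever matched, so a locally added LOG rule would be written to /var/log/firewall and vanish from the other logs. The distinguishing `--log-prefix` floated in the reply (e.g. 'arno:'), matched here with an extra `and $msg contains 'arno:'`, would close that hole. Pinning `$syslogpriority-text == 'info'` also ties the fragment to LOGLEVEL="info" in firewall.conf, as the reply notes; keying on the prefix and dropping the priority test would remove the coupling instead of merely documenting it. The header comment should also spell out that the leading `-` in `-/var/log/firewall` turns off rsyslog's sync after each write (that is what "asynchronously" refers to), so the last few buffered lines can be lost if the host crashes.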

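The filter logic from the attached fragment, replayed in Python over a few constructed kernel log lines, as an added example that is not part of this thread or of arno-iptables-firewall. It shows that the condition as posted captures, and via `& ~` swallows, any netfilter LOG output arriving at kern.info, and contrasts it with a variant keyed on the 'arno:' prefix suggested above. The sample messages, the 'local-audit:' prefix of the hypothetical custom rule and the 'arno:' prefix itself are assumptions; the IN=/OUT=/SRC=/DST=/LEN= layout follows the standard netfilter LOG target output.

```python
"""Replay the rsyslog filter from the attached fragment over constructed
kernel log lines to see what it captures and what it swallows.

Added example, not code from the thread or from arno-iptables-firewall.
Assumptions: all message texts below are constructed, and "arno:" is the
hypothetical --log-prefix floated in the reply, not one the project emits.
"""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Fields the fragment tests for; every netfilter LOG message carries them.
REQUIRED_TOKENS = ("IN=", "OUT=", "SRC=", "DST=", "LEN=")


@dataclass(frozen=True)
class SyslogMsg:
    facility: str  # rsyslog $syslogfacility-text, e.g. "kern"
    priority: str  # rsyslog $syslogpriority-text, e.g. "info"
    msg: str       # rsyslog $msg


def matches_posted_filter(m: SyslogMsg) -> bool:
    """The condition exactly as in the patch: kern.info plus the five fields.
    It cannot tell Arno's LOG rules apart from any other iptables LOG rule."""
    return (m.facility == "kern" and m.priority == "info"
            and all(tok in m.msg for tok in REQUIRED_TOKENS))


def matches_prefixed_filter(m: SyslogMsg, prefix: str = "arno:") -> bool:
    """Variant following the reply: key on a distinguishing --log-prefix and
    do not pin the priority, so changing LOGLEVEL in firewall.conf does not
    silently stop messages from reaching /var/log/firewall."""
    return (m.facility == "kern" and prefix in m.msg
            and all(tok in m.msg for tok in REQUIRED_TOKENS))


_NF_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_netfilter_fields(msg: str) -> dict:
    """Pull KEY=VALUE pairs out of a netfilter LOG line (OUT= may be empty)."""
    return dict(_NF_FIELD.findall(msg))


def route(messages: Iterable[SyslogMsg],
          filt: Callable[[SyslogMsg], bool]) -> Tuple[List[SyslogMsg], List[SyslogMsg]]:
    """Split messages the way the fragment does: matches go to the firewall
    log and are then discarded ('& ~'); the rest continue to later rules."""
    firewall_log, passed_on = [], []
    for m in messages:
        (firewall_log if filt(m) else passed_on).append(m)
    return firewall_log, passed_on


# Constructed samples; addresses are from the RFC 5737 documentation ranges.
SAMPLES = [
    # An Arno drop at the default LOGLEVEL="info".
    SyslogMsg("kern", "info",
              "arno: Dropped INPUT packet: IN=eth0 OUT= "
              "SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 "
              "ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0"),
    # A local custom LOG rule with its own prefix: the posted filter swallows it.
    SyslogMsg("kern", "info",
              "local-audit: IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=328 "
              "TOS=0x00 PREC=0x00 TTL=64 ID=12345 PROTO=UDP SPT=68 DPT=67"),
    # The same Arno rule after LOGLEVEL is changed to "warning": posted filter misses it.
    SyslogMsg("kern", "warning",
              "arno: Dropped INPUT packet: IN=eth0 OUT= "
              "SRC=203.0.113.9 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=5555 DPT=23"),
    # Ordinary kernel chatter: neither filter should touch it.
    SyslogMsg("kern", "info", "eth0: link up, 1000 Mbps, full duplex"),
    # Non-kernel message that happens to contain the tokens: excluded by facility.
    SyslogMsg("daemon", "info", "replaying IN=a OUT=b SRC=c DST=d LEN=0 from cache"),
]


if __name__ == "__main__":
    for name, filt in (("posted", matches_posted_filter),
                       ("prefixed", matches_prefixed_filter)):
        fw, rest = route(SAMPLES, filt)
        print(f"{name} filter: {len(fw)} to /var/log/firewall, {len(rest)} passed on")
        for m in fw:
            f = parse_netfilter_fields(m.msg)
            print(f"  {m.priority:8} {f.get('SRC')} -> {f.get('DST')}:{f.get('DPT')}")
```

Run as a script it prints the split for both filters; the point to notice is that the posted filter captures the 'local-audit:' line and misses the 'warning' line, while the prefixed variant does the opposite.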