On Mon, 2010-11-01 at 12:04 +0000, davidMbrooke wrote:
> On Mon, 2010-11-01 at 12:36 +0100, KP Kirchdoerfer wrote:
> > Hi;
> > 
> > I looked into shorewall logging and saw that ulogd is completely broken...
> > So for the near future we should go with syslog-ng and may decide later if 
> > ulogd is worth the effort.
> > 
> > On Monday, 1 November 2010, 12:24:15, davidMbrooke wrote:
> > > Hi,
> > > 
> > > We need to make another decision about Shorewall / Shorewall6 logging of
> > > "DROP" and "REJECT" messages:
> > >    - Should both sets of messages go to /var/log/shorewall.log ?
> > >    - Should IPv4 messages go to /var/log/shorewall.log and IPv6 messages
> > > to /var/log/shorewall6.log ?
> > 
> > > I currently favour the second option, for consistency with the -init.log
> > > files and in case we want to process the logfiles in some way.
> > > Thoughts?
> > 
> > of course they should be separated.
> > 
> > > 
> > > Both Shorewall and Shorewall6 specify LOGFORMAT="Shorewall:%s:%s:" in
> > > e.g. /etc/shorewall/shorewall.conf so simply matching on "Shorewall" is
> > > not enough to separate out the logs, and it is not possible (or at least
> > > not easy) to change Shorewall6 to specify LOGFORMAT="Shorewall6:%s:%s:"
> > > because that makes the log string too long... I tried that and got an
> > > error.
> > > 
> > > I do have a working syslog-ng configuration that checks the format of
> > > the SRC= address and sends IPv4 logs to /var/log/shorewall.log and IPv6
> > > logs to /var/log/shorewall.log. I think if we do that it still gives
> > > the option to use ulogd instead (with ULOG in the Shorewall(6) config
> > > files). Seems like a good compromise to me.
> > 
> > Yes;
> > 
> > as soon as I have your syslog-ng.conf to test I will change shorewall
> > patches to use INFO instead of "ULOG".
> > 
> > kp
> > 
> 
> Thanks kp. Revised syslog-ng.conf file now in CVS at
> source/etc/syslog-ng.conf
> 
> Right now the shorwall.lrp help text declares that ulogd.lrp is
> "Required". Perhaps amend that too?
> 
> dMb

My final annoyance is that I am still getting iptables log messages
on /dev/console, which is quite a problem when editing files on the
console (rather than over an SSH connection). This can be fixed with an
update to the "kernel.printk" setting in /etc/sysctl.conf as per
http://www.shorewall.net/FAQ.htm#faq16

This setting affects all kernel messages, not just iptables, though
higher priority messages (e.g. crit) will still get through. I propose
to change the default setting in /etc/sysctl.conf if nobody has a
serious objection (currently: 7 4 1 7, proposed: 4 4 1 7). Users can
always adjust it themselves (lrcfg option 2.11).

dMb
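
The SRC=-based split described in the quoted message, sketched in Python as an added example (this is not the syslog-ng.conf from CVS, which is not shown on this page). The function names and the sample log lines are constructed for illustration; the two destination paths are the ones proposed in the thread.

```python
import ipaddress
import re

V4_LOG = "/var/log/shorewall.log"    # IPv4 destination proposed in the thread
V6_LOG = "/var/log/shorewall6.log"   # IPv6 destination proposed in the thread

# Both firewalls use LOGFORMAT="Shorewall:%s:%s:", so the prefix only says
# "this is a Shorewall message", not which address family produced it.
PREFIX_RE = re.compile(r"Shorewall:[^:\s]*:[^:\s]*:")
SRC_RE = re.compile(r"\bSRC=(\S+)")

def route(line):
    """Return the log file a line belongs in, or None to leave it alone."""
    if not PREFIX_RE.search(line):
        return None                  # not a Shorewall/Shorewall6 message
    m = SRC_RE.search(line)
    if not m:
        return None                  # no SRC= field to classify on
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None                  # malformed address: do not guess
    return V6_LOG if addr.version == 6 else V4_LOG

def split(lines):
    """Group lines by destination; key None holds everything unrouted."""
    out = {V4_LOG: [], V6_LOG: [], None: []}
    for line in lines:
        out[route(line)].append(line)
    return out

# Constructed sample input (documentation addresses, hypothetical host "fw").
SAMPLE = [
    "Nov  1 12:00:01 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= "
    "SRC=192.0.2.10 DST=198.51.100.1 LEN=40 PROTO=TCP SPT=4000 DPT=23",
    "Nov  1 12:00:02 fw kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= "
    "SRC=2001:0db8:0000:0000:0000:0000:0000:0010 "
    "DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=60 PROTO=TCP DPT=22",
    "Nov  1 12:00:03 fw kernel: eth0: link up",
    "Nov  1 12:00:04 fw kernel: Shorewall:net2fw:DROP:IN=eth0 SRC=999.1.1.1",
]

if __name__ == "__main__":
    for dest, lines in split(SAMPLE).items():
        print(dest, len(lines))
```
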




_______________________________________________
leaf-devel mailing list
leaf-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-devel
