Re: Problem with logging firewall packets
On Fri, 25 May 2001, Paul Dossett wrote:

> Okay, I'm *really* embarrassed about this, but I can't get syslog to log firewall packets to a logfile - it insists on sending them to my Debian box's console. I've checked the /etc/syslog.conf file and there's no mention of a console there at all, so what am I doing wrong? The crappy ipchains test script I've rigged is working, a grc.com scan is being blocked in all the right ways, but I just can't get the logs on magnetic media... what really simple, obvious, even-a-redheaded-stepchild-could-work-it-out step am I missing?

Is klogd running? You need that, for syslog to be able to log kernel messages such as ipchains logs.

I have the very same problem with iptables, but not with ipchains. On the simple ipchains-based firewall I set up for my institute, a debian potato box with a handful of packages recompiled from sid, I use the spf (stateful packet filter) package to handle firewalling rules, and syslog-ng to handle the logging, and I could easily direct ipchains log messages to specific log files. I was never able to do the same with iptables, however. Logs from iptables are indeed recorded in the logs, but they also *always* turn up on whatever console I am using. The kernel log daemon is running, everything appears to be working, where is the catch?

Bye
Giacomo

Giacomo Mulas [EMAIL PROTECTED], [EMAIL PROTECTED]
OSSERVATORIO ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel.: +39 070 71180 216 Fax : +39 070 71180 222
When the storms are raging around you, stay right where you are (Freddy Mercury)

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

RE: Problem with logging firewall packets
Hello,

#
# LOG level option. NOTE klogd reflects these values for console broadcast
# Simply start klogd with -c 4 to ONLY display errors and above on the console.
LOG_LEVEL=notice
#define KERN_EMERG    0 /* system is unusable */
#define KERN_ALERT    1 /* action must be taken immediately */
#define KERN_CRIT     2 /* critical conditions */
#define KERN_ERR      3 /* error conditions */
#define KERN_WARNING  4 /* warning conditions */
#define KERN_NOTICE   5 /* normal but significant condition */
#define KERN_INFO     6 /* informational */
#define KERN_DEBUG    7 /* debug-level messages */
#

-----Original Message-----
From: Giacomo Mulas [mailto:[EMAIL PROTECTED]]On Behalf Of Giacomo Mulas
Sent: Friday, May 25, 2001 3:43 AM
To: [EMAIL PROTECTED]
Subject: Re: Problem with logging firewall packets

On Fri, 25 May 2001, Paul Dossett wrote:

> Okay, I'm *really* embarrassed about this, but I can't get syslog to log firewall packets to a logfile - it insists on sending them to my Debian box's console. I've checked the /etc/syslog.conf file and there's no mention of a console there at all, so what am I doing wrong? The crappy ipchains test script I've rigged is working, a grc.com scan is being blocked in all the right ways, but I just can't get the logs on magnetic media... what really simple, obvious, even-a-redheaded-stepchild-could-work-it-out step am I missing?

Is klogd running? You need that, for syslog to be able to log kernel messages such as ipchains logs.

I have the very same problem with iptables, but not with ipchains. On the simple ipchains-based firewall I set up for my institute, a debian potato box with a handful of packages recompiled from sid, I use the spf (stateful packet filter) package to handle firewalling rules, and syslog-ng to handle the logging, and I could easily direct ipchains log messages to specific log files. I was never able to do the same with iptables, however. Logs from iptables are indeed recorded in the logs, but they also *always* turn up on whatever console I am using. The kernel log daemon is running, everything appears to be working, where is the catch?

Bye
Giacomo

Giacomo Mulas [EMAIL PROTECTED], [EMAIL PROTECTED]
OSSERVATORIO ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel.: +39 070 71180 216 Fax : +39 070 71180 222
When the storms are raging around you, stay right where you are (Freddy Mercury)

Re: Problem with logging firewall packets
On Friday 25 May 2001 8:42 am, Giacomo Mulas wrote:

> iptables, however. Logs from iptables are indeed recorded in the logs, but they also *always* turn up on whatever console I am using. The kernel log

Check /etc/syslog.conf for anything directing messages to /dev/console or /dev/tty0 and comment out the lines if you don't want them. Some systems (potato? I can't remember what it did, I'm using woody) direct all kernel messages to the console as that usually means a small number of important messages only. Firewall logging creates an exception to that rule. You can probably put a filter in syslog.conf that will just exclude firewall logs from the console by some characteristic like their (presumably) low priority, but I don't know how. Commenting out the lines is a workaround.

--
Chris Boyle - Winchester College - http://archives.wincoll.ac.uk/
For my PGP key visit: http://archives.wincoll.ac.uk/finger.php?q=chrisb

RE: Problem with logging firewall packets
Hello,

Make sure you have klogd and syslogd running.

Ed

-----Original Message-----
From: Paul Dossett [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 24, 2001 12:00 PM
To: [EMAIL PROTECTED]
Subject: Problem with logging firewall packets

Hi guys/gals,

Okay, I'm *really* embarrassed about this, but I can't get syslog to log firewall packets to a logfile - it insists on sending them to my Debian box's console. I've checked the /etc/syslog.conf file and there's no mention of a console there at all, so what am I doing wrong? The crappy ipchains test script I've rigged is working, a grc.com scan is being blocked in all the right ways, but I just can't get the logs on magnetic media... what really simple, obvious, even-a-redheaded-stepchild-could-work-it-out step am I missing?

Thanks...

Paul D
-crap-

Re: Problem with logging firewall packets
I'm running Progeny, and had to go to Debian's testing distro to get klogd, but that doesn't seem to do anything... still investigating. Both syslogd and klogd are running, according to top.. :)

Any more ideas? I'm really stumped. This worked fine under Red Hat.

ppp

----- Original Message -----
From: Ed Street [EMAIL PROTECTED]
To: Paul Dossett [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, May 25, 2001 2:17 AM
Subject: RE: Problem with logging firewall packets

Hello,

Make sure you have klogd and syslogd running.

Ed

-----Original Message-----
From: Paul Dossett [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 24, 2001 12:00 PM
To: [EMAIL PROTECTED]
Subject: Problem with logging firewall packets

Hi guys/gals,

Okay, I'm *really* embarrassed about this, but I can't get syslog to log firewall packets to a logfile - it insists on sending them to my Debian box's console. I've checked the /etc/syslog.conf file and there's no mention of a console there at all, so what am I doing wrong? The crappy ipchains test script I've rigged is working, a grc.com scan is being blocked in all the right ways, but I just can't get the logs on magnetic media... what really simple, obvious, even-a-redheaded-stepchild-could-work-it-out step am I missing?

Thanks...

Paul D
-crap-

Re: Problem with logging firewall packets
----- Original Message -----
From: Ronny Adsetts [EMAIL PROTECTED]
To: Paul Dossett [EMAIL PROTECTED]
Sent: Friday, May 25, 2001 2:27 AM
Subject: RE: Problem with logging firewall packets

> > Okay, I'm *really* embarrassed about this, but I can't get syslog to log firewall packets to a logfile - it insists on sending them to my Debian box's console. I've checked the /etc/syslog.conf file and there's no mention of a console there at all, so what am I doing wrong? The crappy ipchains test script I've rigged is working, a grc.com scan is being blocked in all the right ways, but I just can't get the logs on magnetic media... what really simple, obvious, even-a-redheaded-stepchild-could-work-it-out step am I missing?
>
> Probably klogd is missing. try:
>
> # apt-get update && apt-get install klogd

It was installed, but the kicker was that something seemed to be wrong with the init script, the syslogd and klogd daemons weren't restarting when I executed their scripts, so the changes I made in the syslog.conf file were being ignored.

Manually killing the processes and restarting them worked, and logging is back... thanks all! Hopefully I can return the favour for some *other* foolish newbie... ;)

ppp

Re: Problem with logging firewall packets
Haven't seen this before, but a workaround could be to just have syslog-ng read from /proc/kmsg; it does the same thing as klogd would do.

On Fri, 25 May 2001, Paul Dossett wrote:

> I'm running Progeny, and had to go to Debian's testing distro to get klogd, but that doesn't seem to do anything... still investigating. Both syslogd and klogd are running, according to top.. :)
>
> Any more ideas? I'm really stumped. This worked fine under Red Hat.
>
> ppp
>
> ----- Original Message -----
> From: Ed Street [EMAIL PROTECTED]
> To: Paul Dossett [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Friday, May 25, 2001 2:17 AM
> Subject: RE: Problem with logging firewall packets
>
> Hello,
>
> Make sure you have klogd and syslogd running.
>
> Ed
>
> -----Original Message-----
> From: Paul Dossett [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 24, 2001 12:00 PM
> To: [EMAIL PROTECTED]
> Subject: Problem with logging firewall packets
>
> Hi guys/gals,
>
> Okay, I'm *really* embarrassed about this, but I can't get syslog to log firewall packets to a logfile - it insists on sending them to my Debian box's console. I've checked the /etc/syslog.conf file and there's no mention of a console there at all, so what am I doing wrong? The crappy ipchains test script I've rigged is working, a grc.com scan is being blocked in all the right ways, but I just can't get the logs on magnetic media... what really simple, obvious, even-a-redheaded-stepchild-could-work-it-out step am I missing?
>
> Thanks...
>
> Paul D
> -crap-

RE: Problem with logging firewall packets
Hello,

OK what's being logged to console? Under iptables it WILL log warnings + to console unless you modify /etc/init.d/klogd.

This is a clip from my rc.firewall.iptables btw

#
# LOG level option. NOTE klogd reflects these values for console broadcast
# Simply start klogd with -c 4 to ONLY display errors and above on the console.
LOG_LEVEL=notice
#define KERN_EMERG    0 /* system is unusable */
#define KERN_ALERT    1 /* action must be taken immediately */
#define KERN_CRIT     2 /* critical conditions */
#define KERN_ERR      3 /* error conditions */
#define KERN_WARNING  4 /* warning conditions */
#define KERN_NOTICE   5 /* normal but significant condition */
#define KERN_INFO     6 /* informational */
#define KERN_DEBUG    7 /* debug-level messages */
#

Ed

-----Original Message-----
From: Paul Dossett [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 24, 2001 12:24 PM
To: Ed Street; debian-security@lists.debian.org
Subject: Re: Problem with logging firewall packets

I'm running Progeny, and had to go to Debian's testing distro to get klogd, but that doesn't seem to do anything... still investigating. Both syslogd and klogd are running, according to top.. :)

Any more ideas? I'm really stumped. This worked fine under Red Hat.

ppp

----- Original Message -----
From: Ed Street [EMAIL PROTECTED]
To: Paul Dossett [EMAIL PROTECTED]; debian-security@lists.debian.org
Sent: Friday, May 25, 2001 2:17 AM
Subject: RE: Problem with logging firewall packets

Hello,

Make sure you have klogd and syslogd running.

Ed

-----Original Message-----
From: Paul Dossett [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 24, 2001 12:00 PM
To: debian-security@lists.debian.org
Subject: Problem with logging firewall packets

Hi guys/gals,

Okay, I'm *really* embarrassed about this, but I can't get syslog to log firewall packets to a logfile - it insists on sending them to my Debian box's console. I've checked the /etc/syslog.conf file and there's no mention of a console there at all, so what am I doing wrong? The crappy ipchains test script I've rigged is working, a grc.com scan is being blocked in all the right ways, but I just can't get the logs on magnetic media... what really simple, obvious, even-a-redheaded-stepchild-could-work-it-out step am I missing?

Thanks...

Paul D
-crap-

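An added example, not code from any poster in this thread: a small Python model of the two separate paths discussed above, the kernel's own console output governed by the level that `klogd -c N` sets (Ed's note) and syslogd's selector matching in syslog.conf (the filter Chris Boyle mentions). The sample records, the `FW-DROP` prefix, the rule set and the log file path are constructed for illustration; the debug-level firewall record assumes the rule was written with `--log-level debug`.

```python
import re

# Kernel priorities in the order of the KERN_* table quoted in the thread.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL = {name: num for num, name in enumerate(PRIORITIES)}
KMSG_RE = re.compile(r"^<([0-7])>(.*)$")


def parse_kmsg(line):
    """Split a classic /proc/kmsg record '<N>text' into (level, text)."""
    m = KMSG_RE.match(line)
    if m is None:
        raise ValueError("no <N> priority prefix: %r" % line)
    return int(m.group(1)), m.group(2)


def kernel_prints_to_console(level, console_loglevel):
    """Kernel path: printed only if level is numerically below console_loglevel,
    the value 'klogd -c N' sets. syslog.conf plays no part in this decision."""
    return level < console_loglevel


def selector_matches(selector, facility, level):
    """Evaluate a sysklogd selector such as 'kern.*;kern.!=debug'.
    Clauses apply left to right, so a later '!' or 'none' clause takes back
    what an earlier clause matched. Comma-separated lists are not handled."""
    matched = False
    for clause in selector.split(";"):
        fac, _, prio = clause.strip().partition(".")
        if fac not in ("*", facility):
            continue
        negate = prio.startswith("!")
        prio = prio.lstrip("!")
        exact = prio.startswith("=")
        prio = prio.lstrip("=")
        # Hit on '*', on the exact level, or (without '=') on anything more severe.
        if prio == "none":
            matched = negate
        elif prio == "*" or level == LEVEL[prio] or (not exact and level < LEVEL[prio]):
            matched = not negate  # clause hit: set the match, or clear it for '!'
    return matched


# Constructed records: firewall lines at warning (4) and debug (7), plus a driver error (3).
SAMPLE = [
    "<4>FW-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP DPT=23",
    "<7>FW-DROP IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 PROTO=TCP DPT=139",
    "<3>eth0: transmit timed out",
]
# Hypothetical syslog.conf rules as (selector, destination) pairs.
RULES = [
    ("kern.=debug", "/var/log/firewall.log"),
    ("kern.*;kern.!=debug", "/dev/console"),
]


def route(lines, console_loglevel, rules):
    """Return {destination: [texts]}; 'printk' is the kernel's own console path."""
    out = {"printk": []}
    for _, dest in rules:
        out.setdefault(dest, [])
    for line in lines:
        level, text = parse_kmsg(line)
        if kernel_prints_to_console(level, console_loglevel):
            out["printk"].append(text)
        for selector, dest in rules:
            if selector_matches(selector, "kern", level):
                out[dest].append(text)
    return out


if __name__ == "__main__":
    for n in (7, 4):
        print(n, route(SAMPLE, n, RULES))
```

With a console level of 4 only the driver error reaches the console through the kernel path, while the debug-level firewall record goes to the file alone.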