Iptables logging, separating and sorting logs (syslog-ng)
Anyone who works with logs has sooner or later needed to separate the output of different daemons into individual files and to log what iptables does. In this article we set up syslog-ng, a system logger, to do exactly that. Log files will be separated by service (DNS daemon, DHCP daemon, ...), iptables logged actions will get their own file, and everything will be sorted by month and year.
How to log iptables?
In the chain where you want to log, for example, dropped packets, append a logging rule at the very end of the chain. This works because the INPUT chain here has the default policy DROP: any packet that reaches the end of the chain without being accepted is about to be dropped, so a LOG rule in last position logs exactly the dropped traffic. If you don't want to drive your router/server crazy, rate-limit the logged packets.
# iptables -A INPUT -i eth0 -m limit --limit 5/hour --limit-burst 5 -j LOG --log-prefix "iptables: INPUT DROPPED "
-A INPUT ... append to the end of the INPUT chain
-i eth0 ... packets that came in through eth0 (for example the "internet" interface)
-m limit --limit 5/hour --limit-burst 5 ... match at most 5 packets per hour on average, with an initial burst of 5 packets; everything beyond that is not logged
-j LOG ... non-terminating target that writes the packet headers to the kernel log; processing continues, here with the chain's DROP policy
--log-prefix "text" ... prefix of the log line, at most 29 characters (IMPORTANT FOR LOG SORTING, see below)
Be careful when adding rules later: the rule that logs dropped packets in the INPUT chain must stay the last one, so add new rules with -I (insert) rather than -A, or keep the logging in a dedicated user-defined chain that you jump to. The text of the --log-prefix option is very important, because syslog-ng will use this text to separate the iptables lines into their own file.
Note: to test iptables logging you don't need to wait for dropped packets. For testing purposes you can log ICMP, for example, and then simply ping the router.
# iptables -I INPUT 1 -p icmp -j LOG --log-prefix "iptables: ICMP arrived "
-I INPUT 1 ... insert as rule number 1, i.e. at the top of the INPUT chain, so it sees ICMP before any rule that accepts or drops it
-p icmp ... protocol ICMP
-j LOG ... non-terminating target for writing to the log
--log-prefix "iptables: ICMP arrived " ... log prefix
After you have checked that logging works as you want, don't forget to delete this rule or rate-limit it with the limit module! The LOG target writes through the kernel log (facility kern, level warning by default), so the lines appear with the chosen prefix in the standard system log file /var/log/messages .
Searching for anything useful in that file is very hard, so we set up the system logger to separate the logs into individual files.
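Once the LOG lines are in a file, a small script makes them searchable. The following is an added example written for this article, not code from the original author: it assumes the default syslog line layout ("date host kernel: message", which is the same in /var/log/messages and in a separated iptables.log), the two-word --log-prefix convention "iptables: CHAIN VERDICT " used above, and the constructed sample lines embedded in SAMPLE (documentation addresses, no real traffic). It also handles the case where the kernel prepends a printk timestamp such as "[  812.345678]" to the message, which is exactly what defeats a regular expression anchored at "^iptables: ".

```python
"""Triage helper for iptables LOG lines as written by the system logger.

Added example, not code from the original article. Assumptions: the default
syslog line layout ("<date> <host> kernel: <message>", the same in
/var/log/messages and in a separated iptables.log) and the two-word
--log-prefix convention "iptables: <CHAIN> <VERDICT> " used in this article.
"""
import re
from collections import Counter

# "kernel: " header, an optional printk timestamp such as "[  812.345678] ",
# then our prefix followed by the packet fields.
LOG_RE = re.compile(
    r"kernel: (?:\[\s*\d+\.\d+\]\s*)?iptables: "
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines (not real traffic); documentation addresses only.
SAMPLE = [
    "Mar  3 10:22:33 router kernel: iptables: INPUT DROPPED IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 "
    "DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=12345 PROTO=TCP "
    "SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    # the kernel may prepend a printk timestamp; a regular expression
    # anchored at "^iptables: " would miss this line
    "Mar  3 10:22:34 router kernel: [  812.345678] iptables: INPUT DROPPED "
    "IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 "
    "ID=12346 DF PROTO=UDP SPT=53 DPT=53 LEN=40",
    "Mar  3 10:22:35 router kernel: iptables: INPUT DROPPED IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 "
    "DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=ICMP "
    "TYPE=8 CODE=0 ID=9 SEQ=1",
    "Mar  3 10:22:36 router sshd[2210]: Accepted publickey for admin "
    "from 192.0.2.10 port 50022 ssh2",
]


def parse_line(line):
    """Parse one iptables LOG line into a dict, or return None for other lines.

    KEY=VALUE tokens (IN, OUT, SRC, DST, PROTO, SPT, DPT, ...) become entries;
    a repeated key (the second LEN or ID of UDP/ICMP) overwrites the first.
    Bare flags such as SYN or DF are collected under "flags".
    """
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "verdict": m.group("verdict"), "flags": []}
    for token in m.group("fields").split():
        kv = KV_RE.fullmatch(token)
        if kv:
            rec[kv.group(1)] = kv.group(2)
        else:
            rec["flags"].append(token)
    return rec


def summarize(lines, top=5):
    """Return (top sources, top (SRC, PROTO, DPT) tuples) over the log lines."""
    by_src, by_target = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_src[rec.get("SRC", "?")] += 1
        by_target[(rec.get("SRC", "?"), rec.get("PROTO", "?"), rec.get("DPT", "-"))] += 1
    return by_src.most_common(top), by_target.most_common(top)


if __name__ == "__main__":
    srcs, targets = summarize(SAMPLE)
    for src, n in srcs:
        print(f"{n:5d}  {src}")
    for (src, proto, dpt), n in targets:
        print(f"{n:5d}  {src} {proto}/{dpt}")
```

Run it as `python3 triage.py < /var/log/messages` style by replacing SAMPLE with `sys.stdin`; the (SRC, PROTO, DPT) grouping is what usually shows a port scan or a misconfigured client at a glance.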
Separating and sorting logs
As mentioned, we use syslog-ng version 3 as the system logger. We will separate the logs of the DHCP, DNS, FTP and SSH daemons, of cron, iptables, syslog-ng itself, mail, user switching (su) and everything else, and we will sort them by month and year.
Install syslog-ng and make it start automatically at boot (Gentoo GNU/Linux syntax):
# emerge syslog-ng
# rc-update add syslog-ng default
The syslog-ng configuration file is /etc/syslog-ng/syslog-ng.conf and consists of a few parts.
For a complete reference of the configuration options see the configuration manual.
First, the general options:
@version: 3.0
options {
chain_hostnames(off);
log_msg_size(2048);
log_fifo_size(2048);
use_dns(no); #do not resolve source addresses to host names
use_fqdn(no); #do not use fully qualified domain names
flush_lines(0); #write every message to disk immediately
stats_freq(0); #disable the periodic statistics messages
create_dirs(yes); #allow syslog-ng to create missing directories (needed for the $YEAR/$MONTH paths below)
owner(root); #owner of files
group(adm); #group of files
perm(0640); #permissions for files
dir_owner(root); #owner of directories
dir_group(adm); #group of directories
dir_perm(0755); #permissions for directories
bad_hostname("^gconfd$");
};
Message source definitions (the source is named src and every log statement below refers to it):
source src {
internal(); #messages generated by syslog-ng itself
unix-stream("/dev/log" max-connections(256)); #standard system messages sent through the syslog() call
file("/proc/kmsg"); #kernel messages; the iptables LOG lines arrive through this source
};
Log destinations and log file paths:
Using the $YEAR and $MONTH macros in the file names ensures that the log files are separated by month and year; create_dirs(yes) in the options above is what lets syslog-ng create the year and month directories as needed.
destination d_syslog { file("/var/mojelogy/$YEAR/$MONTH/syslog.log"); }; #log for syslog-ng
destination d_messages { file("/var/mojelogy/$YEAR/$MONTH/messages.log"); }; #log for "any others"
destination d_iptables { file("/var/mojelogy/$YEAR/$MONTH/iptables.log"); }; #log for iptables
destination d_sshd { file("/var/mojelogy/$YEAR/$MONTH/sshd.log"); }; #log for SSH daemon (openssh)
destination d_dhcpd { file("/var/mojelogy/$YEAR/$MONTH/dhcpd.log"); }; #log for DHCP daemon (dhcp3)
destination d_fcron { file("/var/mojelogy/$YEAR/$MONTH/fcron.log"); }; #log for cron (fcron)
destination d_mail { file("/var/mojelogy/$YEAR/$MONTH/mail.log"); }; #log for mails
destination d_proftpd { file("/var/mojelogy/$YEAR/$MONTH/proftpd.log"); }; #log for FTP daemon (proftpd)
destination d_named { file("/var/mojelogy/$YEAR/$MONTH/named.log"); }; #log for DNS daemon (bind)
destination d_su { file("/var/mojelogy/$YEAR/$MONTH/su.log"); }; #log for user switching
Filters separating the individual logs.
For iptables logging it is important that the right prefix is set on the rules, here "iptables: ". We can separate logs by program/daemon name (program()) or by regular expression (match()). Both are regular expressions and neither is anchored by default: program(su) would also match sudo and sulogin, so anchor it as program("^su$"). The iptables lines are written by the kernel, with the program name "kernel" like many other messages, so we cannot use program() for them and must tell them apart by our prefix. Note that in syslog-ng 3 a bare match() is applied to the message header and body together, so an expression anchored with "^" must be restricted to the message part with value("MESSAGE"); and if your kernel prints timestamps ("[  812.345678] iptables: ..."), drop the "^" anchor or allow the bracketed timestamp in the expression.
filter f_syslog { program("syslog-ng"); };
filter f_iptables { match("^iptables: " value("MESSAGE")); }; #our --log-prefix, matched against the message part only
filter f_sshd { program("sshd"); };
filter f_fcron { program("fcron"); };
filter f_dhcpd { program("dhcpd"); };
filter f_mail { facility(mail); };
filter f_proftpd { program("proftpd"); };
filter f_named { program("named"); };
filter f_su { program("^su$"); }; #anchored, otherwise sudo would end up in su.log too
filter f_messages { #everything else, except what the filters above (syslog, iptables, dns, ...) already catch
#note: messages of unfiltered programs above warning level (err, crit, alert, emerg) and debug messages match no filter and are discarded
level(info .. warn)
and not filter(f_syslog)
and not filter(f_iptables)
and not filter(f_sshd)
and not filter(f_dhcpd)
and not filter(f_fcron)
and not filter(f_mail)
and not filter(f_proftpd)
and not filter(f_named)
and not filter(f_su)
;
};
log { source(src); filter(f_iptables); destination(d_iptables); flags(final); };
log { source(src); filter(f_sshd); destination(d_sshd); flags(final); };
log { source(src); filter(f_dhcpd); destination(d_dhcpd); flags(final); };
log { source(src); filter(f_fcron); destination(d_fcron); flags(final); };
log { source(src); filter(f_mail); destination(d_mail); flags(final); };
log { source(src); filter(f_syslog); destination(d_syslog); flags(final); };
log { source(src); filter(f_proftpd); destination(d_proftpd); flags(final); };
log { source(src); filter(f_named); destination(d_named); flags(final); };
log { source(src); filter(f_su); destination(d_su); flags(final); };
log { source(src); filter(f_messages); destination(d_messages); };
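To see where a given message ends up under these filter and log statements, here is a small model of the routing, added for this article; it is not syslog-ng code and not from the original author. It re-implements only the semantics relied on here: program() and match() as unanchored regular expressions (match() applied to the message part), facility() compared by name, level(a .. b) as an inclusive range, and flags(final) stopping after the first matching log statement. The messages are constructed, and the su_regex parameter lets you compare the page's program(su) with an anchored program("^su$").

```python
"""Model of this page's syslog-ng filter/log chain over constructed messages.

Added example, not syslog-ng code and not part of the original article. Only
the semantics used on this page are modelled: program() and match() are
unanchored regular expressions (match() on the message part), facility()
compares the facility name, level(a .. b) is an inclusive range and
flags(final) stops processing after the first matching log statement.
"""
import re

# syslog severities from most to least severe, with syslog-ng's names
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def level_range(lo, hi):
    """level(lo .. hi): the set of severities between the two bounds, either order."""
    i, j = sorted((LEVELS.index(lo), LEVELS.index(hi)))
    return set(LEVELS[i:j + 1])


def make_filters(su_regex=r"su"):
    """Build the page's named filters; su_regex is program(su) vs program("^su$")."""
    prog = lambda rx: (lambda m: re.search(rx, m["program"]) is not None)
    f = {
        "f_syslog":   prog(r"syslog-ng"),
        "f_iptables": lambda m: re.search(r"^iptables: ", m["message"]) is not None,
        "f_sshd":     prog(r"sshd"),
        "f_fcron":    prog(r"fcron"),
        "f_dhcpd":    prog(r"dhcpd"),
        "f_mail":     lambda m: m["facility"] == "mail",
        "f_proftpd":  prog(r"proftpd"),
        "f_named":    prog(r"named"),
        "f_su":       prog(su_regex),
    }
    specific = list(f)  # everything except f_messages
    f["f_messages"] = lambda m: (
        m["level"] in level_range("info", "warning")
        and not any(f[n](m) for n in specific)
    )
    return f


# log { source(src); filter(F); destination(D); flags(final); }; in page order
ROUTES = [
    ("f_iptables", "iptables.log", True), ("f_sshd", "sshd.log", True),
    ("f_dhcpd", "dhcpd.log", True), ("f_fcron", "fcron.log", True),
    ("f_mail", "mail.log", True), ("f_syslog", "syslog.log", True),
    ("f_proftpd", "proftpd.log", True), ("f_named", "named.log", True),
    ("f_su", "su.log", True), ("f_messages", "messages.log", False),
]


def route(msg, filters=None):
    """Return the destination files a message is written to, in order."""
    filters = filters or make_filters()
    out = []
    for flt, dest, final in ROUTES:
        if filters[flt](msg):
            out.append(dest)
            if final:
                break
    return out


def msg(program, facility, level, message):
    return {"program": program, "facility": facility, "level": level, "message": message}


# Constructed messages (hypothetical content, documentation addresses).
SAMPLE = {
    "drop":    msg("kernel", "kern", "warning",
                   "iptables: INPUT DROPPED IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP DPT=22"),
    # same line with a kernel printk timestamp: the anchored regex misses it
    "drop_ts": msg("kernel", "kern", "warning",
                   "[  812.345678] iptables: INPUT DROPPED IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP DPT=22"),
    "ssh":     msg("sshd", "auth", "info", "Accepted publickey for admin from 192.0.2.10 port 50022 ssh2"),
    "mail":    msg("postfix/smtpd", "mail", "info", "connect from unknown[192.0.2.20]"),
    "sudo":    msg("sudo", "authpriv", "notice", "admin : TTY=pts/0 ; COMMAND=/sbin/iptables -L"),
    # err level from a program without its own filter: matches nothing
    "err":     msg("crond", "daemon", "err", "can't open or create /var/run/crond.pid"),
}

if __name__ == "__main__":
    for name, m in SAMPLE.items():
        print(f"{name:8s} -> {route(m) or 'DISCARDED'}")
```

Two outcomes are worth checking against a real installation: a timestamped kernel line lands in messages.log instead of iptables.log, and an err-level message from a program without its own filter is written nowhere.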
Before restarting syslog-ng, check the configuration syntax with syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf; after the restart, a quick way to verify the routing is logger -t sshd "test message" followed by a look into the current $YEAR/$MONTH/sshd.log.
Syslog-ng version 3 documentation can be found here.
Configuration file for version 3.0.
via: Syslog-ng 3: Iptables logging, separating and sorting logs