On 7/20/2011 12:52 PM, Keith Roberts wrote:
> On Wed, 20 Jul 2011, cbulist@xxxxxxxxx wrote:
>
>> To: centos@xxxxxxxxxx
>> From: "cbulist@xxxxxxxxx" <cbulist@xxxxxxxxx>
>> Subject: Re: Iptables - flooding console
>>
>> On 7/20/2011 10:18 AM, Keith Roberts wrote:
>>> On Wed, 20 Jul 2011, cbulist@xxxxxxxxx wrote:
>>>
>>>> To: centos@xxxxxxxxxx
>>>> From: "cbulist@xxxxxxxxx" <cbulist@xxxxxxxxx>
>>>> Subject: Iptables - flooding console
>>>>
>>>> Hi,
>>>>
>>>> We are trying to track some specific rules using LOG as target.
>>>> Everything is working well but the problem is that iptables is flooding
>>>> the console with LOG messages.
>>>> We tried --log-level 4 on iptables rules but it didn't work.
>>>> We fixed the problem by changing the KLOGD_OPTIONS value in
>>>> /etc/sysconfig/syslog to:
>>>> KLOGD_OPTIONS="-c 4"
>>>>
>>>> Is it the best option or are we missing something?
>>>>
>>>> Thanks in advance
>>>
>>> I had this problem as well. The firewall logs were being
>>> sent (tailed/tee'd?) to the console, which is a pain if you
>>> are using mc or any other console application.
>>>
>>> To fix it on CentOS 5.5/6 I just added the following
>>> to the top of the /etc/syslog.conf file.
>>>
>>> Deleted these lines as not in use:
>>>
>>> # Log all kernel messages to the console.
>>> # Logging much else clutters up the screen.
>>> #kern.* /dev/console
>>>
>>> Replaced with:
>>>
>>> # Log all firewall messages to a file.
>>> kern.=debug /var/log/firewall-log
>>>
>>> Obviously you need to make sure the firewall log file
>>> exists:
>>>
>>> -rw-r--r-- keith users 39039 Jul 20 15:24 firewall-log
>>>
>>> Kind Regards,
>>
>> Thanks Keith,
>>
>> I tried your solution but it didn't work. (man 8 syslogd describes what
>> you said)
>> First I returned the default value on KLOGD_OPTIONS, I restarted the
>> syslog service but iptables still continues sending the log to the console.
>> I forgot to mention the system info:
>>
>> CentOS 5.6
>>
>> [root@server_56 ~]# uname -r
>> 2.6.18-238.el5
>> [root@server_56 ~]# iptables -V
>> iptables v1.3.5
>
> OK Julio.
>
> There was a kernel update last night, so here's what my 5.6
> box has got on it:
>
> [root@karsites ~]# uname -r
> 2.6.18-238.19.1.el5
>
> [root@karsites ~]# iptables -V
> iptables v1.3.5
>
> my /etc/sysconfig/syslog file is untouched by me:
>
> ###################
>
> # Options to syslogd
> # -m 0 disables 'MARK' messages.
> # -r enables logging from remote machines
> # -x disables DNS lookups on messages received with -r
> # See syslogd(8) for more details
> SYSLOGD_OPTIONS="-m 0"
> # Options to klogd
> # -2 prints all kernel oops messages twice; once for klogd to decode, and
> # once for processing with 'ksymoops'
> # -x disables all klogd processing of oops messages entirely
> # See klogd(8) for more details
> KLOGD_OPTIONS="-x"
> #
> SYSLOG_UMASK=077
> # set this to a umask value to use for all log files as in umask(1).
> # By default, all permissions are removed for "group" and "other".
>
> #################
>
> The only file I alter is /etc/syslog.conf which contains:
>
> #################
>
> # Log all firewall messages to a file.
> kern.=debug /var/log/firewall-log
>
> # Log anything (except mail) of level info or higher.
> # Don't log private authentication messages!
> *.info;mail.none;authpriv.none;cron.none /var/log/messages
>
> # The authpriv file has restricted access.
> authpriv.* /var/log/secure
>
> # Log all the mail messages in one place.
> mail.* -/var/log/maillog
>
> # Log cron stuff
> cron.* /var/log/cron
>
> # Everybody gets emergency messages
> *.emerg *
>
> # Save news errors of level crit and higher in a special file.
> uucp,news.crit /var/log/spooler
>
> # Save boot messages also to boot.log
> local7.* /var/log/boot.log
>
> #################
>
> and my IPtables rules for logging packets are:
>
> #------------------------------------------------------#
> # create a new chain for apache connections
> #------------------------------------------------------#
>
> iptables -N open_port_80
>
> # LOG all local connections to apache port 80
> iptables -A open_port_80 ! -i eth0 -p tcp --dport 80 \
> -j LOG --log-level 7 --log-prefix 'Local Port 80 connects '
>
> # ACCEPT all local connections to apache port 80
> iptables -A open_port_80 ! -i eth0 -p tcp --dport 80 -j ACCEPT
>
> #------------------------------------------------------#
>
> Here's what I get in my firewall-log file. Just did a
> connect from localhost to check it's all working OK.
>
> Jul 20 18:47:07 karsites kernel: Local Port 80 connects IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=40422 DF PROTO=TCP SPT=59791 DPT=80 WINDOW=386 RES=0x00 ACK FIN URGP=0
>
> Maybe you need to take another look at your IPtables logging
> rule?
>
> Kind Regards,
>
> Keith
>
> -----------------------------------------------------------------

Keith and Daniel,

Thanks so much for your help! Keith, you are right. I had --log-level 4 in the iptables rules because I played with that option in order to fix the problem. Now it's working well.
I didn't update the kernel.

Sincerely,
Julio

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
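An added example (not from the thread or any of its posters) that models in Python why Keith's `--log-level 7` plus `kern.=debug` lands in firewall-log while a `--log-level 4` rule hits the console, and that parses the LOG line Keith posted into fields. It assumes the kernel's console rule (a message is printed only when its priority number is below console_loglevel, which `klogd -c N` sets and which defaults to 7) and reduces Keith's syslog.conf to the two selectors that matter here.

```python
# Syslog priority numbers, as used by iptables --log-level and syslog.conf
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

def to_prio(level):  # accept a number or a name, as iptables --log-level does
    return int(level) if str(level).isdigit() else PRIORITIES[level]

def reaches_console(log_level, console_loglevel=7):
    """printk puts a message on the console only when its priority number is below
    console_loglevel (klogd -c N sets it; default 7): debug stays off, warning shows."""
    return to_prio(log_level) < console_loglevel

def selector_matches(selector, log_level):
    """kern.=debug matches only debug, kern.warning matches warning and more urgent, * all."""
    facility, _, prio = selector.partition(".")
    if facility not in ("kern", "*"):  # iptables LOG lines always arrive as kern
        return False
    if prio == "*":
        return True
    if prio.startswith("="):
        return to_prio(log_level) == to_prio(prio[1:])
    return to_prio(log_level) <= to_prio(prio)

def destinations(log_level, rules, console_loglevel=7):
    """Where a LOG message at log_level ends up: console plus matching syslog targets."""
    out = ["console"] if reaches_console(log_level, console_loglevel) else []
    return out + [path for sel, path in rules if selector_matches(sel, log_level)]

def parse_log_line(line):
    """Split an iptables LOG line into --log-prefix, KEY=VALUE fields and bare
    flags (DF, ACK, FIN ...); None if the line is not a LOG record."""
    _, sep, body = line.partition("kernel: ")
    prefix, sep2, fields = body.partition("IN=")
    if not (sep and sep2):
        return None
    rec = {"prefix": prefix.strip(), "flags": []}
    for tok in ("IN=" + fields).split():
        key, eq, val = tok.partition("=")
        if eq:
            rec[key] = val
        else:
            rec["flags"].append(key)
    return rec

# Keith's two selectors that matter here (constructed from the thread)
RULES = [("kern.=debug", "/var/log/firewall-log"), ("*.info", "/var/log/messages")]
# Keith's posted LOG line re-joined onto one line (constructed sample input)
SAMPLE = ("Jul 20 18:47:07 karsites kernel: Local Port 80 connects IN=lo OUT= SRC=127.0.0.1 "
          "DST=127.0.0.1 LEN=52 TTL=64 ID=40422 DF PROTO=TCP SPT=59791 DPT=80 ACK FIN URGP=0")
```

`destinations(4, RULES, 4)` reproduces Julio's `KLOGD_OPTIONS="-c 4"` workaround: the console is silenced, but the warning-level lines still go to /var/log/messages rather than to the dedicated firewall log.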