On Tuesday 25 February 2003 04:01 pm, Michael K wrote:

> When I use the --jump LOG in iptables it logs to /dev/console. Read
> the man page for syslog.conf(5) and added "kern.warn /var/log/krnmsg".
> Restarted syslog; and still it logs to /dev/console.

You need to use "kern.=warn" to designate a target for kernel warning
messages. You also, IIRC, need to make sure you don't have a kern.* entry
before it, or a *.warn.

> Can I prevent this from happening?

Possibly. Check if you have a "kern.*" or any other entry going to
"/dev/console", and if you do you can comment it out.

> Is there another (better) way to log?

You can use the ULOG target, but you'll need to install a few userspace
programs to deal with that. If all you want is to look through logs
occasionally for anything unexpected, or use the log to debug firewall
rules as you work, follow the suggestion below.

> Can't I use something like "iptables.* /var/log/iptables" so that I
> only get messages from iptables? (Did try it, but didn't work)

You can get close to this on most systems. With most stable-kernel
installations you have very few entries in the kernel debug stream, so
you can add the parameter "--log-level 7" to your LOG rules, and divert
"kern.=debug" in your syslog.conf file to an (almost) iptables-only log.
If you also use the "--log-prefix" parameter you can prepend a specified
string to each log entry from that rule, to help in reading the log.

A useful example of all this is:

    iptables -A FORWARD -j LOG --log-level 7 --log-prefix "Unexpected Forward:"

as the last rule in the FORWARD chain. If you have "kern.=debug
/var/log/iptables" in syslog.conf then "cat /var/log/iptables | grep
Unexp" would list out all the matching log entries.

> BTW: the system is Redhat 7.3

j
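An added example, not part of the reply above: a small POSIX shell script that reads the "kern.=debug" log the reply describes and summarizes the entries carrying a given --log-prefix, going one step beyond the plain grep by ranking the SRC= and DPT= fields. It assumes rules of the form shown above (--log-level 7 plus a prefix) and "kern.=debug /var/log/iptables" in syslog.conf. The log lines, the host name gw, the addresses and the second prefix "Dropped Input:" are all constructed for the example; the field layout (IN= OUT= SRC= DST= ... PROTO= SPT= DPT=) is what the kernel LOG target emits. Note that a prefix without a trailing space, as in the rule above, is glued straight onto "IN=", which the parser tolerates because it keys on the SRC=/DPT= tokens rather than on position.

```shell
#!/bin/sh
# Added example for reading an iptables LOG stream diverted to its own file.
# Setup assumed (from the reply above):
#   iptables -A FORWARD -j LOG --log-level 7 --log-prefix "Unexpected Forward:"
#   kern.=debug   /var/log/iptables        (in /etc/syslog.conf)

# Constructed sample log (not real traffic). Line 5 shows that other
# kern.debug messages land in the same file, line 6 a second LOG rule
# with its own prefix; neither should be counted for "Unexpected Forward:".
make_sample_log() {
    cat > "$1" <<'EOF'
Feb 25 16:01:02 gw kernel: Unexpected Forward:IN=eth0 OUT=eth1 SRC=10.1.1.5 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=33122 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 25 16:01:03 gw kernel: Unexpected Forward:IN=eth0 OUT=eth1 SRC=10.1.1.5 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1235 DF PROTO=TCP SPT=33123 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 25 16:01:04 gw kernel: Unexpected Forward:IN=eth0 OUT=eth1 SRC=10.1.1.5 DST=192.168.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1236 DF PROTO=TCP SPT=33124 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 25 16:01:04 gw kernel: Unexpected Forward:IN=eth0 OUT=eth1 SRC=172.16.4.9 DST=192.168.0.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Feb 25 16:01:05 gw kernel: eth0: link up
Feb 25 16:01:06 gw kernel: Dropped Input:IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=9 DF PROTO=TCP SPT=4021 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
EOF
}

# fw_count LOG PREFIX: number of entries produced by the rule with PREFIX.
# grep -F treats the prefix literally, so "." or "[" in a prefix is safe.
fw_count() {
    grep -c -F -- "$2" "$1"
}

# fw_field LOG PREFIX NAME: print the value of the NAME= field (SRC, DST,
# DPT, ...) from every entry carrying PREFIX. Entries without the field
# (ICMP has no DPT) are skipped rather than printed as empty.
fw_field() {
    grep -F -- "$2" "$1" | awk -v n="$3=" '
        {
            for (i = 1; i <= NF; i++)
                if (index($i, n) == 1) { print substr($i, length(n) + 1); break }
        }'
}

# fw_top LOG PREFIX NAME: rank the values of NAME= by frequency,
# one "count value" per line, most frequent first.
fw_top() {
    fw_field "$1" "$2" "$3" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Stand-alone demo: ./fwlog.sh --demo
# On a real box replace "$tmp" with /var/log/iptables.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_log "$tmp"
    echo "entries: $(fw_count "$tmp" 'Unexpected Forward:')"
    echo "top sources:";        fw_top "$tmp" 'Unexpected Forward:' SRC
    echo "destination ports:";  fw_top "$tmp" 'Unexpected Forward:' DPT
    rm -f "$tmp"
fi
```

Because every LOG rule can carry its own prefix, the same three functions separate traffic per rule from one shared file; the unrelated "link up" line shows why "kern.=debug" only gives an almost-iptables-only log and why matching on the prefix, not just the file, is the right filter.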