RE: is it posible to change the log output of iptables?


If you can stand losing some accuracy maybe use a limit match for logging? Something on the order of log 3 per minute or a reasonable number that will cut down on the number of log entries generated. Or if the size is not the issue but the amount of data being generated a parsing script would be good, isolate each of the IP addresses out and then go check them. I’m not sure you can change the format IPTables is logging in except for the log prefix, but I’m no expert on it either.

 

-----Original Message-----
From: Thomas Hanson [mailto:klon@xxxxxxxx]
Sent: Friday, October 24, 2003 8:23
To: 'Netfilter (E-mail)'
Subject: RE: is it posible to change the log output of iptables?

 

We only log one protocol, ICMP type 8. We do this to catch viruses scanning for vulnerabilities. But this one protocol gives 2+ Gb a day of log, which is a little less than the amount of packets dropped a day (about 2.5 Gbytes a day) for that one protocol. Our iptables looks like this:

 

-A FORWARD -p icmp -m icmp -m state -s 192.38.222.0/255.255.255.0 --icmp-type 8 --state NEW -j LOG
-A FORWARD -p icmp -m icmp -m state -s 192.38.223.0/255.255.255.0 --icmp-type 8 --state NEW -j LOG
-A FORWARD -p icmp -m icmp -m state -s 192.38.222.0/255.255.255.0 --icmp-type 8 --state NEW -j DROP
-A FORWARD -p icmp -m icmp -m state -s 192.38.223.0/255.255.255.0 --icmp-type 8 --state NEW -j DROP
 

 

But with 600 students and about 40 computers filled with viruses, this adds up.

 

Thomas

 

 

 -----Original Message-----
From: Hildebrand, Brian [mailto:BrianHildebrand@xxxxxxxxxxxxxxxxxxxxxxxx]
Sent: 24. oktober 2003 15:14
To: Thomas Hanson
Cc: Netfilter (E-mail)
Subject: RE: is it posible to change the log output of iptables?

It would be better to reduce the amount of traffic you are logging. If you are logging everything that gets dropped, your log files are still going to be huge. I usually drop all the Microsoft RPC ports without logging, as well as other scan ports (like skiddies scanning on 8080 for HTTP proxies).

 

-----Original Message-----
From: Thomas Hanson [mailto:klon@xxxxxxxx]
Sent: Friday, October 24, 2003 7:59
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: is it posible to change the log output of iptables?

 

Hi,

 

I am logging what our firewall is dropping (with the -j LOG option), and the log file is enormous (2+ Gb a day). I was wondering if it is possible to define what goes into the log.

currently it gives this :

Oct 24 14:46:52 MEGALOMANIA kernel: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC="" DST=192.38.103.193 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=27977 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=60760

 

But all I am interested in is the time, src, dst and len variables; everything else is not needed for our logging. Can you adjust this? If so, how?

 

 

Thanks,

Thomas Hanson

----------------------------------------
The information transmitted in this message is intended only for the person or entity to whom it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this document.
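The "parsing script" suggested in the reply above, as an added example that is not part of the thread: it reduces kernel LOG lines of the format Thomas quotes to the time, SRC, DST and LEN fields he asked for, and counts hits per source so the infected hosts can be followed up. The log lines embedded in the script are constructed samples (addresses made up within the 192.38.222.0/24 and 192.38.223.0/24 networks from the rules above), and the fourth line is a non-firewall syslog entry included to show that it is skipped.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample syslog lines in the
# iptables LOG format shown in the thread; the addresses are made up.
SAMPLE_LOG='Oct 24 14:46:52 MEGALOMANIA kernel: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.38.222.17 DST=192.38.103.193 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=27977 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=60760
Oct 24 14:46:52 MEGALOMANIA kernel: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.38.222.17 DST=192.38.103.194 LEN=92 TOS=0x00 PREC=0x00 TTL=128 ID=27978 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=60761
Oct 24 14:46:53 MEGALOMANIA kernel: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.38.223.40 DST=192.38.103.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=100 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Oct 24 14:46:53 MEGALOMANIA cron[123]: (root) CMD (run-parts /etc/cron.hourly)'

# compact_log: reads syslog on stdin, writes "Mon DD HH:MM:SS SRC DST LEN"
# for each kernel LOG line. Fields are found by their KEY= prefix, not by
# position, so the optional PHYSIN/PHYSOUT fields (bridge setups like br0)
# do not shift the result; a missing field prints as "-".
compact_log() {
    awk '
    /kernel: / && /SRC=/ && /DST=/ {
        src = dst = len = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^LEN=/) len = substr($i, 5)
        }
        # $1 $2 $3 are the syslog month, day and time
        printf "%s %s %s %s %s %s\n", $1, $2, $3, src, dst, len
    }'
}

# count_sources: hits per source address, busiest first. This is the list
# of machines to go and check.
count_sources() {
    compact_log | awk '{ n[$4]++ } END { for (s in n) print n[s], s }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | compact_log
printf '%s\n' "$SAMPLE_LOG" | count_sources
```

Run it as `compact_log < /var/log/messages` on a real host. The limit match mentioned in the reply works at the rule level instead, by inserting `-m limit --limit 3/minute` before `-j LOG`, and is independent of this script.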
