
#1 2008-05-13 19:46:06

dienadel
Member
Registered: 2005-12-23
Posts: 179

I don't have /var/log/iptables.log

Hello,

The title says it all. Running syslog-ng and iptables, the /var/log/iptables.log file isn't created. This question is exactly the same as the one that appears here: http://bbs.archlinux.org/viewtopic.php?id=28900 and a solution is given.

But what I'm asking myself is whether an easier solution exists. Why doesn't the standard setup work? It seems ready to log iptables to /var/log/iptables.log.

Thanks!


#2 2008-05-13 20:47:19

Purch
Member
From: Finland
Registered: 2006-02-23
Posts: 229

Re: I don't have /var/log/iptables.log

Do you have logging on in the iptables rules?

I have these in syslog-ng.conf and no prefixes in the iptables rules. This type of syslog-ng.conf layout concerning f_iptables should be the default in syslog-ng packages nowadays.

$ grep iptables /etc/syslog-ng.conf 
destination iptables { file("/var/log/iptables.log"); };
filter f_kernel { facility(kern) and not filter(f_iptables); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news, cron) and not program(syslog-ng) and not filter(f_iptables); };
filter f_everything { level(debug..emerg) and not facility(auth, authpriv) and not filter(f_iptables); };
filter f_info { level(info) and not filter(f_iptables); };
filter f_iptables { match("IN=.*OUT="); };
log { source(src); filter(f_iptables); destination(iptables); };

You can touch /var/log/iptables.log if it helps?

Last edited by Purch (2008-05-13 20:51:59)

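To see what that f_iptables filter actually selects, here is an added example (mine, not from Purch's post or the syslog-ng package) that applies the same regular expression, IN=.*OUT=, to a few constructed kernel-facility lines. Every line the netfilter LOG target emits carries "IN=<iface> OUT=<iface>" right after any --log-prefix, so those lines go to /var/log/iptables.log and ordinary kernel messages stay in the kernel log. It assumes, as the thread's config does, that source(src) also reads kernel messages (on that era's Arch, file("/proc/kmsg")); without that source nothing from the LOG target ever reaches syslog-ng.

```shell
#!/bin/sh
# Added example: emulate syslog-ng's
#   filter f_iptables { match("IN=.*OUT="); };
# over constructed sample lines to show which ones would be routed to
# /var/log/iptables.log. The lines below are made up, not captured from a host.
SAMPLE_LOG='May 18 12:00:01 host kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 18 12:00:02 host kernel: usb 1-1: new high speed USB device using ehci_hcd
May 18 12:00:03 host kernel: INPUT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 LEN=40 PROTO=TCP SPT=1234 DPT=445
May 18 12:00:04 host kernel: eth0: link up'

# route_line: print "iptables" if the line matches f_iptables (and would be
# written to /var/log/iptables.log), otherwise "kernel".
route_line() {
    if printf '%s\n' "$1" | grep -Eq 'IN=.*OUT='; then
        echo iptables
    else
        echo kernel
    fi
}

# count_iptables_lines: how many of the sample lines f_iptables would select.
count_iptables_lines() {
    printf '%s\n' "$SAMPLE_LOG" | grep -Ec 'IN=.*OUT='
}

# Show the routing decision for each sample line.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    printf '%-8s %s\n' "$(route_line "$line")" "$line"
done
```

Note that the prefixed line (INPUT-DROP:) is matched just as well as the unprefixed one, which is why Purch needs no --log-prefix for routing; a prefix is still handy for telling rules apart once the log fills up. The other filters in that config carry "and not filter(f_iptables)" so the same line is not duplicated into kernel.log, messages.log and everything.log.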

#3 2008-05-17 19:23:51

dienadel
Member
Registered: 2005-12-23
Posts: 179

Re: I don't have /var/log/iptables.log

Sorry for the late answer. I'm very busy.

Yes, I have those lines:

$ grep iptables /etc/syslog-ng.conf
destination iptables { file("/var/log/iptables.log"); };
filter f_kernel { facility(kern) and not filter(f_iptables); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news, cron) and not program(syslog-ng) and not filter(f_iptables); };
filter f_iptables { match("IN=.*OUT="); };
log { source(src); filter(f_iptables); destination(iptables); };

I "touched" the /var/log/iptables.log file, and nothing. It remains at 0 kb.

I'm behind a router, and firewalled. But:
- anything in the log? I've made a port scan via web. I think that this should log something
- at least, the file should be created, no?

With the conditions in /etc/syslog-ng.conf, what should I do to force an iptables log?

If it helps to resolve this, iptables.rules is created by:

#!/bin/bash

rm /etc/iptables/iptables.rules

# Flush all rules and delete user chains before rebuilding, so re-running the
# script does not append duplicate rules (the original had no -F for the filter
# table, and -X fails on any user chain that still has rules referencing it).
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

# Default policies: drop unsolicited inbound and forwarded traffic, allow outbound.
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  ACCEPT

# Loopback traffic is always allowed.
iptables -A INPUT  -i lo -j ACCEPT

# Replies to connections this host initiated are allowed back in.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# No rule above uses -j LOG, so iptables itself never emits a log line.
iptables-save > /etc/iptables/iptables.rules

Then I run "/etc/rc.d/iptables restart".

Of course, syslog-ng and iptables are in rc.conf

Any idea/help?

Thanks!

EDITED: I've noticed a few differences in the syslog-ng file; I'm testing with the new settings. But after a port scan, and a ping from another PC on the LAN, nothing.

Last edited by dienadel (2008-05-17 19:50:38)


#4 2008-05-18 11:06:25

sniffles
Member
Registered: 2008-01-23
Posts: 275

Re: I don't have /var/log/iptables.log

dienadel wrote:

If it helps to resolve this, iptables.rules is created by:
<..>

There are no "-j LOG"s in there. Those rules basically say you're allowed to connect to servers and nobody `from the outside` can connect to various services you might be running on your system (some other things too, but not important for my comment). I don't know how you thought iptables works or whatever, but if you want portscans to get detected and logged, or if you want various attacks to be detected and logged, you'll have to instruct iptables to do that.

Last edited by sniffles (2008-05-18 11:10:24)


#5 2008-05-18 13:06:14

dienadel
Member
Registered: 2005-12-23
Posts: 179

Re: I don't have /var/log/iptables.log

sniffles wrote:

There are no "-j LOG"s in there.

Yes, last night, before going to sleep, I thought: "perhaps I must tell iptables to log" (I thought it was done by syslog-ng). Today, after reading your post, I modified iptables.rules, and, yes, iptables.log is populating now. :-)

Thanks

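The thread never shows the rule that was added, so here is an added example of my own (not dienadel's final file) covering sniffles' point: the same policy as the posted script, plus a rate-limited LOG rule placed after the ACCEPT rules so that only traffic the INPUT DROP policy is about to discard gets logged. It is written in iptables-save/restore syntax so it can be reviewed and checked without root; the prefix "IPT-INPUT-DROP: " and the 5/min limit are my choices.

```shell
#!/bin/sh
# Added example: a filter table equivalent to dienadel's rules with a LOG rule
# in front of the DROP policy. Output is iptables-restore format; load it with
# iptables-restore < /etc/iptables/iptables.rules (the rc script's restart does
# the equivalent). The prefix and limits below are assumptions, not from the thread.
LOG_PREFIX='IPT-INPUT-DROP: '

# build_ruleset: print the filter table. Lines starting with # are ignored by
# iptables-restore, so the comments can stay in the file.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything reaching this point will be dropped by the INPUT policy.
# Log it first, rate-limited so a port scan cannot flood /var/log/iptables.log.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
COMMIT
EOF
}

# has_log_rule: succeed if the INPUT chain has a -j LOG rule. This is exactly
# the check the original script would fail, which is why the log stayed empty.
has_log_rule() {
    build_ruleset | grep -q -- '^-A INPUT .* -j LOG'
}

# log_after_accepts: succeed if the LOG rule comes after the ESTABLISHED,RELATED
# ACCEPT, so replies to the host's own connections are not logged.
log_after_accepts() {
    acc=$(build_ruleset | grep -n -- '--state ESTABLISHED,RELATED -j ACCEPT' | cut -d: -f1)
    log=$(build_ruleset | grep -n -- '-j LOG' | cut -d: -f1)
    [ "$log" -gt "$acc" ]
}

build_ruleset
```

Each logged packet produces a kernel line of the form "IPT-INPUT-DROP: IN=eth0 OUT= SRC=... DST=... PROTO=... DPT=...", which Purch's f_iptables filter (match("IN=.*OUT=")) routes to /var/log/iptables.log. Because OUTPUT is ACCEPT and nothing in that chain logs, outbound traffic is never recorded; the ping and port scan from the LAN that dienadel tried are inbound and would now show up, subject to the limit.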
