If you use syslog-ng to collect your Linux kernel's messages into /var/log/messages and you want certain messages (selected by some criteria) written to a separate log file instead, e.g. your firewall (iptables LOG) entries, this is what you have to do:
- edit the syslog-ng configuration file (/etc/syslog-ng/syslog-ng.conf)
- create a new destination entry for your firewall log file
- create a new filter that grabs only the entries related to the firewall
- add a log statement that sends the entries selected by your custom filter to your custom destination
- check the syntax (syslog-ng -s) and then restart/reload the syslog-ng service
In the example below I show how to do this for iptables with syslog-ng on Gentoo.
I edited the default syslog-ng.conf; the additions (the firewall destination, filter and log statement) and the changed f_kernel filter are marked with comments in the listing:
[code language="bash"]# Syslog-ng default configuration file for Gentoo Linux
options {
    chain_hostnames(no);
    stats_freq(43200);
    mark_freq(3600);
};
source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    # kernel ring buffer: this is where the iptables LOG entries arrive
    # (only one process should read /proc/kmsg, so don't run klogd alongside)
    file("/proc/kmsg");
};
destination messages { file("/var/log/messages"); };
# your custom firewall destination
destination firewall { file("/var/log/firewall.log"); };
# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# make sure you don't include in /var/log/messages those entries that will go
# into the firewall custom log file (despite its name this filter passes every
# message that is NOT a firewall entry, i.e. it is the negation of f_firewall)
filter f_kernel { not match("IN=" value("MSG")) or not match("OUT=" value("MSG")); };
# your custom firewall filter: a message containing both "IN=" and "OUT="
filter f_firewall { match("IN=" value("MSG")) and match("OUT=" value("MSG")); };
log { source(src); filter(f_kernel); destination(messages); };
log { source(src); filter(f_kernel); destination(console_all); };
# your custom firewall log entry
log { source(src); filter(f_firewall); destination(firewall); };[/code]
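One thing to be aware of with the filter above: syslog-ng's match() is an unanchored regex search on the message text, and the firewall log statement is bound to the same source that also carries /dev/log. So any local process that can write to /dev/log can emit a line containing both IN= and OUT= and have it diverted into firewall.log and kept out of /var/log/messages. The Python script below is an added example, not code from the article: it emulates the routing decision over constructed sample lines and compares the article's filter with a variant that binds the firewall log statement to the kernel source only and keys on the iptables --log-prefix. The prefix "iptables: ", the source name kernel, the use of flags(final) and the sample lines are assumptions, not part of the article's config.

```python
"""Emulate syslog-ng's routing decision for the firewall/messages split.

Added example, not code from the original article. The sample lines are
constructed: they imitate what syslog-ng receives on the /proc/kmsg file
source (kernel printk lines, with a CONFIG_PRINTK_TIME timestamp) and on
the /dev/log unix-stream source (any local process). The hardened variant
assumes two things that are NOT in the article's config:

  * the iptables LOG rules carry a fixed prefix, e.g.
        iptables -A INPUT -j LOG --log-prefix "iptables: "
  * the kernel ring buffer is its own syslog-ng source and the firewall log
    statement is bound to it alone, so /dev/log traffic can never reach it:
        source kernel { file("/proc/kmsg"); };
        filter f_firewall { match("iptables: IN=" value("MSG")); };
        log { source(kernel); filter(f_firewall); destination(firewall);
              flags(final); };
        log { source(src); source(kernel); destination(messages); };
"""
import re

# (source, raw line) pairs as syslog-ng would receive them. PRI is
# facility * 8 + severity: <4> = kern.warning, <6> = kern.info,
# <38> = auth.info, <14> = user.info. All of these are constructed.
SAMPLE_LINES = [
    # genuine packet log from the kernel LOG target
    ("kmsg", "<4>[  812.435219] iptables: IN=eth0 OUT= MAC=00:11:22:33:44:55:"
             "66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 "
             "TTL=54 PROTO=TCP SPT=4444 DPT=22 SYN"),
    # ordinary kernel message without firewall fields
    ("kmsg", "<6>[  813.001000] eth0: link up, 1000Mbps, full-duplex"),
    # a normal daemon line arriving over /dev/log
    ("devlog", "<38>sshd[2177]: Failed password for root from 203.0.113.7 "
               "port 4444 ssh2"),
    # forged by an unprivileged local user with logger(1) (tag is hypothetical):
    # it contains both substrings the article's filter keys on
    ("devlog", "<14>logger: IN=x OUT=y hide-me-from-var-log-messages"),
]


def parse_pri(line):
    """Split '<PRI>rest' into (facility, severity, rest)."""
    m = re.match(r"<(\d{1,3})>(.*)", line, re.S)
    if not m:
        raise ValueError("missing <PRI> header: %r" % line)
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def article_filter(source, msg):
    """The article's f_firewall: match("IN=") and match("OUT=").

    match() is an unanchored search on the message text, so it accepts any
    message carrying both substrings, whatever source it came from. Python's
    `in` reproduces that for these literal patterns.
    """
    return "IN=" in msg and "OUT=" in msg


def hardened_filter(source, msg):
    """Kernel-source-only log statement plus the LOG rule's own prefix.

    Only lines from the kmsg source can reach the firewall destination, so a
    /dev/log writer cannot divert its own lines there. The PRI facility is
    deliberately not used as a trust signal: a process writing the raw
    /dev/log socket chooses that number itself.
    """
    return source == "kmsg" and "iptables: IN=" in msg


def route(source, line, fw_filter):
    """Return 'firewall' or 'messages' for one raw line.

    Mirrors the article's log{} statements: f_kernel is the exact negation
    of f_firewall (De Morgan), so each line lands in exactly one file.
    """
    _facility, _severity, msg = parse_pri(line)
    return "firewall" if fw_filter(source, msg) else "messages"


def route_all(lines, fw_filter):
    """Destination of each (source, line) pair under the given filter."""
    return [route(src, raw, fw_filter) for src, raw in lines]


if __name__ == "__main__":
    for name, flt in (("article", article_filter), ("hardened", hardened_filter)):
        print("filter:", name)
        for (src, raw), dest in zip(SAMPLE_LINES, route_all(SAMPLE_LINES, flt)):
            print("  %-8s %-6s %s" % (dest, src, raw[:55]))
```

Under the article's filter the forged /dev/log line ends up in firewall.log and disappears from /var/log/messages; under the hardened variant it stays in /var/log/messages and only real LOG-target entries from the kernel reach firewall.log. On a real box you can try the same thing after reloading syslog-ng: run `logger 'IN=x OUT=y test'` as an unprivileged user and check which of the two files the line shows up in.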
Now, if you think this article was interesting, don't forget to rate it. It shows me that you care, and thus I will continue to write about these things.
Eugen Mihailescu