Currently all ip traffic is going to syslog, is there any way to move it to it's own log file? Ie put less entries in the main log.
Assuming that you are using the iptables netfilter framework for logging, you can make the following changes to the syslog.conf file to log desired IP traffic to a separate file (say firewall.log):

Open your /etc/syslog.conf file:
Code:
# vi /etc/syslog.conf

Append the following line:
Code:
kern.warning    /var/log/firewall.log

Save and close the file.

Restart the syslogd:
Code:
# /etc/init.d/syslogd restart

Make sure you pass the log-level 4 option with log-prefix to iptables:
Code:
iptables -A INPUT -j LOG --log-level 4
iptables -A INPUT -j DROP

For example, drop and log all connections from IP address A.B.C.D to your /var/log/firewall.log file:
Code:
iptables -A INPUT -s A.B.C.D -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix '** FIREWALL **' --log-level 4
iptables -A INPUT -s A.B.C.D -j DROP

Where,
--log-level 4: is the level of logging (4 is for warning)
--log-prefix '** FIREWALL **': Prefix log messages with the specified prefix (FIREWALL); useful for distinguishing messages in the logs.

As all logs with the kern facility get logged to firewall.log, you can search with the log prefix for all IP traffic messages.
Regards,
Kiran
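As an added example (not part of Kiran's post), a small Python parser for the firewall.log lines the rules above produce: it keeps only lines carrying the --log-prefix string, splits the KEY=VALUE fields the LOG target writes, and counts hits per source, protocol and destination port, which is the "search with the log prefix" step done programmatically. The log lines are constructed for the demo (documentation address ranges), and the prefix '** FIREWALL **' is the one from the rule above.

```python
import re
from collections import Counter

# Constructed sample of /var/log/firewall.log: kern-facility lines as written by the
# iptables LOG target, plus one unrelated kernel message that must be ignored.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: ** FIREWALL **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: ** FIREWALL **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:03 gw kernel: ** FIREWALL **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=4242 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:15:04 gw kernel: usb 1-1: new high-speed USB device number 2 using ehci-pci
Mar  3 10:15:05 gw kernel: ** FIREWALL **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44323 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# The LOG target emits space-separated KEY=VALUE pairs (OUT= may be empty); bare flags
# such as DF and SYN carry no '=' and are deliberately not captured.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line, prefix):
    """Return the KEY=VALUE fields of a kernel LOG line tagged with `prefix`, else None."""
    marker = "kernel: " + prefix          # the prefix follows the facility tag verbatim
    idx = line.find(marker)
    if idx < 0:
        return None                        # not a firewall line (or a different prefix)
    fields = dict(FIELD_RE.findall(line[idx + len(marker):]))
    fields["timestamp"] = line[:15]        # classic syslog "Mon dd HH:MM:SS" stamp
    return fields


def summarize(log_text, prefix):
    """Count logged packets per (SRC, PROTO, DPT); DPT is None for port-less protocols."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line, prefix)
        if f is None:
            continue
        counts[(f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts


def noisy_sources(counts, threshold):
    """Sources whose total logged packets reach `threshold`, busiest first."""
    per_src = Counter()
    for (src, _proto, _dpt), n in counts.items():
        per_src[src] += n
    return [(src, n) for src, n in per_src.most_common() if n >= threshold]


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG, "** FIREWALL **").most_common():
        print(n, key)
```

Point it at the real file with `summarize(open("/var/log/firewall.log").read(), "** FIREWALL **")`; because the rule above rate-limits LOG to 5/m, the counts are of logged packets, not of every dropped packet.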
Thanks a lot, big help.