Moving iptables logs to a separate file.
17 September 2017, 22:09
Author: Matrixx
Hello everyone.
On Ubuntu 16.10 I have the following services installed and running:
- iptables
  - the service is called: firewall service
  - the config file is called: iptables.sh
- rsyslog
  - the service is: rsyslog.service
  - the config file is: rsyslogd
Everything works fine, but mixing the iptables logs with the other logs in these locations:
- /var/log/syslog
- /var/log/kern.log
makes analysis difficult.
Question.
How do I move only the iptables logs to a different file?
Regards.
PS. At the moment the file /var/log/iptables.log is empty.
Re: Moving iptables logs to a separate file.
18 September 2017, 20:35
Author: pawkrol
Install Ulog
or
/etc/rsyslog.d/ipt.conf
Code:
:msg, contains, "iptables: " /var/log/iptables.log
& ~
and in iptables, e.g.:
Code:
iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.156.30 -m tcp -p tcp --dport 80 -j LOG --log-prefix "iptables: Forward ACCEPT: "
I recommend Ulog, because it does not clutter dmesg with its logs.
Re: Moving iptables logs to a separate file.
18 September 2017, 21:08
Author: Matrixx
So as not to change the iptables rules, I used:
Code:
:msg, contains, "ipT4: " /var/log/iptables.log
& ~
then:
rsyslog service status after the changes:
Code:
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2017-09-18 20:05:47 IST; 1min 14s ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 26403 (rsyslogd)
Tasks: 4 (limit: 4915)
Memory: 6.9M
CPU: 12ms
CGroup: /system.slice/rsyslog.service
└─26403 /usr/sbin/rsyslogd -n
Sep 18 20:05:47 mike-desktop rsyslogd[26403]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.28.0.2576a4cdf49b try http://www.rsyslog.com/e/2307 ]
Sep 18 20:05:47 mike-desktop rsyslogd[26403]: rsyslogd's groupid changed to 108
Sep 18 20:05:47 mike-desktop rsyslogd[26403]: rsyslogd's userid changed to 104
Sep 18 20:05:47 mike-desktop rsyslogd[26403]: [origin software="rsyslogd" swVersion="8.28.0.2576a4cdf49b" x-pid="26403" x-info="http://www.rsyslog.com"] start
Sep 18 20:05:47 mike-desktop rsyslogd[26403]: Could not open output pipe '/dev/xconsole':: No such file or directory [v8.28.0.2576a4cdf49b try http://www.rsyslog.com/e/2039 ]
Sep 18 20:05:47 mike-desktop rsyslogd[26403]: action 'action 8' suspended, next retry is Mon Sep 18 20:06:17 2017 [v8.28.0.2576a4cdf49b try http://www.rsyslog.com/e/2007 ]
Sep 18 20:06:02 mike-desktop rsyslogd[26403]: file '/var/log/firewall': open error: Permission denied [v8.28.0.2576a4cdf49b try http://www.rsyslog.com/e/2433 ]
Sep 18 20:06:02 mike-desktop rsyslogd[26403]: action 'action 12' resumed (module 'builtin:omfile') [v8.28.0.2576a4cdf49b try http://www.rsyslog.com/e/2359 ]
Sep 18 20:06:02 mike-desktop rsyslogd[26403]: message repeated 8 times: [action 'action 12' resumed (module 'builtin:omfile') [v8.28.0.2576a4cdf49b try http://www.rsyslog.com/e/2359 ]]
Sep 18 20:06:02 mike-desktop rsyslogd[26403]: action 'action 12' suspended, next retry is Mon Sep 18 20:06:32 2017 [v8.28.0.2576a4cdf49b try http://www.rsyslog.com/e/2007 ]
I'll check in a moment whether it writes to the file.
It dumps the logs into the file: /var/log/syslog.
The file /var/log/iptables.log is still empty.
Re: Moving iptables logs to a separate file.
18 September 2017, 22:10
Author: pawkrol
Then check whether rsyslog includes that file at all
/etc/rsyslog.conf
The file must be loaded before the rules
auth,authpriv.* /var/log/auth.log
...
Re: Moving iptables logs to a separate file.
19 September 2017, 11:40
Author: Matrixx
Confirmed, /etc/rsyslog.conf includes this configuration:
Code:
# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
if $msg contains 'input1,iptables denied,output1,ipT:' then -/var/log/firewall
#if $msg contains 'input1' then -/var/log/firewall
#if $msg contains 'iptables denied' then -/var/log/firewall
#if $msg contains 'output1' then -/var/log/firewall
if $msg contains 'ipT4' then -/var/log/iptables.log
Sorry, but I don't understand:
The file must be loaded before the rules
auth,authpriv.* /var/log/auth.log
What am I supposed to check or do?
PS. I'm wondering whether, if the string "ipT4" in /etc/rsyslog.conf is only part of the suffix used in the iptables rules configuration script, that is enough for it to work? Or does the whole suffix have to be used?
Code:
#!/bin/sh
conntrack -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "ipT4 DROP INPUT: "
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -m limit --limit 2/min -j LOG --log-prefix "ipT4 DROP INVALID IN: "
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "ipT4 DROP INVALID FWD: "
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -I OUTPUT -m state -p tcp --state NEW -i eth0 -m limit --limit 1/m --limit-burst 1 -j LOG --log-uid --log-prefix "ipT4 Outbound Connection: "
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 2/min -j LOG --log-prefix "ipT4 DROP INVALID OUT: "
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -F
ip6tables -X
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Re: Moving iptables logs to a separate file.
19 September 2017, 12:24
Author: pawkrol
It does not have to be the whole suffix. The rule uses contains, so it only has to contain the word ipt4.
What files do you have in the rsyslog.d directory?
Re: Moving iptables logs to a separate file.
19 September 2017, 12:46
Author: Matrixx
I did my homework.
https://unix.stackexchange.com/question ... slog-confi
The line:
does not exist in the file:
/etc/rsyslog.conf
Code:
# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
if $msg contains 'input1,iptables denied,output1,ipT4' then -/var/log/firewall
#if $msg contains 'input1' then -/var/log/firewall
#if $msg contains 'iptables denied' then -/var/log/firewall
#if $msg contains 'output1' then -/var/log/firewall
if $msg contains 'ipT4' then -/var/log/iptables.log
/etc/rsyslog.d/50-default.conf
Code:
# Default rules for rsyslog.
#
# For more information see rsyslog.conf(5) and /etc/rsyslog.conf
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
#lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
#user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info -/var/log/mail.info
#mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Logging for INN news system.
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some "catch-all" log files.
#
#*.=debug;\
# auth,authpriv.none;\
# news.none;mail.none -/var/log/debug
#*.=info;*.=notice;*.=warn;\
# auth,authpriv.none;\
# cron,daemon.none;\
# mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
/etc/rsyslog.d/ipt.conf
Code:
:msg, contains, "ipT4: " /var/log/iptables.log
& ~
Result: it still logs to /var/log/syslog
Re: Moving iptables logs to a separate file.
19 September 2017, 15:24
Author: pawkrol
Then move those two lines you have in ipt.conf into the 50-default file, before the auth,priv... line
And comment out in rsyslog.conf
if $msg contains...
Re: Moving iptables logs to a separate file.
19 September 2017, 16:35
Author: Matrixx
Done:
Code:
# Default rules for rsyslog.
#
# For more information see rsyslog.conf(5) and /etc/rsyslog.conf
#
# First some standard log files. Log by facility.
#
:msg, contains, "ipT4: " /var/log/iptables.log
& ~
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
#lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
#user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info -/var/log/mail.info
#mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Logging for INN news system.
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some "catch-all" log files.
#
#*.=debug;\
# auth,authpriv.none;\
# news.none;mail.none -/var/log/debug
#*.=info;*.=notice;*.=warn;\
# auth,authpriv.none;\
# cron,daemon.none;\
# mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
Code:
# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
if $msg contains 'input1,iptables denied,output1,ipT4' then -/var/log/firewall
#if $msg contains 'input1' then -/var/log/firewall
#if $msg contains 'iptables denied' then -/var/log/firewall
#if $msg contains 'output1' then -/var/log/firewall
#if $msg contains 'ipT4' then -/var/log/iptables.log
Removed it.
Restarted.
Result: it still logs to /var/log/syslog
Re: Moving iptables logs to a separate file.
19 September 2017, 17:18
Author: Morfik
Instead of:
Code:
:msg, contains, "ipT4: " /var/log/iptables.log
& ~
Use:
Code:
if $msg contains 'ipT4: ' then -/var/log/iptables.log
& stop
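An added illustration, not code from any poster in this thread: a small Python model of rsyslog's `contains` filter and of top-to-bottom rule evaluation with `& ~` / `& stop`. It makes two things visible that the thread circles around. First, `contains` is a plain, case-sensitive substring test, so the needle `"ipT4: "` used in ipt.conf and in the last reply never occurs in prefixes such as `"ipT4 DROP INPUT: "` from iptables.sh (the colon never directly follows `ipT4`), and the lower-case `ipt4` would not match either; the bare `ipT4` does. Second, the filter has to be evaluated before the `*.*` catch-all and has to stop the message, otherwise every line still lands in /var/log/syslog. The sample messages are constructed for this example, and the assumption that `$IncludeConfig /etc/rsyslog.d/*.conf` loads 50-default.conf before ipt.conf (alphabetical glob order) is labelled in the code.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample messages, shaped like the kernel lines the --log-prefix values
# in the thread's iptables.sh would produce (addresses from documentation ranges).
SAMPLE_MESSAGES = [
    "ipT4 DROP INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23",
    "ipT4 Outbound Connection: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP DPT=443 UID=1000",
    "iptables: Forward ACCEPT: IN=eth1 OUT=eth0 SRC=192.168.56.20 DST=192.168.156.30 PROTO=TCP DPT=80",
    "ACPI: Power Button [PWRF]",
]


@dataclass
class Rule:
    """One action line: a 'contains' needle (None = matches everything, like *.*),
    a target file, and whether the message is discarded afterwards ('& ~' / '& stop')."""
    needle: Optional[str]
    target: str
    stop: bool = False


def contains(msg: str, needle: Optional[str]) -> bool:
    """rsyslog's 'contains' is a plain, case-sensitive substring test."""
    return True if needle is None else needle in msg


def route(msg: str, rules: List[Rule]) -> List[str]:
    """Evaluate rules top to bottom and return the files the message is written to."""
    targets = []
    for rule in rules:
        if contains(msg, rule.needle):
            targets.append(rule.target)
            if rule.stop:          # '& stop' / '& ~': no later rule sees the message
                break
    return targets


def matches_for(needle: str) -> List[str]:
    """Sample messages that a given needle would select."""
    return [m for m in SAMPLE_MESSAGES if contains(m, needle)]


# *.*;auth,authpriv.none -/var/log/syslog from 50-default.conf (the '-' only means async writes)
CATCH_ALL = Rule(None, "/var/log/syslog")


def rules_as_posted() -> List[Rule]:
    # Assumption: $IncludeConfig /etc/rsyslog.d/*.conf loads 50-default.conf before
    # ipt.conf (alphabetical glob order), so the catch-all is evaluated first, and the
    # ipt.conf pair keeps the needle "ipT4: " that never occurs in the prefixes.
    return [CATCH_ALL, Rule("ipT4: ", "/var/log/iptables.log", stop=True)]


def rules_fixed() -> List[Rule]:
    # Filter placed before the catch-all, a needle that really occurs in the prefixes,
    # and stop so the line is not duplicated into syslog.
    return [Rule("ipT4", "/var/log/iptables.log", stop=True), CATCH_ALL]


def summarize(rules: List[Rule]) -> Dict[str, List[str]]:
    """Map each sample message's prefix (text before the first ':') to its destinations."""
    return {m.split(":", 1)[0]: route(m, rules) for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for needle in ("ipT4: ", "ipT4", "ipt4"):
        print(f"{needle!r:10} matches {len(matches_for(needle))} of {len(SAMPLE_MESSAGES)} messages")
    print("as posted:", summarize(rules_as_posted()))
    print("fixed:    ", summarize(rules_fixed()))
```

Running it shows the needle `"ipT4: "` selecting nothing and the "as posted" ordering sending every line to /var/log/syslog only, while the reordered rules with the bare `ipT4` needle route the firewall lines to /var/log/iptables.log and nothing else. The same check can be done against a live rsyslog by sending a test line with the exact prefix and watching which file it reaches.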