
Thread: Firewall logs are in /var/log/{firewall,warn,messages} - clutter

  1. #1
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    10,141
    Blog Entries
    3

    Firewall logs are in /var/log/{firewall,warn,messages} - clutter

    I suspect this is an initial configuration bug. All firewall logs seem to be going to all
    three files. That causes a lot of clutter in the log files, and makes it difficult to see whether there are any serious problems being logged.
    opensuse Leap 15.0; KDE Plasma 5;
    opensuse tumbleweed; KDE Plasma 5 (test system);

  2. #2
    Join Date
    Sep 2010
    Location
    Poland
    Posts
    1,854

    Re: Firewall logs are in /var/log/{firewall,warn,messages} - clutter

    Quote Originally Posted by nrickert View Post
    I suspect this is an initial configuration bug. All firewall logs seem to be going to all
    three files. That causes a lot of clutter in the log files, and makes it difficult to see whether there are any serious problems being logged.
    Did you configure the firewall using YaST? If so, what did you configure it to log?

    If not sure, you could post the output of this command here:
    Code:
    sudo iptables -avL
    Best regards,
    Greg

  3. #3
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    10,141
    Blog Entries
    3

    Re: Firewall logs are in /var/log/{firewall,warn,messages} - clutter

    I configured the firewall to allow inbound smtp, ssh and syslog. I don't believe that I configured anything related to firewall logging - I'm pretty sure that I left that at the default setting. I am seeing the same duplicate (triplicate) logging on a laptop, where the only firewall change was to allow inbound ssh.

    Code:
    # iptables -avL
    iptables v1.4.10: option `iptables' requires an argument
    Try `iptables -h' or 'iptables --help' for more information.
    (Somehow, I don't think that was the output you were looking for).
    opensuse Leap 15.0; KDE Plasma 5;
    opensuse tumbleweed; KDE Plasma 5 (test system);

  4. #4
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    10,141
    Blog Entries
    3

    Re: Firewall logs are in /var/log/{firewall,warn,messages} - clutter

    I am currently looking at "/etc/rsyslog.conf" in an attempt to understand what is happening.

    Toward the top of that file, I find:
    Code:
    #
    # firewall messages into separate file and stop their further processing
    #
    if      ($syslogfacility-text == 'kern') and \
            ($msg contains 'IN=' and $msg contains 'OUT=') \
    then    -/var/log/firewall
    &       ~
    If I understand it correctly, that last line shown (the "& ~") is supposed to discard (throw away) all firewall log messages after they have been logged to "/var/log/firewall". It looks to me as if that isn't working, as if they are not being discarded. I am suspecting that this is a bug.

    I would appreciate some checking, particularly by folk who are very familiar with rsyslog.conf .

    Thanks.
    opensuse Leap 15.0; KDE Plasma 5;
    opensuse tumbleweed; KDE Plasma 5 (test system);
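Added example, not from the thread or from rsyslog itself: a small Python model of how rsyslog walks a rule chain top to bottom, using the quoted filter. The `warn` (`*.=warn;*.=err`) and `messages` (`*.*`) catch-all rules are assumed to follow it, and the kernel lines are constructed. With the `& ~` discard present a firewall line lands only in /var/log/firewall; without it the same line ends up in all three files, which is the symptom described above.

```python
from collections import defaultdict

# Constructed sample kernel messages as (facility, severity, text).
# Severity 4 = warning (the LOG target's "level 4"), 6 = info.
MESSAGES = [
    ("kern", 4, "SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=UDP DPT=137"),
    ("kern", 4, "SFW2-IN-ILL-TARGET IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=23"),
    ("kern", 6, "usb 1-1: new high-speed USB device number 4"),
]

def is_firewall(fac, sev, msg):
    # ($syslogfacility-text == 'kern') and ($msg contains 'IN=' and $msg contains 'OUT=')
    return fac == "kern" and "IN=" in msg and "OUT=" in msg

def is_warn_or_err(fac, sev, msg):
    # Assumed '*.=warn;*.=err' selector for /var/log/warn (severities 4 and 3).
    return sev in (3, 4)

def everything(fac, sev, msg):
    # Assumed '*.*' catch-all for /var/log/messages.
    return True

def build_rules(discard_after_firewall):
    """Rule chain as (filter, destination); destination None is the discard action.
    rsyslog's '&' reuses the previous line's filter, and '~' (now spelled 'stop')
    discards the message so that no later rule sees it."""
    rules = [(is_firewall, "/var/log/firewall")]
    if discard_after_firewall:
        rules.append((is_firewall, None))            # the '& ~' line
    rules += [(is_warn_or_err, "/var/log/warn"), (everything, "/var/log/messages")]
    return rules

def route(messages, rules):
    """Run each message through the chain top to bottom; return {file: [lines]}."""
    out = defaultdict(list)
    for fac, sev, msg in messages:
        for matches, dest in rules:
            if not matches(fac, sev, msg):
                continue
            if dest is None:
                break                                 # discarded: stop processing
            out[dest].append(msg)
    return dict(out)

def copies_of(routed, needle):
    """Number of log files that received a line containing `needle`."""
    return sum(1 for lines in routed.values() if any(needle in l for l in lines))
```

Running `route(MESSAGES, build_rules(False))` reproduces the triplicate logging; `build_rules(True)` is what the quoted configuration intends.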

  5. #5
    Join Date
    Sep 2010
    Location
    Poland
    Posts
    1,854

    Re: Firewall logs are in /var/log/{firewall,warn,messages} - clutter

    Quote Originally Posted by nrickert View Post
    I configured the firewall to allow inbound smtp, ssh and syslog. I don't believe that I configured anything related to firewall logging - I'm pretty sure that I left that at the default setting. I am seeing the same duplicate (triplicate) logging on a laptop, where the only firewall change was to allow inbound ssh.

    Code:
    # iptables -avL
    iptables v1.4.10: option `iptables' requires an argument
    Try `iptables -h' or 'iptables --help' for more information.
    (Somehow, I don't think that was the output you were looking for).
    Yes, you're right, sorry about that. This one should work:
    Code:
    sudo SuSEfirewall2 status
    But I guess it will be easiest to look in YaST. Particularly the window:
    SUSE Paste

    This one is in Polish, sorry about that. Basically there are two combo boxes: one that configures the level of logging for accepted packets and the other the level of logging for dropped packets. On my screenshot the first combo box is configured to not log accepted packets at all and the second one says log only critical. My guess is you might have "log everything" for both accepted and dropped packets.

    Best regards,
    Greg

  6. #6
    Join Date
    Sep 2010
    Location
    Poland
    Posts
    1,854

    Re: Firewall logs are in /var/log/{firewall,warn,messages} - clutter

    Quote Originally Posted by nrickert View Post
    I am currently looking at "/etc/rsyslog.conf" in an attempt to understand what is happening.

    Toward the top of that file, I find:
    Code:
    #
    # firewall messages into separate file and stop their further processing
    #
    if      ($syslogfacility-text == 'kern') and \
            ($msg contains 'IN=' and $msg contains 'OUT=') \
    then    -/var/log/firewall
    &       ~
    If I understand it correctly, that last line shown (the "& ~") is supposed to discard (throw away) all firewall log messages after they have been logged to "/var/log/firewall". It looks to me as if that isn't working, as if they are not being discarded. I am suspecting that this is a bug.

    I would appreciate some checking, particularly by folk who are very familiar with rsyslog.conf .

    Thanks.
    It looks the same for me here so I guess that's not the problem.

    Best regards,
    Greg

  7. #7
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    10,141
    Blog Entries
    3

    Re: Firewall logs are in /var/log/{firewall,warn,messages} - clutter

    Quote Originally Posted by glistwan View Post
    But I guess it will be easiest to look in YaST. Particularly the window :
    SUSE Paste
    Both option boxes show "Log only critical".
    opensuse Leap 15.0; KDE Plasma 5;
    opensuse tumbleweed; KDE Plasma 5 (test system);

  8. #8
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    10,141
    Blog Entries
    3

    Re: Firewall logs are in /var/log/{firewall,warn,messages} - clutter

    Quote Originally Posted by glistwan View Post
    It looks the same for me here so I guess that's not the problem.
    I wasn't suggesting that the configuration is the problem. Rather, I was suggesting that the rsyslogd daemon was not honoring that configuration.

    Are you also seeing firewall logs replicated in logfiles "warn" and "messages"?

    I seem to recall that with 11.3, the messages log file was being rotated every few months. Now it is being rotated every few days. I am in the habit of using "tail /var/log/messages" to get a picture of what has been happening recently. But now that only shows me firewall logs.
    opensuse Leap 15.0; KDE Plasma 5;
    opensuse tumbleweed; KDE Plasma 5 (test system);

  9. #9
    Join Date
    Sep 2010
    Location
    Poland
    Posts
    1,854

    Re: Firewall logs are in /var/log/{firewall,warn,messages} - clutter

    Quote Originally Posted by nrickert View Post
    Both option boxes show "Log only critical".
    This should be fine as far as I can tell. I wonder what would happen if you set both to not log anything at all?

    The last resort is the CLI command that shows the full status of active firewall config. Look for anything containing LOG there.

    This is how it looks for me, and logging works as I expect it to work:
    Code:
    grzes@opensuse:~> sudo SuSEfirewall2 status | grep LOG
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET ' 
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING ' 
        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 
        0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 
        3  1131 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 
        0     0 LOG        all      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET ' 
        0     0 LOG        all      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING ' 
        0     0 LOG        tcp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 
        0     0 LOG        icmpv6    *      *       ::/0                 ::/0                limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 
        0     0 LOG        udp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    Best regards,
    Greg
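Added example, not from the thread: a Python parser for LOG rule lines in the layout shown above (the sample below is constructed in the same format). It pulls out the packet counter, the rate limit, the log level (4 is syslog warning, which is why these kernel lines also match a `*.=warn` selector) and the SFW2 prefix, and lists the prefixes whose counters are non-zero, i.e. the rules actually producing log lines for rsyslog to route.

```python
import re

# Constructed sample modelled on `sudo SuSEfirewall2 status | grep LOG` output
# (iptables -nvL counters, the limit match, and the LOG prefix).
SAMPLE = """\
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
    3  1131 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 LOG        icmpv6    *      *       ::/0                 ::/0                limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
"""

# Columns: pkts bytes target proto [opt] in out source destination <match options>.
# The 'opt' column ('--') appears in the IPv4 listing only.
LINE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+LOG\s+(?P<proto>\S+)\s+(?:--\s+)?"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<rest>.*)$"
)
LIMIT_RE = re.compile(r"limit: avg (\S+) burst (\d+)")
LEVEL_RE = re.compile(r"\blevel (\d+)")
PREFIX_RE = re.compile(r"prefix `([^']*)'")

def parse_log_rules(text):
    """Turn LOG rule lines into dicts; lines that are not LOG rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        limit, level, prefix = LIMIT_RE.search(rest), LEVEL_RE.search(rest), PREFIX_RE.search(rest)
        rules.append({
            "pkts": int(m.group("pkts")),
            "proto": m.group("proto"),
            "family": "ipv6" if "::" in m.group("src") else "ipv4",
            "limit": f"{limit.group(1)} burst {limit.group(2)}" if limit else None,
            "level": int(level.group(1)) if level else None,      # 4 = syslog warning
            "prefix": prefix.group(1).strip() if prefix else None,
        })
    return rules

def active_prefixes(rules):
    """Prefixes of LOG rules whose packet counter is non-zero: the rules that are
    actually generating the kernel log lines rsyslog then has to route."""
    return sorted({r["prefix"] for r in rules if r["pkts"] > 0})
```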

  10. #10
    Join Date
    Sep 2010
    Location
    Poland
    Posts
    1,854

    Re: Firewall logs are in /var/log/{firewall,warn,messages} - clutter

    Quote Originally Posted by nrickert View Post
    I wasn't suggesting that the configuration is the problem. Rather, I was suggesting that the rsyslogd daemon was not honoring that configuration.

    Are you also seeing firewall logs replicated in logfiles "warn" and "messages"?

    I seem to recall that with 11.3, the messages log file was being rotated every few months. Now it is being rotated every few days. I am in the habit of using "tail /var/log/messages" to get a picture of what has been happening recently. But now that only shows me firewall logs.
    Yes, I see some firewall logs in messages and warn, but there are very few of them in those files.

    Best regards,
    Greg
