Thread: SUSEFIREWALL - How to forbid specific message in systemd-journald

  1. #1
    Join Date
    Jun 2008
    Location
    South-West France
    Posts
    1,069

SUSEFIREWALL - How to forbid specific message in systemd-journald

    Hello.

    I am using a NETGEAR router as dhcp and dns server using a dd-wrt firmware.
    The router address on lan side is 192.168.1.230

The router is configured to send log messages to a workstation 192.168.1.10 using UDP on port 514.

    I want to remove/hide/delete all messages in systemd-journald concerning "from 192.168.1.230 to 192.168.1.10:514" if they are not critical.
    Code:
    Jul 20 13:36:00 ASUS-NEW kernel: SFW2-INext-ACC IN=eth0 OUT= MAC=30:85:a9:28:16:f9:c0:ff:d4:80:a7:d5:08:00 SRC=192.168.1.230 DST=192.168.1.10 LEN=87 TOS=0x00 PREC=0x00 TTL=64 ID=39267 DF PROTO=UDP SPT=46674 DPT=514 LEN=67
The network interfaces of the workstation (wifi and ethernet) are put in the external zone.

    Any help is welcome.
    Thanks for helping. JCD
    __________
    server leap 15.0 -- ASUS g75vw KDE leap 15.0 -- ASUS g750JZ Optimus KDE leap 15.1 -- acer aspire s13 win 10 home -- HP Omen win 10 home - scan EPSON V500 - Brother HL2250DN - Samsung CLP-325W

  2. #2
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,270

Re: SUSEFIREWALL - How to forbid specific message in systemd-journald

Quote Originally Posted by jcdole

    I want to remove/hide/delete all messages in systemd-journald concerning "from 192.168.1.230 to 192.168.1.10:514" if they are not critical.
    I guess the first thing you have to do is to define what is "critical" and what not and how that can be categorized in a computer program. I doubt if you can see on the level of a firewall (that works on packets, not on their contents) what is what you value as critical.
    Henk van Velden

  3. #3
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,394
    Blog Entries
    2

Re: SUSEFIREWALL - How to forbid specific message in systemd-journald

    As for priority, you can easily specify only those entries assigned standard syslog priorities and above with the -p and -b flags, for instance

The following will display entries assigned the error, critical and emergency priorities
    Code:
    journalctl -p err -b
The standard syslog priorities are as follows, listing the highest priority first
    Code:
    0: emerg
    1: alert
    2: crit
    3: err
    4: warning
    5: notice
    6: info
    7: debug
The above might be sufficient for what you want to do; you might see a lot of "extra" messages, maybe not.

    As for excluding based on a text string, I don't know if you can do that. You can specify your output by Unit, Process, User or GroupID but I don't know if there are inverse options for each of those.

    You could probably awk or sed the output, but that would probably be cumbersome because if you pipe those commands, it would be post processing a chunk of log entries, not done in real time.

    I suppose the "enterprise" approach would be to export the data to a search engine or old-style syslog files, after which you would then easily query the data however you wish. Interested in that? I can update my Wiki pages on running Elasticsearch on openSUSE (Haven't updated in a long time).

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!
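As an added example (not code from this thread, from openSUSE or from SuSEfirewall2), the following Python script does the post-processing TSU describes: it takes journal records in the shape of `journalctl -o json` output (the `PRIORITY` and `MESSAGE` fields), applies a `journalctl -p`-style threshold using the syslog priority table above, then parses the SuSEfirewall2 `SFW2-...` KEY=VALUE line format and suppresses accepted-packet lines that match a rule built from the original poster's values (router 192.168.1.230 sending UDP syslog to 192.168.1.10:514). The sample records are constructed; only the first `MESSAGE` is the line quoted in the thread, and the `DROP-DEFLT` prefix in the third record is an assumed example, not taken from the thread.

```python
"""Post-process journal records carrying SuSEfirewall2 kernel log lines.

Added example, not code from the thread, openSUSE or SuSEfirewall2. Records
are shaped like `journalctl -o json` output (PRIORITY, MESSAGE).
"""
import re
from typing import Dict, Iterable, List

# Standard syslog priorities, highest priority first (0 = emerg ... 7 = debug).
SYSLOG_PRIORITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# A SuSEfirewall2 line starts with "SFW2-<chain>-<action>" (for the line
# quoted in the thread: chain "INext", action "ACC") followed by the
# netfilter KEY=VALUE fields.
_SFW2_PREFIX = re.compile(r"\bSFW2-(?P<chain>[A-Za-z]+)-(?P<action>[A-Z-]+)\b")
_KEY_VALUE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<value>\S*)")


def parse_sfw2(message: str) -> Dict[str, str]:
    """Return the prefix parts and KEY=VALUE fields of one SFW2 log message.

    Returns an empty dict for messages that are not SuSEfirewall2 lines.
    LEN occurs twice in a UDP line (IP total length, then UDP length); the
    second occurrence is stored as LEN2 so neither value is lost.
    """
    prefix = _SFW2_PREFIX.search(message)
    if prefix is None:
        return {}
    fields: Dict[str, str] = {"chain": prefix.group("chain"),
                              "action": prefix.group("action")}
    for kv in _KEY_VALUE.finditer(message, prefix.end()):
        key = kv.group("key")
        if key in fields:
            key += "2"
        fields[key] = kv.group("value")
    return fields


# Rule built from the original poster's values; every listed field must match.
ROUTER_SYSLOG_RULE = {
    "action": "ACC",
    "PROTO": "UDP",
    "SRC": "192.168.1.230",
    "DST": "192.168.1.10",
    "DPT": "514",
}


def matches_rule(fields: Dict[str, str], rule: Dict[str, str]) -> bool:
    return all(fields.get(key) == value for key, value in rule.items())


def filter_records(records: Iterable[Dict[str, str]],
                   max_priority: str = "info",
                   suppress=(ROUTER_SYSLOG_RULE,)) -> List[Dict[str, str]]:
    """Keep records at or above `max_priority` (same sense as `journalctl -p`:
    numeric priority less than or equal to the threshold), minus SFW2 lines
    that match any suppression rule. Dropped lines are only hidden from this
    view; the journal itself keeps them."""
    threshold = SYSLOG_PRIORITIES[max_priority]
    kept = []
    for record in records:
        if int(record["PRIORITY"]) > threshold:
            continue
        fields = parse_sfw2(record["MESSAGE"])
        if fields and any(matches_rule(fields, rule) for rule in suppress):
            continue
        kept.append(record)
    return kept


# Constructed sample records in the shape of `journalctl -o json` output. The
# first MESSAGE is the line quoted in the thread; the others are made up here.
SAMPLE_RECORDS = [
    {"PRIORITY": "4", "SYSLOG_IDENTIFIER": "kernel",
     "MESSAGE": "SFW2-INext-ACC IN=eth0 OUT= MAC=30:85:a9:28:16:f9:c0:ff:d4:80:a7:d5:08:00 "
                "SRC=192.168.1.230 DST=192.168.1.10 LEN=87 TOS=0x00 PREC=0x00 TTL=64 "
                "ID=39267 DF PROTO=UDP SPT=46674 DPT=514 LEN=67"},
    {"PRIORITY": "4", "SYSLOG_IDENTIFIER": "kernel",
     "MESSAGE": "SFW2-INext-ACC IN=eth0 OUT= SRC=192.168.1.42 DST=192.168.1.10 LEN=60 "
                "PROTO=TCP SPT=51000 DPT=22"},
    {"PRIORITY": "4", "SYSLOG_IDENTIFIER": "kernel",
     "MESSAGE": "SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.230 DST=192.168.1.10 "
                "LEN=40 PROTO=TCP SPT=40000 DPT=23"},
    {"PRIORITY": "7", "SYSLOG_IDENTIFIER": "systemd",
     "MESSAGE": "Started Some Unit."},
]

if __name__ == "__main__":
    for record in filter_records(SAMPLE_RECORDS):
        print(record["PRIORITY"], record["MESSAGE"])
```

Run against the constructed records, the router's accepted syslog line is hidden while the SSH accept from another host and the dropped packet from the router are kept, and the debug-level record falls below the default `info` threshold. Because the rule requires `action == "ACC"`, a drop involving the same addresses still shows, which keeps the suppression narrow. To use it on a live system you would feed it `journalctl -k -o json` output line by line; that part is not shown here.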

  4. #4
    Join Date
    Jun 2008
    Location
    South-West France
    Posts
    1,069

Re: SUSEFIREWALL - How to forbid specific message in systemd-journald

Quote Originally Posted by hcvv
    I guess the first thing you have to do is to define what is "critical" and what not and how that can be categorized in a computer program. I doubt if you can see on the level of a firewall (that works on packets, not on their contents) what is what you value as critical.
"critical" is a yast2 firewall dropdownlistbox option
    Thanks for helping. JCD

  5. #5
    Join Date
    Jun 2008
    Location
    South-West France
    Posts
    1,069

Re: SUSEFIREWALL - How to forbid specific message in systemd-journald

Quote Originally Posted by tsu2
    .................
    TSU
I know how to filter queries on the systemd journal.
I am searching for rules to discard messages before they are copied into the systemd journal.
    Thanks for helping. JCD

  6. #6
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,270

Re: SUSEFIREWALL - How to forbid specific message in systemd-journald

Quote Originally Posted by jcdole
"critical" is a yast2 firewall dropdownlistbox option
    With my remarks, I am only trying to help you in defining your goal in technical terms.

It is not me that you have to explain that to (nevertheless thanks), but your "solution". What is the interface you are going to use? Some configuration of journald? I see no way of filtering what goes to systemd-journald in its man page. IMHO the filtering, what to log and what not, should be done at the source of the logging.

BTW I can not find those dropdownlistbox options, but that can be due to the fact that I have the SuSEfirewall switched off.
Apart from that I do not see the connection between the firewall on your system and the fact that you do not want some packages sent from another system to your logging being stored. The firewall will of course only allow all those packages or none.
    Henk van Velden

  7. #7
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,394
    Blog Entries
    2

Re: SUSEFIREWALL - How to forbid specific message in systemd-journald

Quote Originally Posted by jcdole
I know how to filter queries on the systemd journal.
I am searching for rules to discard messages before they are copied into the systemd journal.
?? - A fundamental feature of the Journal is that it's not supposed to filter incoming messages; it's supposed to store "everything" to be as informative as possible.

    You <might> be able to filter at the source, but again that is contrary to the basic idea of storing everything you might need.

You might consider an "enterprise" solution to syslog aggregation. It makes more sense to filter at the next level, when you have enormously more data to analyze, so you <might> want to narrow down what you want to analyze. The difference in this concept is that you aren't discarding all records, so if you want to modify your analysis, the data hasn't been lost.

    IMO,
    TSU

  8. #8
    Join Date
    Jun 2008
    Location
    South-West France
    Posts
    1,069

Re: SUSEFIREWALL - How to forbid specific message in systemd-journald

Quote Originally Posted by tsu2
    ?? - ......

    IMO,
    TSU
And within the firewall, no possibilities?
    Thanks for helping. JCD