Firewall logs are in /var/log/{firewall,warn,messages} - clutter

I suspect this is an initial configuration bug. All firewall logs seem to be going to all
three files. That causes a lot of clutter in the log files, and makes it difficult to see whether there are any serious problems being logged.

Did you configure the firewall using YaST? If so, what did you configure it to log?

If not sure, you could post the output of this command here:

sudo iptables -avL

Best regards,
Greg

I configured the firewall to allow inbound smtp, ssh and syslog. I don’t believe that I configured anything related to firewall logging - I’m pretty sure that I left that at the default setting. I am seeing the same duplicate (triplicate) logging on a laptop, where the only firewall change was to allow inbound ssh.


# iptables -avL
iptables v1.4.10: option `iptables' requires an argument
Try `iptables -h' or 'iptables --help' for more information.

(Somehow, I don’t think that was the output you were looking for).

I am currently looking at “/etc/rsyslog.conf” in an attempt to understand what is happening.

Toward the top of that file, I find:


#
# firewall messages into separate file and stop their further processing
#
if      ($syslogfacility-text == 'kern') and \
        ($msg contains 'IN=' and $msg contains 'OUT=') \
then    -/var/log/firewall
&       ~

If I understand it correctly, that last line shown (the “& ~”) is supposed to discard (throw away) all firewall log messages after they have been logged to “/var/log/firewall”. It looks to me as if that isn’t working, as if they are not being discarded. I am suspecting that this is a bug.

I would appreciate some checking, particularly by folk who are very familiar with rsyslog.conf .

Thanks.
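To make the rsyslog rule quoted above concrete, here is an added example that is not part of the original thread: a small Python model of how rsyslog walks its rule list top to bottom, with the “& ~” discard line modelled as a flag on the preceding rule. The rule set is a hand-written, simplified approximation of the openSUSE rsyslog.conf (firewall and NetworkManager rules with discard, then mail, warn and messages), not the real file, and the log lines are constructed; the SFW2-* prefixes mirror the SuSEfirewall2 LOG rules seen later in the thread. Running it with the discard honoured and then ignored reproduces the clutter the poster describes.

```python
"""Added example (not from the thread): model of rsyslog rule evaluation,
showing what '& ~' (discard after match) does and what happens when it is
ignored.  Rule set and sample messages are constructed approximations."""
from collections import OrderedDict

# Standard syslog priority names, most to least severe.
SYSLOG_PRIORITIES = ["emerg", "alert", "crit", "err", "warning",
                     "notice", "info", "debug"]

# Constructed sample messages as (facility, priority, text).  The SFW2-*
# prefixes match the names SuSEfirewall2 gives its LOG rules; the kernel
# logs them at level 4, i.e. priority 'warning'.
SAMPLE_LOG = [
    ("kern", "warning", "SFW2-INext-DROP-DEFLT IN=eth0 OUT= "
     "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 "
     "DST=10.0.0.1 PROTO=UDP DPT=137"),
    ("kern", "warning", "SFW2-FWD-ILL-ROUTING IN=eth0 OUT=eth1 "
     "SRC=10.0.0.5 DST=192.0.2.9 PROTO=TCP DPT=22"),
    ("kern", "info", "e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex"),
    ("daemon", "info", "NetworkManager: <info> DHCPv4 state changed "
     "preinit -> bound"),
    ("mail", "info", "postfix/smtpd: connect from unknown[198.51.100.7]"),
]


# Selectors: each mirrors one rsyslog filter from the (simplified) config.
def is_firewall(fac, pri, msg):
    # ($syslogfacility-text == 'kern') and ($msg contains 'IN=' and 'OUT=')
    return fac == "kern" and "IN=" in msg and "OUT=" in msg


def is_networkmanager(fac, pri, msg):
    return "NetworkManager" in msg


def is_mail(fac, pri, msg):
    return fac == "mail"


def is_warn(fac, pri, msg):
    # *.=warning;*.=err;*.=crit  -/var/log/warn
    return pri in ("warning", "err", "crit")


def is_messages(fac, pri, msg):
    # *.*;mail.none;news.none  -/var/log/messages
    return fac not in ("mail", "news")


# (selector, target file, discard-after-match).  The True entries model the
# '& ~' line that follows the firewall and NetworkManager rules.
RULES = [
    (is_firewall,       "/var/log/firewall",       True),
    (is_networkmanager, "/var/log/NetworkManager", True),
    (is_mail,           "/var/log/mail",           False),
    (is_warn,           "/var/log/warn",           False),
    (is_messages,       "/var/log/messages",       False),
]


def route(messages, discard_works=True):
    """Return {target file: [message text, ...]} after walking RULES in
    order.  With discard_works=False the '~' action is ignored, so a message
    keeps matching later rules; that is the triplicate logging in the thread."""
    out = OrderedDict((target, []) for _, target, _ in RULES)
    for fac, pri, msg in messages:
        assert pri in SYSLOG_PRIORITIES, pri
        for selector, target, discard in RULES:
            if selector(fac, pri, msg):
                out[target].append(msg)
                if discard and discard_works:
                    break          # '& ~': stop processing this message
    return out


def counts(messages, discard_works=True):
    """Per-file line counts, the quick way to spot duplication."""
    return {f: len(v) for f, v in route(messages, discard_works).items()}


if __name__ == "__main__":
    for works in (True, False):
        print("discard %s:" % ("honoured" if works else "ignored"))
        for f, n in counts(SAMPLE_LOG, works).items():
            print("  %-24s %d" % (f, n))
```

With the discard honoured, the two firewall lines land only in /var/log/firewall and /var/log/messages holds just the link-up line; with it ignored, the firewall lines additionally reach /var/log/warn (because level 4 is priority warning) and /var/log/messages, and the NetworkManager line shows up in messages as well.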

Yes, you’re right, sorry about that :) this one should work:

sudo SuSEfirewall2 status

But I guess it will be easiest to look in YaST, particularly this window (screenshot on SUSE Paste):

This one is in Polish, sorry about that :) Basically there are two combo boxes. One configures the level of logging for accepted packets and the other one the level of logging for dropped packets. On my screenshot the first combo box is configured not to log accepted packets at all and the second one says “log only critical”. My guess is you might have “log everything” for both accepted and dropped packets.

Best regards,
Greg

It looks the same for me here so I guess that’s not the problem.

Best regards,
Greg

Both option boxes show “Log only critical”.

I wasn’t suggesting that the configuration is the problem. Rather, I was suggesting that the rsyslogd daemon was not honoring that configuration.

Are you also seeing firewall logs replicated in logfiles “warn” and “messages”?

I seem to recall that with 11.3, the messages log file was being rotated every few months. Now it is being rotated every few days. I am in the habit of using “tail /var/log/messages” to get a picture of what has been happening recently. But now that only shows me firewall logs.

This should be fine as far as I can tell. I wonder what would happen if you set both to not log anything at all?

The last resort is the CLI command that shows the full status of active firewall config. Look for anything containing LOG there.

This is how it looks for me, and logging works as I expect it to work:

grzes@opensuse:~> sudo SuSEfirewall2 status | grep LOG
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET ' 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING ' 
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 
    3  1131 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 
    0     0 LOG        all      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET ' 
    0     0 LOG        all      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING ' 
    0     0 LOG        tcp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 
    0     0 LOG        icmpv6    *      *       ::/0                 ::/0                limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 
    0     0 LOG        udp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '

Best regards,
Greg
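The status output above is the authoritative answer to “what will the firewall log, and at which priority”. As an added example that is not part of the thread, here is a small Python parser for the LOG lines of that `iptables -nvL`-style output; it pulls out the packet counters, protocol, rate limit, log level and prefix, and maps the numeric kernel level to the syslog priority name, which is what rsyslog then matches on (level 4 is warning, so these lines satisfy a `*.=warning` selector). The sample input is copied from the post; the column layout assumed is the one shown there, and since the IPv6 rows lack the opt column the parser keys on the `LOG` target rather than on fixed positions.

```python
"""Added example (not from the thread): parse LOG rules out of
'SuSEfirewall2 status' / 'iptables -nvL' output and report what gets logged
at which syslog priority.  Input below is copied from the forum post."""
import re
from collections import Counter

# Kernel printk levels 0..7 map onto the same names as syslog priorities.
KERN_LEVELS = ["emerg", "alert", "crit", "err", "warning",
               "notice", "info", "debug"]

STATUS_OUTPUT = r"""
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    3  1131 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 LOG        all      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
    0     0 LOG        all      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
    0     0 LOG        tcp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 LOG        icmpv6    *      *       ::/0                 ::/0                limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
    0     0 LOG        udp      *      *       ::/0                 ::/0                limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
"""

# Leading counters, then the LOG target, then the protocol column.
LOG_RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+LOG\s+(\S+)")
LEVEL_RE = re.compile(r"\blevel (\d+)\b")
PREFIX_RE = re.compile(r"prefix `([^']*)'")
LIMIT_RE = re.compile(r"limit: avg (\S+) burst (\d+)")


def parse_log_rules(text):
    """Return one dict per LOG rule found in iptables -nvL style output."""
    rules = []
    for line in text.splitlines():
        m = LOG_RULE_RE.match(line)
        if not m:
            continue                     # not a LOG rule (or a header line)
        level = LEVEL_RE.search(line)
        prefix = PREFIX_RE.search(line)
        limit = LIMIT_RE.search(line)
        lvl = int(level.group(1)) if level else 4   # iptables LOG default: warning
        rules.append({
            "pkts": int(m.group(1)),
            "bytes": int(m.group(2)),
            "proto": m.group(3),
            "family": "ipv6" if "::/0" in line else "ipv4",
            "level": lvl,
            "priority": KERN_LEVELS[lvl],
            "prefix": prefix.group(1).strip() if prefix else "",
            "limit": limit.group(1) if limit else None,
            "burst": int(limit.group(2)) if limit else None,
        })
    return rules


def summarize(rules):
    """Hits per prefix and the priorities in use: tells you which rsyslog
    selectors (e.g. *.=warning) the firewall lines will match."""
    hits = Counter()
    for r in rules:
        hits[r["prefix"]] += r["pkts"]
    return {"rules_per_prefix": Counter(r["prefix"] for r in rules),
            "pkts_per_prefix": hits,
            "priorities": sorted({r["priority"] for r in rules})}


if __name__ == "__main__":
    parsed = parse_log_rules(STATUS_OUTPUT)
    for r in parsed:
        print("%-24s %-6s %-4s level=%d (%s) limit=%s burst=%s pkts=%d" % (
            r["prefix"], r["family"], r["proto"], r["level"], r["priority"],
            r["limit"], r["burst"], r["pkts"]))
    print(summarize(parsed))
```

In the posted output only one rule has ever fired (3 UDP packets against SFW2-INext-DROP-DEFLT), and every rule logs at level 4, so whatever the firewall emits will be kern.warning: exactly the priority the openSUSE `/var/log/warn` selector catches once the rsyslog discard stops working.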

Yes, I see some firewall logs in messages and warn, but there are very few of them in those files.

Best regards,
Greg

I am probably going to file a bug report on this.

I just checked my laptop, and it is duplicating NetworkManager logs in “/var/log/messages” (in addition to duplicating firewall logs). Again, if I am understanding the configuration file correctly, those should have been logged in “/var/log/NetworkManager” but nowhere else.

I think you’re right, but my knowledge of syslog is limited, to say the least, so I’m sure I can’t help you out. Good luck in resolving the problem.

Best regards,
Greg

I just checked the “rsyslog” site, and they list this as a bug fixed in the last few days:


bugfix: discard action did not work under some circumstances
fixes: http://bugzilla.adiscon.com/show_bug.cgi?id=217

(quoted from the changelog at http://www.rsyslog.com/changelog-for-5-6-5-v5-stable/)

Apparently, somebody has already filed a bug report:
https://bugzilla.novell.com/show_bug.cgi?id=676041

Thanks a lot for the feedback.

Best regards,
Greg