
iptables LOG not in syslog


William Hunt

Apr 11, 2010, 9:48:13 AM
Hi, All:

I have a slackware-12.2 VPS installed under OpenVZ (@ChainHost.com).

iptables -j LOG rules load correctly.
iptables -L shows counts correctly accumulating.
/sbin/dmesg shows LOG messages are correctly generated.
Nothing shows in /var/log/syslog.
/etc/syslog.conf is: "*.*;mail.none; /var/log/syslog"
Other apps correctly write syslog, example: logger, imapd, sshd, ...

Any clues?

Thanks!
--
William Hunt, Portland Oregon USA

Lew Pitcher

Apr 11, 2010, 9:59:35 AM
On April 11, 2010 09:48, in alt.os.linux.slackware, w...@prv8.net wrote:

> Hi, All:
>
> I have a slackware-12.2 VPS installed under OpenVZ (@ChainHost.com).
>
> iptables -j LOG rules load correctly.
> iptables -L shows counts correctly accumulating.
> /sbin/dmesg shows LOG messages are correctly generated.
> Nothing shows in /var/log/syslog.
> /etc/syslog.conf is: "*.*;mail.none; /var/log/syslog"
> Other apps correctly write syslog, example: logger, imapd, sshd, ...
>
> Any clues?

Not from what you've posted so far.

First off, show us your iptables rules. We need to see both the rules that
invoke the -j LOG table, /and/ the rules that branch or fall-through to
those -j LOG rules. This will show us what options you log with, and what
it is you log (or not).

Do you use the --log-prefix option on your -j LOG rules? A unique value here
makes it easy to locate the logged values in your syslog.

Second, are you looking in the right log? The Slackware default syslog.conf
rules read (in part)...
# Log anything 'info' or higher, but lower than 'warn'.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.info;*.!warn;\
authpriv.none;cron.none;mail.none;news.none -/var/log/messages
and with no overriding syslog configuration, this causes all netfilter
messages to log to /var/log/messages.

HTH
--
Lew Pitcher
Master Codewright & JOAT-in-training | Registered Linux User #112576
Me: http://pitcher.digitalfreehold.ca/ | Just Linux: http://justlinux.ca/
---------- Slackware - Because I know what I'm doing. ------


John K. Herreshoff

Apr 11, 2010, 9:59:54 AM
William Hunt wrote:

Mine shows up in messages. Did you check that?

John.

--
Using the Laptop at home.

Lew Pitcher

Apr 11, 2010, 11:05:23 AM
Lew Pitcher <lpit...@teksavvy.com> trolled:


Warning:

Lew Pitcher, who posts to this newsgroup, is a domain thief.

Read the full story at http://www.lewpitcher.ca

William Hunt

Apr 11, 2010, 11:20:01 AM
On Sun, 11 Apr 2010, Lew Pitcher wrote:
> On April 11, 2010 09:48, in alt.os.linux.slackware, w...@prv8.net wrote:
>> I have a slackware-12.2 VPS installed under OpenVZ (@ChainHost.com).
>> iptables -j LOG rules load correctly.
>> iptables -L shows counts correctly accumulating.
>> /sbin/dmesg shows LOG messages are correctly generated.
>> Nothing shows in /var/log/syslog.
>> /etc/syslog.conf is: "*.*;mail.none; /var/log/syslog"
>> Other apps correctly write syslog, example: logger, imapd, sshd, ...
>> Any clues?

> Not from what you've posted so far.
> First off, show us your iptables rules. We need to see both the rules that
> invoke the -j LOG table, /and/ the rules that branch or fall-through to
> those -j LOG rules. This will show us what options you log with, and what
> it is you log (or not).

[...]

I don't think the problem is with my script; this has been running
for many years on other slackware hosts, and fails only now with
this most recent move to 12.2 under OpenVZ. As noted in the OP, hit
counts correctly accumulate and appropriate output appears in the
kernel ring buffer as shown by /sbin/dmesg.
The script which builds my tables is itself 500+ lines, so here
is just a typical snippet, LOG'ing and DROP'ing telnet probes:
#------------------
# user-defined chain: log the packet, then drop it
iptables -N telnet
iptables -A telnet -j LOG --log-prefix "(DROP TELNET) "
iptables -A telnet -j DROP
# send inbound TCP/23 through that chain
iptables -A INPUT -p tcp --dport 23 -j telnet
#------------------


>
> Second, are you looking in the right log? The Slackware default syslog.conf
> rules read (in part)...

[...]

I use a very simple /etc/syslog.conf, in full:
#------------------
*.*;mail.none; /var/log/syslog
mail.* /var/log/mail
#------------------

> HTH
>
Thanks, but no new clue :*)
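What a LOG rule like the telnet snippet above emits is the --log-prefix text followed by netfilter's KEY=VALUE fields (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, ...) with bare flag tokens such as DF and SYN mixed in; the same message shows up raw in the kernel ring buffer via dmesg and, when it reaches syslogd, behind a "<timestamp> <host> kernel:" header. The following Python is an added example, not code from this thread: it parses both forms and tallies "(DROP TELNET)" hits per source. The sample lines, the host name "worker", the venet0 interface and the addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample input (not taken from the thread): one raw ring-buffer
# line, two lines as syslogd would write them, and an unrelated kernel line.
SAMPLE_LINES = [
    "(DROP TELNET) IN=venet0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=51 ID=4242 DF PROTO=TCP SPT=51022 DPT=23 WINDOW=5840 "
    "RES=0x00 SYN URGP=0",
    "Apr 11 09:40:01 worker kernel: (DROP TELNET) IN=venet0 OUT= SRC=203.0.113.9 "
    "DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4243 DF PROTO=TCP "
    "SPT=51023 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Apr 11 09:41:17 worker kernel: (DROP TELNET) IN=venet0 OUT= SRC=192.0.2.44 "
    "DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP "
    "SPT=6000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Apr 11 09:42:00 worker kernel: eth0: link up",
]

# Optional dmesg "[seconds]" stamp, optional syslog "<timestamp> <host> kernel:"
# header, then the --log-prefix text, then the netfilter fields, which always
# begin with IN=.
LOG_LINE = re.compile(
    r"^(?:\[\s*\d+\.\d+\]\s*)?(?:.*?\bkernel:\s*)?(?P<prefix>.*?)\s*(?P<fields>IN=.*)$"
)


def parse_log_line(line):
    """Return {'prefix', 'fields', 'flags'} for a netfilter LOG line, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value      # KEY=VALUE; VALUE may be empty, e.g. "OUT="
        else:
            flags.add(token)         # bare tokens such as DF, SYN, ACK, RST
    return {"prefix": m.group("prefix").strip(), "fields": fields, "flags": flags}


def tally_by_source(lines, prefix):
    """Count LOG entries carrying `prefix`, keyed by (SRC, PROTO, DPT)."""
    hits = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["prefix"] != prefix:
            continue
        f = rec["fields"]
        hits[(f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return hits


if __name__ == "__main__":
    for key, n in tally_by_source(SAMPLE_LINES, "(DROP TELNET)").most_common():
        print(n, *key)
```

Matching on the exact prefix is what makes a unique --log-prefix worth having: the same parser can be pointed at dmesg output while chasing a problem like this one, and at the syslog file once the messages arrive there.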

William Hunt

Apr 11, 2010, 11:37:25 AM
On Sun, 11 Apr 2010, John K. Herreshoff wrote:
> William Hunt wrote:
[...]

>> Nothing shows in /var/log/syslog.
>> /etc/syslog.conf is: "*.*;mail.none; /var/log/syslog"
>> Other apps correctly write syslog, example: logger, imapd, sshd, ...
[...]

>
> Mine shows up in messages. Did you check that?
> John.

As noted in the OP, I use a very simple /etc/syslog.conf. In full:
#---------------
*.*;mail.none; /var/log/syslog
mail.* /var/log/mail
#---------------

Thus, everything goes to /var/log/syslog, except facility mail.
Just to be pedantic, I also looked in /var/log/mail: not there, good.
But the messages do spill out of /proc/kmsg and /sbin/dmesg.

Any clue?

William Hunt

Apr 11, 2010, 11:53:09 AM
On Sun, 11 Apr 2010, Roger Maynard, masquerading as Lew Pitcher wrote:
> Warning:
> Lew Pitcher, who posts to this newsgroup, is a domain thief.
> Read the full story at http://www.roger.maynard.is.an.idiot.ca

Everyone already knows the full story:
Lew is a good guy and RM is a liar & an f* head case.
No Clue there. oh well.

Grant

Apr 11, 2010, 4:25:41 PM
On Sun, 11 Apr 2010 06:48:13 -0700, William Hunt <w...@prv8.net> wrote:

>Hi, All:
>
>I have a slackware-12.2 VPS installed under OpenVZ (@ChainHost.com).
>
>iptables -j LOG rules load correctly.
>iptables -L shows counts correctly accumulating.
>/sbin/dmesg shows LOG messages are correctly generated.
>Nothing shows in /var/log/syslog.
>/etc/syslog.conf is: "*.*;mail.none; /var/log/syslog"
>Other apps correctly write syslog, example: logger, imapd, sshd, ...
>
>Any clues?

What log-level are you using? In my firewall.conf I have:

# firewall logging
# `````````````````
# set log_level, see 'man syslog.conf' for details
#
log_level info # -> /var/log/messages
#

In the rc.firewall script, I have:
...
# use log level from configuration file, build log target shortcut 'macro'
do_log="LOG --log-level $log_level --log-prefix "
...
iptables -A serv_inp -p tcp --dport $port \
-j $do_log "JLE:inp:okay $name "
...

Grant.
--
http://bugs.id.au/

Grant

Apr 11, 2010, 4:29:21 PM
On Sun, 11 Apr 2010 08:53:09 -0700, William Hunt <w...@prv8.net> wrote:

>On Sun, 11 Apr 2010, Roger Maynard, masquerading as Lew Pitcher wrote:
>> Warning:
>> Lew Pitcher, who posts to this newsgroup, is a domain thief.
>> Read the full story at http://www.roger.maynard.is.an.idiot.ca
>
>Everyone already knows the full story:
>Lew is a good guy and RM is a liar & an f* head case.
>No Clue there. oh well.

Not even the odd funny post these daze, did rm take ECT option?

Grant.
--
http://bugs.id.au/

Lew Pitcher

Apr 11, 2010, 4:37:54 PM

Perhaps RM is having problems in his new line of work; he /claims/ to be a
taxi driver, according to the LinkedIn link he sent to me. Of course,
RM /claims/ a lot of things, most of which are (at the very least) untrue.

buck

Apr 12, 2010, 12:59:05 PM
William Hunt <w...@prv8.net> wrote in
news:Pine.LNX.4.64.10...@worker.prv8.net:

> *.*;mail.none; /var/log/syslog

try setting
kern.=info /var/log/iptables
and restarting syslogd just to see what happens?
--
buck
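Lew's reading of the Slackware `*.info;*.!warn` rule, Grant's `--log-level` setting and buck's `kern.=info` suggestion all turn on how sysklogd evaluates a selector: each `facility.priority` field sets a per-facility set of priorities (a plain priority means that level and everything more severe, `=` means exactly that level, `!` removes that level and everything more severe, `none` clears the facility), and fields later on the same line override earlier ones. Netfilter's LOG target writes at kern.warning unless `--log-level` says otherwise. The evaluator below is an added example, not code from this thread or from sysklogd; it applies those rules to the three configurations quoted so far and reports where kern.warning and kern.info would land. It handles only the syntax that appears on this page and treats the action column as an opaque string.

```python
import re

# sysklogd priority order, most to least severe; a plain "facility.pri" selector
# means "pri and everything more severe", i.e. this index and everything before it.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "mark", "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]

# The three configurations quoted in this thread. Lew's is only part of the file.
LEW_EXCERPT = """\
# Log anything 'info' or higher, but lower than 'warn'.
# Exclude authpriv, cron, mail, and news. These are logged elsewhere.
*.info;*.!warn;\\
authpriv.none;cron.none;mail.none;news.none -/var/log/messages
"""
WILLIAM_CONF = """\
*.*;mail.none; /var/log/syslog
mail.* /var/log/mail
"""
BUCK_LINE = "kern.=info /var/log/iptables\n"


def pri_index(name):
    return PRIORITIES.index(ALIASES.get(name, name))


def parse_syslog_conf(text):
    """(selector, action) pairs: joins backslash continuations, drops comments
    and blank lines, strips the leading '-' that marks an unsynced file."""
    rules = []
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            rules.append((parts[0], parts[1].strip().lstrip("-")))
    return rules


def selector_mask(selector):
    """Per-facility set of matching priority indexes for one selector column,
    applying its ';'-separated parts in order so later parts override earlier ones."""
    mask = {f: set() for f in FACILITIES}
    for part in selector.split(";"):
        part = part.strip()
        if not part:                     # tolerate a trailing ';' as in "*.*;mail.none;"
            continue
        facs, _, pri = part.rpartition(".")
        ignore = pri.startswith("!")     # "!pri": remove pri and everything more severe
        pri = pri.lstrip("!")
        exact = pri.startswith("=")      # "=pri": exactly this priority
        pri = pri.lstrip("=")
        if pri == "*":
            wanted = set(range(len(PRIORITIES)))
        elif pri == "none":
            wanted = set()
        elif exact:
            wanted = {pri_index(pri)}
        else:
            wanted = set(range(pri_index(pri) + 1))
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            current = mask.setdefault(fac, set())
            if pri == "none":
                mask[fac] = set()
            elif ignore:
                mask[fac] = current - wanted
            else:
                mask[fac] = current | wanted
    return mask


def destinations(conf_text, facility, priority):
    """Actions that receive a facility.priority message under this configuration."""
    p = pri_index(priority)
    return [action for selector, action in parse_syslog_conf(conf_text)
            if p in selector_mask(selector).get(facility, set())]


if __name__ == "__main__":
    for name, conf in (("Lew", LEW_EXCERPT), ("William", WILLIAM_CONF), ("buck", BUCK_LINE)):
        for pri in ("warning", "info"):
            print(f"{name:8s} kern.{pri:8s} -> {destinations(conf, 'kern', pri)}")
```

Under William's `*.*;mail.none;` every kernel priority lands in /var/log/syslog, so the routing is not where his messages are lost; under the quoted Slackware lines only kern.notice and kern.info reach /var/log/messages, and `kern.=info` catches only LOG rules that set `--log-level info`. An empty result for Lew's excerpt means nothing more than "not routed by the lines quoted", since the rest of the default file is not on this page.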

William Hunt

Apr 12, 2010, 2:04:08 PM
On Mon, 12 Apr 2010, buck wrote:
> William Hunt <w...@prv8.net> wrote in
>
>> *.*;mail.none; /var/log/syslog
>
> try setting
> kern.=info /var/log/iptables
> and restarting syslogd just to see what happens?
> --
> buck

Okay, tried that now, too.
But still nothing shows in this new /var/log/iptables.

Symptoms remain unchanged, LOG messages flow out of
/proc/kmsg just fine, shown by dmesg just fine, but
nada thru syslogd, not so good.

Any clues?


I -suspect- the key diagnostic clue given in the OP is 'OpenVZ' ...
i.e., kernel boogered by host provider. I found this
disturbing little factoid in /proc/version:
#------------
Linux version 2.6.18-164.2.1.el5.028stab066.10 (root@rhel5-64-build) (gcc version 4.1.2 20070626 (Red Hat 4.1.2-14)) #1 SMP Sat Dec 12 18:52:53 MSK 2009
#------------

This does not give confidence to one raised into the Light
of Slackware.
I smell kernel patch hell.

buck

Apr 13, 2010, 3:01:49 AM
William Hunt <w...@prv8.net> wrote in
news:Pine.LNX.4.64.10...@worker.prv8.net:

> On Mon, 12 Apr 2010, buck wrote:
>> William Hunt <w...@prv8.net> wrote in
>>
>>> *.*;mail.none; /var/log/syslog
>>
>> try setting
>> kern.=info /var/log/iptables
>> and restarting syslogd just to see what happens?
>> --
>> buck
>
> Okay, tried that now, too.
> But still nothing shows in this new /var/log/iptables.
>
> Symptoms remain unchanged, LOG messages flow out of
> /proc/kmsg just fine, shown by dmesg just fine, but
> but nada thru syslogd, not so good.

You have proven that iptables is not the culprit because the messages
appear as stated.

> Any clues ?

syslogd must also be OK because you're getting other logs.



> I -suspect- the key diagnostic clue given in the OP is 'OpenVZ' ...
> i.e., kernel boogered by host provider. I found this
> disturbing little factoid in /proc/version:
> #------------
> Linux version 2.6.18-164.2.1.el5.028stab066.10 (root@rhel5-64-build)
> (gcc version 4.1.2 20070626 (Red Hat 4.1.2-14)) #1 SMP Sat Dec 12
> 18:52:53 MSK 2009 #------------

Although I can't imagine what could have been done to the kernel that
would specifically muck with iptables logging, you've eliminated
iptables and syslog/klog as the Bad Boy. So the problem is somewhere
else. Just _where_ else may or may not be the kernel, but I guess it
is a logical next step for troubleshooting if you're determined to get
the logging working. I don't envy you.
--
buck

buck

Apr 13, 2010, 3:16:41 AM
buck <bu...@private.mil> wrote in news:hq14s...@news1.newsguy.com:

> you've eliminated
> iptables and syslog/klog as the Bad Boy.

I take that back. Are you sure klogd is running and correctly started?
--
buck

Eef Hartman

Apr 13, 2010, 4:20:04 AM
William Hunt <w...@prv8.net> wrote:
> Linux version 2.6.18-164.2.1.el5.028stab066.10 (root@rhel5-64-build)

As you can see, that is a reasonably recent (though some patches out of
date) Red Hat Enterprise Linux (or CentOS) 5.4 kernel (the current version
is 2.6.18-164.15.1.el5 - note the higher number after the 164).
The .el5 means Enterprise Linux 5; the numbers between the - and
that are the Red Hat internal revision/build numbers.

That one _is_ still a 2.6.18 kernel, but with lots of security and
bugfix patches BACKported from higher versioned (newer) kernel releases,
so its source doesn't have too much to do anymore with a plain vanilla
2.6.18 kernel (or any higher version).
--
*******************************************************************
** Eef Hartman, Delft University of Technology, dept. SSC/ICT **
** e-mail: E.J.M....@tudelft.nl - phone: +31-15-278 82525 **
*******************************************************************

William Hunt

Apr 13, 2010, 1:53:04 PM
On Tue, 13 Apr 2010, Eef Hartman wrote:
> William Hunt <w...@prv8.net> wrote:
>> Linux version 2.6.18-164.2.1.el5.028stab066.10 (root@rhel5-64-build)
> As you can see that is a reasonably (though some patches out-of-date)
> recent Red Hat Enterprise Linux (cq CentOS) 5.4 kernel (current version
[...]

SOLVED!

My hunch was wrong - the problem had nothing to do with
the RH patched kernel after all.

Problem was caused by /etc/rc.d/rc.syslog having comments disabling
klogd. Removing the comments and restarting rc.syslog re-enabled
klogd and now the iptables "-j LOG" messages correctly appear in
logfiles according to /etc/syslog.conf.


Solution thanks to VPS host provider's support.

Thanks to all from AOLS who offered me their good help.

William Hunt

Apr 13, 2010, 3:45:41 PM

BINGO!
Thanks much buck, that was the problem exactly.

support at host provider gave me that solution just a bit before
you did. klogd (and SMP) startup was commented out of rc.syslog ....
dunno why. I assume now that my rc.syslog was not vanilla -12.2
as I thought, and no vanilla -12.2 here to compare against.
So I still wonder why. But it's working now.

Thanks!
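The resolution above is the whole pipeline in one line: with sysklogd, kernel messages (netfilter LOG among them) sit in the ring buffer, where dmesg reads them, until klogd pulls them out and hands them to syslogd. If rc.syslog never starts klogd, every userspace logger still works and only kernel messages go missing, which is exactly the symptom this thread opened with. The following Python is an added example, not code from the thread or from Slackware: it checks an rc.syslog-style script for a klogd start line that has been commented out, and looks for a running klogd by scanning /proc. The rc.syslog fragment is constructed for the example and is not the real Slackware 12.2 file.

```python
import os
import re

# Constructed rc.syslog-style fragment (not the real Slackware 12.2 file): the
# syslogd start is live but the klogd start has been commented out.
BROKEN_RC_SYSLOG = """\
syslogd_start() {
  if [ -x /usr/sbin/syslogd -a -x /usr/sbin/klogd ]; then
    echo -n "Starting sysklogd daemons:  /usr/sbin/syslogd "
    /usr/sbin/syslogd
    sleep 1
    # /usr/sbin/klogd -c 3 -x
  fi
}
"""

# A line that launches klogd: optional leading '#', optional directory, then the
# program name as a whole word. Lines that merely mention klogd inside a test or
# an echo do not begin with it and are not matched.
KLOGD_START = re.compile(r"^(?P<comment>\s*#\s*)?\s*(?:/usr/sbin/|/sbin/)?klogd\b")


def klogd_start_state(rc_text):
    """'active' if any line starts klogd uncommented, 'commented' if every klogd
    start line sits behind '#', 'absent' if the script never starts it."""
    states = set()
    for line in rc_text.splitlines():
        m = KLOGD_START.match(line)
        if m:
            states.add("commented" if m.group("comment") else "active")
    if "active" in states:
        return "active"
    return "commented" if states else "absent"


def klogd_running():
    """True if a process named klogd exists, taken from the (comm) field of
    /proc/PID/stat, which exists on kernels as old as the 2.6.18 in this thread."""
    if not os.path.isdir("/proc"):
        return False
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/stat") as fh:
                stat = fh.read()
        except OSError:
            continue                 # the process exited between listdir and open
        comm = stat[stat.index("(") + 1:stat.rindex(")")]
        if comm == "klogd":
            return True
    return False


if __name__ == "__main__":
    print("rc.syslog klogd start line:", klogd_start_state(BROKEN_RC_SYSLOG))
    print("klogd process running:", klogd_running())
```

A script reporting "commented" together with a running klogd means someone started it by hand and it will not survive a reboot; "active" with no process means it failed to start. On systems that log kernel messages through rsyslog's imklog or journald there is no klogd to look for, so this check applies to sysklogd setups like the one in the thread.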

Lew Pitcher

Apr 26, 2010, 10:52:55 PM
Lew Pitcher <lpit...@teksavvy.com> trolled:

Warning:

Lew Pitcher, who posts to this newsgroup, is a domain thief.

Read the full story at http://www.lewpitcher.ca
