Stephen Gran on 8 Mar 2008 16:15:56 -0800



Re: [PLUG] Syslog Question


On Sat, Mar 08, 2008 at 05:19:10PM -0500, Brian Vagnoni said:
> Thanks Steven;
> 
> I'm testing out Manage Engines Firewall Analyzer. It takes syslog
> input from my Sonicwall firewall. I just want to make sure that it is
> getting all of the correct information.

Ok, that is much clearer, thanks.  I am assuming that this means that
the sonicwall either writes a log that this thing reads, or the
sonicwall sends (via rsyslog) to the machine where that thing is?

If so, and what you are interested in capturing is firewall messages,
look at how they are logged and make sure the sonicwall is configured
appropriately.  Assuming the sonicwall is linux-a-like, log levels
are defined in /usr/src/linux-headers-2.6.22-3/include/linux/kernel.h,
and are:

#define KERN_EMERG      "<0>"   /* system is unusable                */
#define KERN_ALERT      "<1>"   /* action must be taken immediately  */
#define KERN_CRIT       "<2>"   /* critical conditions               */
#define KERN_ERR        "<3>"   /* error conditions                  */
#define KERN_WARNING    "<4>"   /* warning conditions                */
#define KERN_NOTICE     "<5>"   /* normal but significant condition  */
#define KERN_INFO       "<6>"   /* informational                     */
#define KERN_DEBUG      "<7>"   /* debug-level messages              */

Which unsurprisingly correspond to the syslog priorities.  klogd will
read messages from the kernel of the form
<n>message

and send them to syslog with facility kernel, priority n.

Given this:
static struct nf_loginfo default_loginfo = {
        .type   = NF_LOG_TYPE_LOG,
        .u = {
                .log = {
                        .level    = 0,
                        .logflags = NF_LOG_MASK,
                },
        },
};

it appears that netfilter logs at priority 0 by default, which seems a
bit extreme for my tastes.  So the short answer is: I don't think you
can miss firewall logs unless you try fairly hard.
-- 
 --------------------------------------------------------------------------
|  Stephen Gran                  | Misuse may cause suffocation.           |
|  steve@lobefin.net             |                                         |
|  http://www.lobefin.net/~steve |                                         |
 --------------------------------------------------------------------------


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
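The mapping the mail describes (a kernel `<n>` prefix becoming syslog facility kern, priority n, and a syslog selector keeping everything at that severity or worse) is small enough to check mechanically. The following is an added example, not code from the mail, the kernel, klogd or the SonicWall: it derives the severity klogd would assign to a `<n>message` line, builds and decodes the RFC 3164 PRI value (facility * 8 + severity), and tests whether a `kern.<level>` selector would keep a netfilter message logged at level 0. The sample log lines are constructed, and the fallback level for an unprefixed line (4, KERN_WARNING, the 2.6 kernel's default_message_loglevel) is an assumption of this example.

```python
"""Added example: kernel printk levels vs. syslog priorities.

Not from the original mail. Shows how a '<n>message' kernel line maps to
a syslog facility/severity and whether a syslog.conf selector keeps it.
"""
import re

# Levels from include/linux/kernel.h; the numbers are the syslog severities.
KERN_LEVELS = {
    0: "emerg", 1: "alert", 2: "crit", 3: "err",
    4: "warning", 5: "notice", 6: "info", 7: "debug",
}
NAME_TO_LEVEL = {name: num for num, name in KERN_LEVELS.items()}

FACILITY_KERN = 0          # syslog facility code for "kern"
DEFAULT_MESSAGE_LOGLEVEL = 4  # assumption: 2.6 kernel default for unprefixed lines

_PRINTK_PREFIX = re.compile(r"^<(\d+)>(.*)$", re.DOTALL)


def klogd_priority(kmsg, default_level=DEFAULT_MESSAGE_LOGLEVEL):
    """Return (severity, message) for a kernel log line.

    A leading '<n>' with 0 <= n <= 7 is consumed as the severity; anything
    else is passed through at default_level.
    """
    m = _PRINTK_PREFIX.match(kmsg)
    if m and int(m.group(1)) <= 7:
        return int(m.group(1)), m.group(2)
    return default_level, kmsg


def to_syslog_pri(severity, facility=FACILITY_KERN):
    """RFC 3164 PRI: facility * 8 + severity (kern.emerg is PRI 0)."""
    return facility * 8 + severity


def decode_pri(pri):
    """Split a PRI value back into (facility, severity)."""
    return pri >> 3, pri & 7


def selector_matches(severity, threshold_name):
    """Emulate a syslog.conf 'kern.<threshold>' selector.

    Syslog selectors keep messages at the named severity or MORE severe,
    which is numerically less-than-or-equal (0 = emerg is the most severe).
    """
    return severity <= NAME_TO_LEVEL[threshold_name]


def would_capture(kmsg, threshold_name):
    """True if a 'kern.<threshold_name>' selector would log this kernel line."""
    severity, _ = klogd_priority(kmsg)
    return selector_matches(severity, threshold_name)


def describe(kmsg):
    """Render the facility.severity tag syslog would attach to a kernel line."""
    severity, _ = klogd_priority(kmsg)
    return "kern.%s" % KERN_LEVELS[severity]


# Constructed sample lines, in the shape netfilter LOG output takes.
NETFILTER_DEFAULT = "<0>IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=4444 DPT=22"
NETFILTER_WARNING = "<4>IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=UDP SPT=53 DPT=53"
UNPREFIXED = "eth0: link up"

if __name__ == "__main__":
    for line in (NETFILTER_DEFAULT, NETFILTER_WARNING, UNPREFIXED):
        print("%-12s PRI=%d  kern.warning keeps it: %s"
              % (describe(line), to_syslog_pri(klogd_priority(line)[0]),
                 would_capture(line, "warning")))
```

The point the mail makes falls out of `would_capture`: a netfilter line logged at level 0 survives every `kern.*` selector down to `kern.emerg`, so a collector that drops it is filtering on something other than priority.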