Stephen Gran on 8 Mar 2008 16:15:56 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Syslog Question

On Sat, Mar 08, 2008 at 05:19:10PM -0500, Brian Vagnoni said:
> Thanks Steven;
> I'm testing out Manage Engines Firewall Analyzer. It takes syslog
> input from my Sonicwall firewall. I just want to make sure that it is
> getting the all of the correct information.

Ok, that is much clearer, thanks.  I am assuming that this means that
the sonicwall either writes a log that this thing reads, or the
sonicwall sends (via rsyslog) to the machine where that thing is?

If so, and what you are interested in capturing is firewall messages,
look at how they are logged and make sure the sonicwall is configured
appropriately.  Assuming the sonicwall is linux-a-like, log levels
are defined in /usr/src/linux-headers-2.6.22-3/include/linux/kernel.h,
and are:

#define KERN_EMERG      "<0>"   /* system is unusable                */
#define KERN_ALERT      "<1>"   /* action must be taken immediately  */
#define KERN_CRIT       "<2>"   /* critical conditions               */
#define KERN_ERR        "<3>"   /* error conditions                  */
#define KERN_WARNING    "<4>"   /* warning conditions                */
#define KERN_NOTICE     "<5>"   /* normal but significant condition  */
#define KERN_INFO       "<6>"   /* informational                     */
#define KERN_DEBUG      "<7>"   /* debug-level messages              */

Which unsurprisingly correspond to the syslog priorities.  klogd will 
read messages from the kernel of the form 

and send them to syslog with facility kernel, priority n.

Given this:
static struct nf_loginfo default_loginfo = {
        .type   = NF_LOG_TYPE_LOG,
        .u = {
                .log = {
                        .level    = 0,
                        .logflags = NF_LOG_MASK,

it appears that netfilter logs at priority 0 by default, whic seems a
bit extreme for my tastes.  So the short answer is: I don't think you
can miss firewall logs unless you try fairly hard.
|  Stephen Gran                  | Misuse may cause suffocation.           |
|             |                                         |
| |                                         |

Attachment: signature.asc
Description: Digital signature

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --