Julien Vehent on 31 Jan 2011 13:24:06 -0800



Re: [PLUG] iptables question


On 01/31/2011 03:23 PM, Robert Spangler wrote:
On Monday 31 January 2011 14:57, you wrote:

  On 1/31/2011 2:16 PM, Robert Spangler wrote:
  >  While logging is good thing, too much logging is a nightmare.  For the
  >  simple reason you fill up your logs with information that is useless and
  >  going over the logs is a task because you have too much useless
  >  information in them. What do you care if someone is trying to log into
  >  port(s) you don't have open?

  I'm confused what you mean by 'open ports' - Do you mean something that
  has a service listening on it, or a port open in iptables?

You can have many programs listening on the system, this can be checked with
netstat, but open to me means open to the public.  In this case what is
allowed to pass through the firewall.


This is the eternal debate between what you should and should not log. Every sysadmin has a different answer :) I personally monitor bandwidth usage using graphs sorted per traffic type (tcgraph). If something is wrong, I investigate the logs, including the huge pile of netfilter logs, most of it being useless (that's what grep is for).

I've been wanting to write a parsing script for a while, to generate a rrd of the dropped packets (/connections). I'll do it someday.

  I pretty much don't log anything. Way too much garbage and 99% of the
  time there is a problem it's reproducible when I can watch it with
  tcpdump.

I have previous bad experiences with non-reproducible problems that I spent hours diagnosing, because the firewall logs were lost (48h retention). I prefer to have a few gigs dedicated to storing the logs, and a good logrotate policy.


Julien
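The kind of parsing script mentioned above, as an added example that is not from the thread's participants: it reads netfilter LOG lines (the `IPTABLES DROP:` prefix and the sample lines are constructed assumptions; the KEY=VALUE layout is what the kernel LOG target emits), keeps only the dropped packets, and counts them per destination port and per source so the useless bulk can be summarised instead of read.

```python
import re
from collections import Counter

# Constructed sample of syslog lines from a firewall host. The "IPTABLES DROP: "
# and "IPTABLES ACCEPT: " prefixes are assumed --log-prefix values; the
# IN=/SRC=/PROTO=/DPT= fields follow the kernel LOG target format.
SAMPLE_LOG = """\
Jan 31 13:24:06 fw kernel: IPTABLES DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=44444 DPT=22 SYN URGP=0
Jan 31 13:24:07 fw kernel: IPTABLES DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=44445 DPT=23 SYN URGP=0
Jan 31 13:24:09 fw kernel: IPTABLES DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=60 PROTO=UDP SPT=5060 DPT=5060 LEN=40
Jan 31 13:24:10 fw kernel: IPTABLES ACCEPT: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.7 LEN=52 PROTO=TCP SPT=50000 DPT=80 SYN URGP=0
Jan 31 13:24:11 fw kernel: IPTABLES DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 PROTO=TCP SPT=44446 DPT=22 SYN URGP=0
Jan 31 13:24:12 fw sshd[123]: Accepted publickey for julien from 192.0.2.20 port 50001
"""

# KEY=VALUE pairs as written by the LOG target; VALUE may be empty (e.g. "OUT=").
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return a dict of the KEY=VALUE fields of one netfilter LOG line, else None."""
    if "kernel:" not in line or " IN=" not in line:
        return None  # not a netfilter line (sshd, cron, ...): skip it
    # Whatever sits between "kernel:" and the first field is the --log-prefix.
    prefix = line.split("kernel:", 1)[1].split("IN=", 1)[0].strip()
    fields = dict(FIELD_RE.findall(line))
    fields["PREFIX"] = prefix
    return fields

def summarize_drops(text, prefix_marker="DROP"):
    """Count dropped packets per (PROTO, DPT) and per SRC address."""
    by_port, by_src = Counter(), Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f is None or prefix_marker not in f["PREFIX"]:
            continue  # accepted traffic or unrelated log lines are ignored
        by_port[(f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
        by_src[f.get("SRC", "?")] += 1
    return by_port, by_src

if __name__ == "__main__":
    ports, sources = summarize_drops(SAMPLE_LOG)
    for (proto, dpt), n in ports.most_common():
        print(f"{n:5d} drops  {proto}/{dpt}")
    for src, n in sources.most_common(5):
        print(f"{n:5d} drops  from {src}")
```

The per-port counters are what you would feed into an rrd update; reading `/var/log/kern.log` instead of `SAMPLE_LOG` is the only change needed on a real host.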
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug