Aaron Parecki

  • iptables not logging to syslog

    September 1, 2007

    I was scratching my head on this one for several hours before finally figuring out the solution which turned out to be ridiculously simple.

    I wanted to log all incoming tcp connections on port 25 and then drop them. I read through several guides on how to set up logging in iptables. (linuxgurus.com, linuxquestions.org)

    Seemed straightforward enough. Here are the rules I ended up with: (output from iptables-save)

    -A LOGDROP -p tcp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-level 7 --log-prefix "LOGDROP: "
    -A LOGDROP -j REJECT
    ...
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -j LOGDROP
    

    Any tcp connections to port 25 should get logged and rejected. You then need to decide what to do with the logged packets, which is where /etc/syslog.conf comes in. You need something like this in /etc/syslog.conf:

    kern.=debug     /var/log/firewall
    

    Note that there must be no spaces, only tabs, in that line. That line tells syslogd to write any kernel messages at exactly the "debug" level to the file /var/log/firewall. The --log-level 7 part of the iptables rule tells iptables to set the level of the message to "debug" (level 7). After changing syslog.conf, you need to restart the syslog daemon with /etc/init.d/syslog restart:

    [root@localhost ~]# /etc/init.d/syslog restart
    Shutting down kernel logger:                               [PASSED]
    Shutting down system logger:                               [  OK  ]
    Starting system logger:                                    [  OK  ]
    Starting kernel logger:                                    [PASSED]
    

    I hadn't seen [PASSED] show up there before, but I didn't think much of it at the time.

    The problem I was having was that there was nothing in the log file. I could see the packets being logged by running dmesg, but nothing went to the file.

    I opened up syslog's startup script, /etc/init.d/syslog, and examined the part where it is supposed to start klogd, the kernel logger. It was commented out, apparently by my VPS host. Here is a snippet of my startup script. The lines marked as added are the ones I put in; the commented out ones are what was originally there.

    start() {
            echo -n $"Starting system logger: "
            daemon syslogd $SYSLOGD_OPTIONS
            RETVAL=$?
            echo
            echo -n $"Starting kernel logger: "
            #passed klogd skipped #daemon klogd $KLOGD_OPTIONS
            daemon klogd $KLOGD_OPTIONS    # added (originally commented out, see line above)
            echo
            [ $RETVAL -eq 0 ] && touch /var/lock/subsys/syslog
            return $RETVAL
    }
    stop() {
            echo -n $"Shutting down kernel logger: "
            #passed klogd skipped #killproc klogd
            killproc klogd    # added (originally commented out, see line above)
            echo
            echo -n $"Shutting down system logger: "
            killproc syslogd
            RETVAL=$?
            echo
            [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/syslog
            return $RETVAL
    }
    

    According to some people here, it is not necessary to log kernel messages, and it significantly increases the loadavg. I have already been monitoring my loadavgs on my servers, so I'll wait a week and see if there is any significant change.

    Of course, now that I realize klogd wasn't even started, this whole thing seems pretty silly.
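    The script below is an added example, not part of the original post. It does two things the post implies but never shows: it summarizes the LOGDROP lines that end up in /var/log/firewall (count of rejected port 25 attempts per source address), and it checks each link of the logging chain described above (klogd running, the kern.=debug line in /etc/syslog.conf, the log file present) so that the "packets show up in dmesg but not in the file" failure is reported instead of silently swallowed. The sample log lines are constructed, using documentation address ranges; the field names (IN, SRC, DST, PROTO, DPT) are the ones the iptables LOG target emits. The function names and the check logic are my own.

```shell
#!/bin/sh
# Added example (not the post's own code): parse LOGDROP lines and verify the
# logging pipeline the post describes. Sample lines below are constructed.

# Constructed sample of what klogd/syslogd write to /var/log/firewall for a rule
# using --log-prefix "LOGDROP: ". The last line is an unrelated kernel message.
SAMPLE_LOG='Sep  1 13:10:22 localhost kernel: LOGDROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=43210 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  1 13:10:23 localhost kernel: LOGDROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=43211 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  1 13:11:05 localhost kernel: LOGDROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=50000 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  1 13:12:00 localhost kernel: eth0: link up'

# Print the value of one KEY=value field from a single log line (empty if absent).
# $1 = log line, $2 = field name (e.g. SRC, DPT)
logdrop_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Count rejected attempts per source address, only for lines carrying our prefix.
# Reads log text on stdin; prints "count SRC", highest count first.
logdrop_summary() {
    grep 'LOGDROP: ' | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { src = substr($i, 5); count[src]++ }
    } END { for (s in count) print count[s], s }' | sort -rn
}

# Mirror the post's diagnosis: every link must be in place before anything reaches
# /var/log/firewall. Returns 0 if all checks pass, otherwise 1 after naming what is
# missing. Paths are the ones used in the post.
check_logging_pipeline() {
    ok=0
    pgrep -x klogd >/dev/null 2>&1 \
        || { echo "klogd is not running: LOG output stays in dmesg only"; ok=1; }
    grep -q '^kern\.=debug[[:space:]][[:space:]]*/var/log/firewall' /etc/syslog.conf 2>/dev/null \
        || { echo "no kern.=debug line for /var/log/firewall in /etc/syslog.conf"; ok=1; }
    [ -f /var/log/firewall ] \
        || { echo "/var/log/firewall does not exist yet"; ok=1; }
    return $ok
}

# Usage: summarize the constructed sample, then run the pipeline checks.
printf '%s\n' "$SAMPLE_LOG" | logdrop_summary
check_logging_pipeline || echo "logging pipeline incomplete"
```

    On a real host you would feed /var/log/firewall to logdrop_summary instead of the sample; the pipeline check is the piece to run right after restarting syslog, since a missing klogd produces no error anywhere else.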

    Sat, Sep 1, 2007 1:10pm -07:00 #troubleshooting