I installed the package "syslog-ng", replacing the package "sysklogd". After this, my kernel logs (including my "iptables" logs) no longer went to /var/log/{kern,debug,messages}, or any other file in /var/log. Syslog-ng would log the usual daemon messages. After spending 5 hours altering the new /etc/syslog-ng/syslog-ng.conf, I saw that my Debian Linux needed only a reboot [aka Windows]. Actually, I didn't reboot; I ran

    /etc/rc2.d/S10syslog-ng stop
    /etc/rc2.d/S11klogd stop
    /etc/rc2.d/S10syslog-ng start
    /etc/rc2.d/S11klogd start
Normally, one would restart these in /etc/init.d, which I had been futilely doing, but the start order seemed necessary from /etc/rc2.d. The two packages syslog-ng [or sysklogd] and klogd, as the documentation says, work closely with each other. The package klogd sends kernel logs (including my wanted iptables firewall logs) to the syslog daemon.

As long as I have the pulpit, I'll comment on syslog-ng a little more, and elucidate some documentation. In several ways, syslog-ng eases my logging.

a. My firewall messages cluttered my /var/log files almost to uselessness. Since my firewall rules logged with options like

    -j LOG --log-level info --log-prefix "FIREWALL"

then every syslog message included the string "FIREWALL". Knowing this, I added three lines to /etc/syslog-ng/syslog-ng.conf, including

    filter f_firewall { match("FIREWALL"); };

With the following additional lines,

    destination firewall { file("/var/log/firewall.log"
        owner("root") group("adm") perm(0640)); };
    log { source(src); filter(f_firewall); destination(firewall);
        flags(final); };

all my iptables "FIREWALL" logging went to the file /var/log/firewall.log. Notice the "flags(final)", which prevents looking at further "log" rules for an incoming matched message [after looking at the syslog-ng documentation cross-eyed, one finally sees how to write this option]. My iptables firewall logs now go to ONLY one file---wonderful.

b. Before, syslog messages were repeated across several files in /etc/log/. While this helps the administrator see logs several ways, including time-sequenced messages in /var/log/syslog, many of my log files became unusable, having over 1 million lines after 1 week's logging. Using many "flags(final)" as above, I need see no duplicate log messages.
Additional comment: One default configuration line had

    source src { unix-dgram("/dev/log"); internal(); };

The syslog-ng documentation in /usr/share/doc/syslog-ng/sgml/syslog-ng.ps.gz said Linux uses SOCK_STREAM while BSD operating systems use SOCK_DGRAM, which led me to wrongly attempt changing this line to "unix-stream", as several other people on the web also attempted. Additionally, the syslog-ng documentation didn't tell if the above "source" entry represented

    unix-dgram AND internal
    unix-dgram OR internal

It represents the latter: logs coming from either unix-dgram OR internal. This "internal()" was necessary to get kernel logs processed by syslog-ng. This syslog-ng package is Linux-candy.

-- 
Jameson C. Burt, NJ9L
Fairfax, Virginia, USA
http://www.coost.com
(202) 690-0380 (work)
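As an added illustration (not part of the post above, and not the poster's own file), here is a minimal /etc/syslog-ng/syslog-ng.conf that puts the pieces the post describes together: the single source, the "FIREWALL" filter, the dedicated destination, and a chain of log statements with flags(final) so each message lands in one file. It assumes, as the post does, that klogd forwards kernel messages into /dev/log so iptables lines arrive on the same source as everything else. The facility(kern) filter, the auth.log destination and the catch-all statement are additions of this example, not something the post mentions; file names other than /var/log/firewall.log are illustrative.

```conf
# Added example, not from the post. Minimal syslog-ng.conf in the syntax
# the post uses. Assumes klogd delivers kernel messages into /dev/log.

# Single source: the local syslog socket plus syslog-ng's own messages.
source src { unix-dgram("/dev/log"); internal(); };

# Filters. "FIREWALL" is the --log-prefix given to the iptables LOG rules.
# match() is a regular expression over the message text, so on its own it
# would also catch an unrelated daemon message that happens to contain the
# word FIREWALL; AND-ing it with facility(kern) restricts the rule to lines
# that originated in the kernel (an addition of this example).
filter f_firewall { facility(kern) and match("FIREWALL"); };
filter f_kern     { facility(kern); };
filter f_auth     { facility(auth, authpriv); };

# Destinations. Keep the firewall log readable only by root and group adm.
destination firewall { file("/var/log/firewall.log" owner("root") group("adm") perm(0640)); };
destination kern     { file("/var/log/kern.log"); };
destination auth     { file("/var/log/auth.log" perm(0640)); };
destination syslog   { file("/var/log/syslog"); };

# Weak setup: without flags(final) a FIREWALL line matches this statement and
# then falls through to the kern.log and syslog statements below as well,
# which is exactly the duplication the post complains about.
# log { source(src); filter(f_firewall); destination(firewall); };

# Corrected: flags(final) stops evaluation of later log statements for any
# message this statement matched, so a FIREWALL line is written only to
# firewall.log. Order matters: the most specific statement must come first,
# because a FIREWALL line also satisfies f_kern.
log { source(src); filter(f_firewall); destination(firewall); flags(final); };
log { source(src); filter(f_kern);     destination(kern);     flags(final); };
log { source(src); filter(f_auth);     destination(auth);     flags(final); };

# Catch-all for everything no earlier statement claimed. Placed last on
# purpose; with flags(final) above it, it never sees firewall or kernel lines.
log { source(src); destination(syslog); };
```

After changing the file, restart syslog-ng and klogd in the order the post found necessary and confirm with a single iptables LOG hit that the line appears in /var/log/firewall.log and in none of the other files.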