  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 629

CentOS 5.6 iptables logging of port 110 to /var/log/110.log and logging of port 25 to /var/log/25.log

I am trying to get a box running CentOS 5.6 to log all connections to port 110 and 25 to separate logs in /var/log. I don't want to change any of the current logging already being done. I have found articles like:
http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-log-file.html
http://www.linuxquestions.org/questions/linux-security-4/iptables-logging-385165/
http://blog.shadypixel.com/log-iptables-messages-to-a-separate-file-with-rsyslog/
which point in the direction of where I want to go (especially #1). I need step-by-step:
1. vi /etc/aaa.config
2. add line bla bla bla
3. restart: /etc/init.d/bla restart
4. vi iptables
5. add bla bla bla     -- for logging port 110 connections to /var/log/110.log
6. add bla bla bla     -- for logging port 25 connections to /var/log/25.log

There should be some sort of log rotation for this also, a 7-day rotation.
This is at the bottom of one of the links and I think should work:

Configure iptables Log Rotation

Finally, since we’re logging to a new file, it’s useful to create a log rotation rule. Create a file /etc/logrotate.d/iptables with the following contents:

/var/log/iptables.log
{
      rotate 7
      daily
      missingok
      notifempty
      delaycompress
      compress
      postrotate
            invoke-rc.d rsyslog reload > /dev/null
      endscript
}

The preceding script tells logrotate to rotate the firewall log daily and keep logs from the past seven days.
0
1 Solution
 
noci (Software Engineer) commented:
The Linux kernel (and other tools) use the syslog mechanism to log issues.

You can select the facility & severity when you issue a log statement.
Any syslog server can discriminate per facility.severity to log files.

So as you found out, you need to configure iptables with the right info & syslog to drop it in a file.
Depending on what you have now, such detailed instructions could be written.

Maybe there is a better way. Try syslog-ng as the syslog of choice.

There you can create filters and attach a source through a filter to a destination.
The source can be the kernel log.
The filter can be a match string for DPT=110 and DPT=25 resp.
The output files can be made as you wish, or even with a date/time stamp in the name with renewal in syslog-ng. Or just drop them in a database, then you can select on all kinds of criteria...
0
 
farzanj commented:
There are many different ways of creating separate logging.

1. iptables, as you mentioned.
2. The service itself. For example, an SMTP program like sendmail or postfix may be configured to produce separate logs.
3. TCP wrappers can also be used to produce separate logging. It is easy to configure, but the daemon should support TCP wrappers.
4. xinetd, just like TCP wrappers.
0
 
knightdogs (Author) commented:
I need step-by-step:
1. vi /etc/aaa.config
2. add line bla bla bla
3. restart: /etc/init.d/bla restart
4. vi iptables
5. add bla bla bla     -- for logging port 110 connections to /var/log/110.log
6. add bla bla bla     -- for logging port 25 connections to /var/log/25.log

There should be some sort of log rotation for this also, a 7-day rotation.
This is at the bottom of one of the links and I think should work:

Configure iptables Log Rotation

Finally, since we’re logging to a new file, it’s useful to create a log rotation rule. Create a file /etc/logrotate.d/iptables with the following contents:

/var/log/iptables.log
{
      rotate 7
      daily
      missingok
      notifempty
      delaycompress
      compress
      postrotate
            invoke-rc.d rsyslog reload > /dev/null
      endscript
}

The preceding script tells logrotate to rotate the firewall log daily and keep logs from the past seven days.
0
 
noci (Software Engineer) commented:
Is this homework or what?
It really, really looks like it is.

If you know how to ask this, you can finish the task with the information given.

0
 
knightdogs (Author) commented:
No, this is not homework.
The things I'm up against are:
1. This is on a production server.
2. I have made changes before thinking they are "easy", only to find out I opened up the server to a huge footprint of vulnerabilities.
3. The article (#1) was done by "Vivek Gite on October 3, 2006". OSes change and procedures change very fast; what was done one way in 2006 might be totally wrong now.
4. Some of the examples I have looked at say
vi /etc/syslog.conf
Append following line
kern.warning /var/log/iptables.log

and others say
vi /etc/syslog.conf
Append following line
kern.=debug     /var/log/iptables.log

Which one is right? (Back to this being a production machine, so I can't just be guessing, changing stuff and hoping for the best...)

5. Is the logging part correct?

I am sorry it sounds like homework and really easy to you; to some of us the path down Linux is a little more rocky than others.
0
 
knightdogs (Author) commented:
I guess I could try to show my age...
Let me see if I can answer this from my BB...

(-;
0
 
farzanj commented:
What SMTP and POP daemons are you using?  Sendmail and Dovecot?
0
 
knightdogs (Author) commented:
postfix
0
 
noci (Software Engineer) commented:
Postfix is SMTP, what is the POP server?
0
 
noci (Software Engineer) commented:
OK, so you need to know more.
And you definitely need a test system (it can be run in a virtual machine).

3) A lot of software still works the same, but the manuals are mostly in man.

syslog has a few options (they can be found through: man 5 syslog.conf).

4) syslog config

[facility].[level]
facility is stuff like mail, kern... these are hardcoded names.
level can be *, X, =X or !X, where X = (debug, info, warn, err, crit)
X means that level and higher (so mentioning info yields info, warning, error & crit)
=X means exactly that level
!X means not that level.


Append the following line:
kern.warning /var/log/iptables.log              #- so log all kernel warnings, errors & criticals to iptables.log & flush
kern.=debug     /var/log/iptables.log          #- log kernel debug only to iptables.log

It depends on the iptables statements used.
man iptables, searching for the LOG target, yields:

   LOG
       Turn  on  kernel logging of matching packets.  When this option is set for a rule, the Linux kernel will
       print some information on all matching packets (like most IP header fields) via the kernel log (where
       it can be read with dmesg or syslogd(8)).  This is a "non-terminating target", i.e. rule traversal continues
       at the next rule.  So if you want to LOG the packets you refuse, use two separate rules with  the
       same matching criteria, first using target LOG then DROP (or REJECT).

       --log-level level
              Level of logging (numeric or see syslog.conf(5)).

The facility = kern by virtue of the kernel log buffer.
The level can be set. By selecting debug you can achieve logging using the debug level with --log-level debug on an iptables LOG statement (last line in item 4).

5) Easy? Well, not exactly... but in 30 years in ICT you tend to pick something up.
But even then, knowing & understanding what you intend to do is way more valuable than demanding some flawless installation script.
It's always good practice to back up a certain config file before you change it, so changes can be undone.
0
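An added worked example, not code from the thread or from any of the linked articles, that puts together the two threads of the discussion: noci's point that the LOG target feeds the kern facility at whatever level --log-level sets, and the content-filter approach (rsyslog here, syslog-ng as the first answer suggests). It assumes rsyslog is the running syslog daemon (on CentOS 5 it is a separate package; the stock sysklogd syslog.conf can only select on facility.priority, so neither kern.warning nor kern.=debug can split port 110 from port 25 into different files). The file names /var/log/110.log and /var/log/25.log, the prefixes "IPT-110: " and "IPT-25: ", the rate limits and the sample log lines are this example's own choices. It prints the configuration instead of applying it, so it can be reviewed on a test box first.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the three configuration
# pieces for per-port iptables logging on CentOS 5.x as text, so it runs
# without root and can be reviewed before anything touches a production box.
# Assumptions (this example's own choices): rsyslog is the running syslog
# daemon, log files /var/log/110.log and /var/log/25.log, the LOG prefixes
# "IPT-110: " and "IPT-25: ", and the rate limits below.

# 1. Rule lines for /etc/sysconfig/iptables. Insert each BEFORE the rule that
#    ACCEPTs the same port: LOG is non-terminating, so the packet still reaches
#    the ACCEPT. "--state NEW" logs one line per connection attempt instead of
#    every packet, and "-m limit" caps the rate so a SYN flood cannot fill
#    /var/log (a new log rule must not become a disk-filling DoS vector).
iptables_log_rules() {
    for port in 110 25; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -m limit --limit 30/min --limit-burst 60 -j LOG --log-prefix \"IPT-$port: \" --log-level info"
    done
}

# 2. Lines for /etc/rsyslog.conf, placed ABOVE the "*.info;..." line that feeds
#    /var/log/messages. rsyslog selects on message text; sysklogd only selects
#    on facility.priority (kern.info here, because the rules use --log-level
#    info). "& ~" discards the message after writing it so it is not also
#    written to /var/log/messages; drop those lines to keep a copy there too.
rsyslog_rules() {
    for port in 110 25; do
        printf ':msg, contains, "IPT-%s: "\t/var/log/%s.log\n& ~\n' "$port" "$port"
    done
}

# 2b. The same selection for syslog-ng (the alternative noci suggests), matching
#     on the LOG prefix rather than on DPT= so that a port number appearing in
#     SPT= can never match by accident.
syslogng_rules() {
    cat <<'EOF'
source s_kern { file("/proc/kmsg"); };
filter f_pop  { match("IPT-110: "); };
filter f_smtp { match("IPT-25: "); };
destination d_pop  { file("/var/log/110.log"); };
destination d_smtp { file("/var/log/25.log"); };
log { source(s_kern); filter(f_pop);  destination(d_pop); };
log { source(s_kern); filter(f_smtp); destination(d_smtp); };
EOF
}

# 3. /etc/logrotate.d/iptables-ports: daily, keep 7 days. CentOS has no
#    invoke-rc.d; HUP rsyslogd so it reopens the rotated files.
logrotate_conf() {
    cat <<'EOF'
/var/log/110.log /var/log/25.log {
    rotate 7
    daily
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
EOF
}

# The selection the rsyslog lines perform, as a shell function, so the prefixes
# can be checked against sample lines before the config goes live.
route_log_line() {
    case "$1" in
        *"IPT-110: "*) echo /var/log/110.log ;;
        *"IPT-25: "*)  echo /var/log/25.log ;;
        *)             echo /var/log/messages ;;
    esac
}

# Constructed sample lines in the format the LOG target produces (not real traffic).
SAMPLE_POP='Jan  7 10:15:02 mail kernel: IPT-110: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0'
SAMPLE_SMTP='Jan  7 10:15:03 mail kernel: IPT-25: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40211 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0'
SAMPLE_OTHER='Jan  7 10:15:04 mail kernel: eth0: link up'

if [ "${1:-}" = "show" ]; then
    echo '## /etc/sysconfig/iptables (before the ACCEPT for each port)'; iptables_log_rules
    echo '## /etc/rsyslog.conf (above the /var/log/messages line)'; rsyslog_rules
    echo '## /etc/logrotate.d/iptables-ports'; logrotate_conf
    for line in "$SAMPLE_POP" "$SAMPLE_SMTP" "$SAMPLE_OTHER"; do
        echo "$(route_log_line "$line") <- ${line#*kernel: }"
    done
fi
```

Run it with `sh script.sh show` to print the three fragments. After pasting them into place, `service iptables restart` loads the new rules and `service rsyslog restart` rereads rsyslog.conf; `iptables -L INPUT -n --line-numbers` confirms each LOG rule sits above the ACCEPT for its port, and a test connection from another host should produce one line in the right file. On the kern.warning versus kern.=debug question: with plain syslog.conf the selector simply has to match the --log-level on the rule, and the only way sysklogd can split the two ports is to give each rule a different level (say debug for 110 and info for 25) with kern.=debug and kern.=info selectors; that works but also captures every unrelated kernel message at those levels, which is why matching on a distinctive --log-prefix is the cleaner choice.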
 
noci (Software Engineer) commented:
Any more questions?
0
