Przeniesienie logow iptables do osobnego pliku.

[Matrixx]

Witam wszystkich.
Mam na Ubuntu 16.10 zainstalowane i dzialajace uslugi:
- iptables
- usluga nazywa sie: firewall service
- plik conf nazywa sie: iptables.sh
- rsyslog
- usluga to: rsyslog.service
- plik configu to: rsyslogd
Wszystko gra i buczy tylko mieszanie logow iptables z innymi logami w lokalizacjach:
- /var/log/syslog
-/var/log/korn.log
utrudnia analize.
Pytanie.
Jak przeniesc wylacznie logi iptables do innego pliku?
Pozdro.

Ps. Tymczasem plik iptables.log w lokalizacji /var/log/iptables.log jest pusty

[pawkrol]

Zainstaluj Ulog
lub
/etc/rsyslog.d/ipt.conf

Kod: Zaznacz cały

:msg, contains, "iptables: " /var/log/iptables.log
& ~

a w iptables np:

Kod: Zaznacz cały

iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.156.30 -m tcp -p tcp --dport 80 -j LOG --log-prefix "iptables: Forward ACCEPT: "

Ja polecam Uloga, bo on nie bruździ logami w dmesg.

[Matrixx]

Zeby nie zmieniac regol iptables, dalem:

Kod: Zaznacz cały

:msg, contains, "ipT4: " /var/log/iptables.log
& ~

nastepnie:

Kod: Zaznacz cały

systemctl restart rsyslog.service

usluga rsyslog status po zmianach:

Kod: Zaznacz cały

● rsyslog.service - System Logging Service
   Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2017-09-18 20:05:47 IST; 1min 14s ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 26403 (rsyslogd)
    Tasks: 4 (limit: 4915)
   Memory: 6.9M
      CPU: 12ms
   CGroup: /system.slice/rsyslog.service
           └─26403 /usr/sbin/rsyslogd -n

Sep 18 20:05:47 mike-desktop rsyslogd[26403]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.28.0.2576a4cdf49b try http://www.rsyslog.com/e/2307 ]
Sep 18 20:05:47 mike-desktop rsyslogd[26403]: rsyslogd's groupid changed to 108
Sep 18 20:05:47 mike-desktop rsyslogd[26403]: rsyslogd's userid changed to 104
Sep 18 20:05:47 mike-desktop rsyslogd[26403]:  [origin software="rsyslogd" swVersion="8.28.0.2576a4cdf49b" x-pid="26403" x-info="http://www.rsyslog.com"] start
Sep 18 20:05:47 mike-desktop rsyslogd[26403]: Could not open output pipe '/dev/xconsole':: No such file or directory [v8.28.0.2576a4cdf49b try http://www.rsyslog.com/e/2039 ]
Sep 18 20:05:47 mike-desktop rsyslogd[26403]: action 'action 8' suspended, next retry is Mon Sep 18 20:06:17 2017 [v8.28.0.2576a4cdf49b try http://www.rsyslog.com/e/2007 ]
Sep 18 20:06:02 mike-desktop rsyslogd[26403]: file '/var/log/firewall': open error: Permission denied [v8.28.0.2576a4cdf49b try http://www.rsyslog.com/e/2433 ]
Sep 18 20:06:02 mike-desktop rsyslogd[26403]: action 'action 12' resumed (module 'builtin:omfile') [v8.28.0.2576a4cdf49b try http://www.rsyslog.com/e/2359 ]
Sep 18 20:06:02 mike-desktop rsyslogd[26403]:  message repeated 8 times: [action 'action 12' resumed (module 'builtin:omfile') [v8.28.0.2576a4cdf49b try http://www.rsyslog.com/e/2359 ]]
Sep 18 20:06:02 mike-desktop rsyslogd[26403]: action 'action 12' suspended, next retry is Mon Sep 18 20:06:32 2017 [v8.28.0.2576a4cdf49b try http://www.rsyslog.com/e/2007 ]

Zaraz sprawdze czy zapisuje do pliku.

Zzuca logi do pliku: /var/log/syslog.
Plik: /var/log/iptables.log jest nadal pusty.

[pawkrol]

To zobacz czy w ogóle rsyslog includuje ten plik

/etc/rsyslog.conf

Kod: Zaznacz cały

$IncludeConfig /etc/rsyslog.d/*.conf

Plik musi być ładowany przed regułami
auth,authpriv.*/var/log/auth.log
.
.
.

[Matrixx]

Potwierdzam, /etc/rsyslog.conf includuje te konfiguracje:

Kod: Zaznacz cały

#  /etc/rsyslog.conf	Configuration file for rsyslog.
#
#			For more information see
#			/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

if $msg contains 'input1,iptables denied,output1,ipT:' then -/var/log/firewall

#if $msg contains 'input1' then -/var/log/firewall
#if $msg contains 'iptables denied' then -/var/log/firewall
#if $msg contains 'output1' then -/var/log/firewall
if $msg contains 'ipT4' then -/var/log/iptables.log

Przepraszam ale nie rozumiem:

Plik musi być ładowany przed regułami
auth,authpriv.*/var/log/auth.log

Co mam sprawdzic, zrobic?

Ps. Zastanawiam sie czy jezeli string "ipT4" w /etc/rsyslog.conf jest tylko czescia suffiksa uzytego w skrypcie konfiguracji regol iptables to wystarczy do
dzialania? Czy tez musi byc uzyty caly suffix?

Kod: Zaznacz cały

e:

#!/bin/sh

conntrack -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -F
iptables -X

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "ipT4 DROP INPUT: " 
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -m limit --limit 2/min -j LOG --log-prefix "ipT4 DROP INVALID IN: "
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP



iptables -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "ipT4 DROP INVALID FWD: "
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

iptables -I OUTPUT -m state -p tcp --state NEW -i eth0 -m limit --limit 1/m --limit-burst 1 -j LOG --log-uid --log-prefix "ipT4 Outbound Connection:  "
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 2/min -j LOG --log-prefix "ipT4 DROP INVALID OUT: "
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP




ip6tables -F
ip6tables -X
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

[pawkrol]

Nie musi być caly suffix. W regule masz contain czyli ma zawierać wyraz ipt4.

Jakie pliki masz w katalogu rsyslog.d?

[Matrixx]

Odrobilem lekcje.
https://unix.stackexchange.com/question ... slog-confi
Linia:

Kod: Zaznacz cały

auth,authpriv.*/var/log/auth.log 

nie istnieje w pliku:
/etc/rsyslog.conf

Kod: Zaznacz cały

  nano 2.6.3                                                                               File: /etc/rsyslog.conf                                                                                          

#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#                       For more information see
#                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

if $msg contains 'input1,iptables denied,output1,ipT4' then -/var/log/firewall

#if $msg contains 'input1' then -/var/log/firewall
#if $msg contains 'iptables denied' then -/var/log/firewall
#if $msg contains 'output1' then -/var/log/firewall
if $msg contains 'ipT4' then -/var/log/iptables.log

/etc/rsyslog.d/50-default.conf

Kod: Zaznacz cały

#  Default rules for rsyslog.
#
#			For more information see rsyslog.conf(5) and /etc/rsyslog.conf

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*			/var/log/auth.log
*.*;auth,authpriv.none		-/var/log/syslog
#cron.*				/var/log/cron.log
#daemon.*			-/var/log/daemon.log

#lpr.*				-/var/log/lpr.log
mail.*				-/var/log/mail.log
#user.*				-/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info			-/var/log/mail.info
#mail.warn			-/var/log/mail.warn
mail.err			/var/log/mail.err

#
# Logging for INN news system.
#
news.crit			/var/log/news/news.crit
news.err			/var/log/news/news.err
news.notice			-/var/log/news/news.notice

#
# Some "catch-all" log files.
#
#*.=debug;\
#	auth,authpriv.none;\
#	news.none;mail.none	-/var/log/debug
#*.=info;*.=notice;*.=warn;\
#	auth,authpriv.none;\
#	cron,daemon.none;\
#	mail,news.none		-/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                                :omusrmsg:*

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#	news.=crit;news.=err;news.=notice;\
#	*.=debug;*.=info;\
#	*.=notice;*.=warn	/dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
# 
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
	news.err;\
	*.=debug;*.=info;\
	*.=notice;*.=warn	|/dev/xconsole

/etc/rsyslog.d/ipt.conf

Kod: Zaznacz cały

:msg, contains, "ipT4: " /var/log/iptables.log
& ~

Wynik, caly czas loguje do /var/log/syslog

[pawkrol]

To przenieś te dwie linie co masz w pliku ipt.conf do pliku 50-default przed linie auth,priv...

I zakomemtuj w rsyslog.conf
if $msg contains...

[Matrixx]

Wykonane:

Kod: Zaznacz cały

#  Default rules for rsyslog.
#
#                       For more information see rsyslog.conf(5) and /etc/rsyslog.conf

#
# First some standard log files.  Log by facility.
#
:msg, contains, "ipT4: " /var/log/iptables.log
& ~
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
#daemon.*                       -/var/log/daemon.log

#lpr.*                          -/var/log/lpr.log
mail.*                          -/var/log/mail.log
#user.*                         -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info                      -/var/log/mail.info
#mail.warn                      -/var/log/mail.warn
mail.err                        /var/log/mail.err

#
# Logging for INN news system.
#
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice

#
# Some "catch-all" log files.
#
#*.=debug;\
#       auth,authpriv.none;\
#       news.none;mail.none     -/var/log/debug
#*.=info;*.=notice;*.=warn;\
#       auth,authpriv.none;\
#       cron,daemon.none;\
#       mail,news.none          -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                                :omusrmsg:*

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#       news.=crit;news.=err;news.=notice;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
        news.err;\
        *.=debug;*.=info;\
        *.=notice;*.=warn       |/dev/xconsole

Kod: Zaznacz cały

#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#                       For more information see
#                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

if $msg contains 'input1,iptables denied,output1,ipT4' then -/var/log/firewall

#if $msg contains 'input1' then -/var/log/firewall
#if $msg contains 'iptables denied' then -/var/log/firewall
#if $msg contains 'output1' then -/var/log/firewall
#if $msg contains 'ipT4' then -/var/log/iptables.log

Wywalilem

Kod: Zaznacz cały

rm /etc/rsyslog.d/ipt.conf

Zrestartowalem

Kod: Zaznacz cały

systemctl restart rsyslog.service

Wynik, caly czas loguje do /var/log/syslog

[Morfik]

Zamiast:

Kod: Zaznacz cały

:msg, contains, "ipT4: " /var/log/iptables.log
& ~

Daj:

Kod: Zaznacz cały

if $msg contains 'ipT4: ' then -/var/log/iptables.log
& stop