# shorewall and syslog-ng -- trouble with logging

## Zorn1981

I use shorewall and I want to log the output of shorewall.

This is my syslog-ng configuration file; it doesn't work:

```
# $Header: /home/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.3 2003/05/12 22:43:48 msterret Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett

options {
        long_hostnames(off);
        sync(0);
        # The default action of syslog-ng 1.6.0 is to log a STATS line
        # to the file every 10 minutes.  That's pretty ugly after a while.
        # Change it to every 12 hours so you get a nice daily update of
        # how many messages syslog-ng missed (0).
        stats(43200);
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
source kernsrc { file("/proc/kmsg"); };

#destination messages { file("/var/log/messages"); };

#define destinations
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination mail { file("/var/log/mail.log"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
destination xconsole { pipe("/dev/xconsole"); };
destination d_shorewall_warn { file("/var/log/shorewall/warn.log"); };
destination d_shorewall_info { file("/var/log/shorewall/info.log"); };

#create filters
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
        and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_failed { match("failed"); };
filter f_denied { match("denied"); };
filter f_shorewall_warn { level(warn) and match("Shorewall:"); };
filter f_shorewall_info { level(warn) and match("Shorewall:"); };

#connect filter and destination
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
log { source(src); filter(f_shorewall_info); destination(d_shorewall_info); };
log { source(src); filter(f_shorewall_warn); destination(d_shorewall_warn); };

#default log
log { source(src); destination(console_all); };
```


----------

## Chris W

One of your two Shorewall filters is incorrect: 'warn' instead of 'info'.

The source for Shorewall output should be 'source{kernsrc}'.

----------

## Zorn1981

Thanks, but it doesn't work!

Can I stop and restart syslog-ng without rebooting?

bye

Z81

----------

## asimon

With 

```
/etc/init.d/syslog-ng reload
```

syslog-ng reloads its config file, closes and reopens its file handles, which is essentially a 'restart'.

I use this to log my shorewall/ipfilter stuff:

```
filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };
destination iptables { file("/var/log/iptables.log"); };
log { source(src); filter(f_iptables); destination(iptables); };
```

Possibilities why your schema doesn't work:

* Is the ":" in match("Shorewall:") allowed there? It could be a character that has a special meaning in this regular expression.

* Maybe you use the wrong log levels; log levels can be configured in /etc/shorewall/shorewall.conf.

* Is your shorewall.conf configured in such a way that it prefixes log messages with "Shorewall:"? Maybe it isn't.

* Some reason I don't see right now

----------

## Zorn1981

I've tried your version (mr. Burn). It works!

Thanks

Marco

----------

## zeek

Unrelated to the original question, what about ULOGD?

I never quite understood its existence, or if it was any better at anything?

----------

## Zorn1981

Good question zeek!

Could someone drop a line to explain differences between ULOGD and syslog-ng and other log systems? Which is better? Why?

I use a (super)karamba app to view my log files at real time. I think there are better tools somewhere. Any advice?

bye

Z81

----------

## asimon

A quick look at the ulogd webpage (I hadn't heard of ulogd before) shows that it's no replacement for system loggers like syslog-ng, sysklog, metalog, etc. ulogd is for iptables logging only and cannot replace the other logging facilities. It looks like it's much more flexible than syslog-ng and friends; it supports more protocols and output formats. The iptables log messages are sent to the ulogd daemon, which for example can then write the iptables log messages into an SQL database. This is surely interesting for large sites, which can then do sophisticated SQL queries to analyze their firewall traffic.

----------

## Zorn1981

Thanks!

----------

## trumee

I am stuck with the same problem, even after using asimon's script. There is no iptables.log file and still everything is being dumped on /var/log/messages. Here is my /etc/syslog-ng/syslog-ng.conf:

```
# $Header: /home/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.3 2003/05/12 22:43:48 msterret Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett

options {
        long_hostnames(off);
        sync(0);
        # The default action of syslog-ng 1.6.0 is to log a STATS line
        # to the file every 10 minutes.  That's pretty ugly after a while.
        # Change it to every 12 hours so you get a nice daily update of
        # how many messages syslog-ng missed (0).
        stats(43200);
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
source kernsrc { file("/proc/kmsg"); };

#destination messages { file("/var/log/messages"); };

#define destinations
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination mail { file("/var/log/mail.log"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
destination xconsole { pipe("/dev/xconsole"); };
destination d_shorewall_warn { file("/var/log/shorewall/warn.log"); };
destination d_shorewall_info { file("/var/log/shorewall/info.log"); };

#create filters
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
        and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_failed { match("failed"); };
filter f_denied { match("denied"); };

#connect filter and destination
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };

filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };
destination iptables { file("/var/log/iptables.log"); };
log { source(src); filter(f_iptables); destination(iptables); };

#default log
log { source(src); destination(console_all); };
```

What is going wrong?

Thanks

----------

## trumee

Got it working. Thanks

----------

## asimon

*trumee wrote:*

> What is going wrong?

The config looks good, I don't see anything wrong. Did you restart or reload syslog-ng after changing its configuration, i.e. '/etc/init.d/syslog-ng reload'? Otherwise it will still use its old configuration.

But even if it works, the iptables log messages will still go into messages. They are just filtered additionally into iptables.log. If you don't want them in messages, things get a little more complicated: you have to exclude them in the messages filter. Something like

```
filter f_messages { not facility(auth, authpriv, mail, news) and
                    not (facility(kern) and match("IN=") and match("OUT=")); };
```
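To make the routing behaviour concrete, here is an added Python model (not code from this thread, from Gentoo, or from syslog-ng itself) of the filters asimon posted in his two replies: the `f_iptables` filter that copies kernel lines carrying both `IN=` and `OUT=` into iptables.log, and the exclusion clause that keeps those same lines out of `/var/log/messages`. It also includes the two `Shorewall:` filters from the first post with Chris W's correction (info, not warn) applied. The sample log lines are constructed for the example, syslog-ng's `match()` is modelled as an unanchored regular-expression search, and `level(a..b)` as an inclusive range over the standard syslog severities. A bare ":" is not a regex metacharacter, so `match("Shorewall:")` matches the literal prefix.

```python
import re

# Standard syslog severities, most to least severe; syslog-ng's level(a..b)
# is an inclusive range over this order ("warn" is an alias of "warning").
LEVELS = ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"]

# Constructed sample messages (facility, level, text). The kernel lines imitate
# the Shorewall/iptables LOG format; none were captured from a real host.
SAMPLE_LINES = [
    ("kern", "info", "Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=23"),
    ("kern", "warn", "Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=192.0.2.1 DST=198.51.100.9 PROTO=UDP DPT=53"),
    ("kern", "info", "eth0: link up, 1000Mbps, full-duplex"),
    ("daemon", "info", "sshd[1234]: Accepted publickey for alice from 192.0.2.50"),
    ("mail", "warn", "postfix/smtpd[99]: warning: hostname lookup failed"),
    ("authpriv", "notice", "su: (to root) alice on pts/0"),
]


def facility(*names):
    """Mirror syslog-ng facility(a, b, ...): true if the message's facility is listed."""
    return lambda msg: msg["facility"] in names


def level(spec):
    """Mirror syslog-ng level(x) or level(x..y) as an inclusive severity range."""
    lo, _, hi = spec.partition("..")
    lo_i, hi_i = sorted((LEVELS.index(lo), LEVELS.index(hi or lo)))
    return lambda msg: lo_i <= LEVELS.index(msg["level"]) <= hi_i


def match(pattern):
    """Mirror syslog-ng match(): unanchored regex search over the message text."""
    rx = re.compile(pattern)
    return lambda msg: rx.search(msg["text"]) is not None


def all_of(*preds):
    return lambda msg: all(p(msg) for p in preds)


def not_(pred):
    return lambda msg: not pred(msg)


# asimon's filter: kernel facility and both IN= and OUT= present.
f_iptables = all_of(facility("kern"), match("IN="), match("OUT="))

# Gentoo's stock f_messages: iptables lines are kernel/info..warn, so they pass.
f_messages_stock = all_of(level("info..warn"),
                          not_(facility("auth", "authpriv", "mail", "news")))

# asimon's exclusion variant: drop anything f_iptables would accept.
f_messages_excl = all_of(not_(facility("auth", "authpriv", "mail", "news")),
                         not_(all_of(facility("kern"), match("IN="), match("OUT="))))

# Shorewall-prefix filters from the first post, with the info/warn fix applied.
f_shorewall_warn = all_of(level("warn"), match("Shorewall:"))
f_shorewall_info = all_of(level("info"), match("Shorewall:"))


def build_log_paths(exclude_iptables_from_messages):
    """One (filter, destination) pair per log{} statement of interest."""
    f_messages = f_messages_excl if exclude_iptables_from_messages else f_messages_stock
    return [
        (f_iptables, "/var/log/iptables.log"),
        (f_messages, "/var/log/messages"),
        (f_shorewall_info, "/var/log/shorewall/info.log"),
        (f_shorewall_warn, "/var/log/shorewall/warn.log"),
    ]


def route(messages, log_paths):
    """Every log{} statement is evaluated for every message, so one message
    can be written to several destinations; that is why iptables lines keep
    landing in /var/log/messages until f_messages explicitly excludes them."""
    routed = {dest: [] for _, dest in log_paths}
    for msg in messages:
        for filt, dest in log_paths:
            if filt(msg):
                routed[dest].append(msg["text"])
    return routed


def simulate(exclude_iptables_from_messages=False):
    msgs = [{"facility": f, "level": l, "text": t} for f, l, t in SAMPLE_LINES]
    return route(msgs, build_log_paths(exclude_iptables_from_messages))


if __name__ == "__main__":
    for exclude in (False, True):
        print(f"exclude iptables lines from messages: {exclude}")
        for dest, lines in simulate(exclude).items():
            print(f"  {dest}: {len(lines)} line(s)")
```

Running it shows the two kernel lines with `IN=`/`OUT=` reaching iptables.log in both modes, while `/var/log/messages` shrinks from four lines to two only once the exclusion clause is in place; the Shorewall info and warn files each receive exactly the line whose severity they filter on, which is the behaviour the corrected first-post filters were after.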

----------

