# How do network logs work?! Guru asked.

## barlad

Hey there,

In order to solve my problem with firestarter I started looking into the syslog and metalog documentation, and I must admit I am totally lost, so maybe one of you network gurus can help me out.

My question is... how the hell do the network logs work?

I mean, what part of the system logs all the packets sent or received by my PC on its interfaces? For example, what logs all the packets sent/received by the ppp0 interface? (my internet connection).

Is it the kernel? In that case, to what level/facility does it correspond?

Basically, I would like to log, through metalog, all those packets and write them to a file: /var/log/messages (which corresponds to the default syslog file, I think) so that firestarter can listen to it. That's why I need to figure out how it works: what facility, what level, what daemon/program (if any) are concerned.

I am lost.  :Smile: 

----------

## ctford0

My advice would be to switch to syslog-ng.  If you emerge it and then use this as your syslog config, everything should work fine.  The latest stable version of syslog-ng does not come with a sample config file that writes anything but the messages log.

```
#
# Syslog-ng example configuration for Debian GNU/Linux
#
# Copyright (c) 1999 anonymous
# Copyright (c) 1999 Balazs Scheidler
# $Header: /home/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.sample,v 1.4 2002/10/12 07:26:42 blocke Exp $
#
# Syslog-ng configuration file, compatible with default Debian syslogd
# installation.
#

options { long_hostnames(off); sync(0); };

# Sources: /dev/log carries everything applications send through syslog(3);
# /proc/kmsg carries the kernel ring buffer (facility kern), which is also
# where the iptables LOG target writes.
source src { unix-stream("/dev/log"); internal(); };
source kernsrc { pipe("/proc/kmsg"); };
#source net { udp(); };

destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
destination uucp { file("/var/log/uucp.log"); };
#destination ppp { file("/var/log/ppp.log"); };
destination mail { file("/var/log/mail.log"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
#destination loghost { udp("loghost" port(999)); };
destination xconsole { pipe("/dev/xconsole"); };

# Filters select on the two fields every syslog message carries: facility and level.
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
# The sample shipped with facility(cron) here, which sent cron entries to uucp.log.
filter f_uucp { facility(uucp); };
#filter f_ppp { facility(ppp); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
        and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

# Each log statement joins a source, zero or more filters (ANDed) and a destination.
# Only the kern.log statement reads kernsrc, so kernel messages do not reach
# /var/log/messages with these statements as written.
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_uucp); destination(uucp); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };
log { source(src); filter(f_news); filter(f_err); destination(newserr); };
log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
#log { source(src); filter(f_ppp); destination(ppp); };
log { source(src); destination(console_all); };
```

You may need to uncomment the ppp references... not really sure.

Hope this helps.....

Chris

----------

## fatcat.00

Which file stuff gets logged to depends on two things:

1) The syslog "facility" used by the application

2) Where the syslog config file sends events for that facility.

For example, let's say BIND is configured to send events to syslog using the "daemon" facility.  If syslog is configured so that "daemon" facility messages (use ctford0's config file for reference) write to "/var/log/daemon.log", then that is where they will go.

I agree with ctford0 that syslog-ng seems to be very simple to setup and understand.  Playing around with it will produce full understanding in an hour or less.

Give it a try and post again if you need more help.

----------
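As an added example (not code from the thread, from syslog-ng or from firestarter), the Python script below shows the mechanism fatcat.00 describes. Every syslog message carries a PRI number, facility * 8 + severity, and the `filter {}` blocks in ctford0's config select on exactly those two fields. The script encodes and decodes PRI values, re-implements a subset of the config's filters and `log {}` statements (source, filter, destination), and routes two constructed messages: a BIND query line sent as daemon.info, and a kernel line as it would be read from /proc/kmsg, where the `<4>` prefix is severity warning and the facility of anything from the kernel ring buffer is kern. Hostnames, addresses and message text are made up; the tables follow RFC 3164 and syslog-ng's facility names.

```python
"""Decode syslog PRI values and replay the routing of the syslog-ng sample
config on constructed messages. Added example for this thread, not the
thread's own code."""
import re

# Facility and severity tables (RFC 3164 numbering, syslog-ng names).
# PRI = facility * 8 + severity, so 0..191.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def encode_pri(facility, severity):
    """The <PRI> number an application sends for facility.severity."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Split a PRI number back into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse(raw):
    """Parse one message as it arrives on /dev/log or /proc/kmsg.
    Per RFC 3164 a message without a PRI is treated as <13> = user.notice."""
    m = PRI_RE.match(raw)
    pri, text = (int(m.group(1)), m.group(2)) if m else (13, raw)
    facility, severity = decode_pri(pri)
    return {"facility": facility, "severity": severity, "text": text}


# Filters mirroring the config's filter {} blocks. level(info..warn) is a
# range on severity numbers: warning(4) .. info(6).
def f_authpriv(m): return m["facility"] in ("auth", "authpriv")
def f_syslog(m): return m["facility"] not in ("authpriv", "mail")
def f_daemon(m): return m["facility"] == "daemon"
def f_kern(m): return m["facility"] == "kern"
def f_mail(m): return m["facility"] == "mail"
def f_debug(m): return m["facility"] not in ("auth", "authpriv", "news", "mail")
def f_messages(m):
    return (4 <= SEVERITIES.index(m["severity"]) <= 6
            and m["facility"] not in ("auth", "authpriv", "mail", "news"))
def f_emergency(m): return m["severity"] == "emerg"
def f_all(m): return True


# log {} statements as (source, filter, destination). Only the kern.log
# statement reads kernsrc, exactly as in the posted config.
LOG_PATHS = [
    ("src", f_authpriv, "/var/log/auth.log"),
    ("src", f_syslog, "/var/log/syslog"),
    ("src", f_daemon, "/var/log/daemon.log"),
    ("kernsrc", f_kern, "/var/log/kern.log"),
    ("src", f_mail, "/var/log/mail.log"),
    ("src", f_debug, "/var/log/debug"),
    ("src", f_messages, "/var/log/messages"),
    ("src", f_emergency, "usertty(root)"),
    ("src", f_all, "/dev/tty12"),
]


def route(raw, source):
    """Destinations a message arriving on `source` ('src' or 'kernsrc') reaches."""
    msg = parse(raw)
    return [dest for src, flt, dest in LOG_PATHS if src == source and flt(msg)]


# Constructed sample messages (made-up host, addresses and text).
BIND_LINE = "<%d>Nov 12 10:00:01 box named[1234]: client 10.0.0.5#53201: query: example.com IN A" \
    % encode_pri("daemon", "info")
# What the iptables LOG target looks like on /proc/kmsg: level 4 = warning, facility kern.
IPTABLES_LINE = ("<4>IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 "
                 "PROTO=TCP SPT=40123 DPT=22 SYN")

if __name__ == "__main__":
    for raw, source in ((BIND_LINE, "src"), (IPTABLES_LINE, "kernsrc")):
        m = parse(raw)
        print(f"{m['facility']}.{m['severity']:<8} from {source:<7} -> {route(raw, source)}")
```

Running it shows the BIND line landing in syslog, daemon.log, debug, messages and tty12, while the kernel line reaches only kern.log: every statement except the kern.log one reads `source(src)`, so under this config a tool tailing /var/log/messages never sees iptables output. An extra `log { source(kernsrc); filter(f_messages); destination(messages); };` statement is the usual way to change that.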

## barlad

Thanks for all the information. I think I am starting to understand how all of that works. 

That said, my question was more to know what part of the kernel or system reports the connections to syslog, but I think you answered the question by quoting BIND. 

I will look into the manual of BIND or do a search on google to make sure I got it. 

I am about to solve my problem with firestarter but I still wanted to know how it works. I am too curious  :Wink: .

----------

## fatcat.00

Hmm, I think I misunderstood your initial question.  Different things log in different ways.  Kernel messages are logged via syslog, but anything can log to a file of its own making.  Syslog is provided as a service that *anything* can use *if* the programmer wants to make use of it.  Syslog provides a protocol that can be used either locally or remotely, meaning remote devices can log via syslog on a different machine, over the network.

Now if you are particularly interested in statistics on your PPP interface, I am not sure what part of the OS keeps track of that.  I am guessing that it is a simple counter, and nothing more.  If you want more sophisticated statistics, try "iptraf".

iptables logs via syslog, and it is user definable as to which syslog facility it uses, so therefore it is user definable as to which file the log info goes to.

I have a feeling this answer isn't quite what you wanted either.  Oh well, keep asking maybe someone will strike on it.

----------
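The kernel side of this, as an added example that is not part of the thread or of firestarter: netfilter's LOG target writes through printk, so its entries reach syslog with the kern facility and the severity chosen by `--log-level` (warning when not given), and a `--log-prefix` string is what lets a consumer tell them apart from other kernel output. The Python below parses such entries out of /var/log/messages lines and counts inbound hits per protocol and destination port on ppp0, the kind of view a front-end like firestarter builds from that file. The log lines are constructed for the example (RFC 5737 documentation addresses, made-up host and times), not captured from a real system, and the iptables rule in the comment is assumed to be what produced them.

```python
"""Parse netfilter LOG entries out of /var/log/messages lines.
Added example for this thread; not firestarter's code."""
import re
from collections import Counter

# Assumed rule that produced the sample entries below:
#   iptables -A INPUT -i ppp0 -j LOG --log-prefix "FW-IN: " --log-level warning
# The kernel emits them at kern.warning and syslog writes them as
#   "Mon DD HH:MM:SS host kernel: FW-IN: IN=ppp0 OUT= ... PROTO=TCP SPT=.. DPT=.. SYN"

SYSLOG_KERNEL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<body>.*)$")
IN_RE = re.compile(r"(?:^|\s)IN=")      # the first IN= token starts the netfilter fields
KV_RE = re.compile(r"([A-Z]+)=(\S*)")   # KEY=value tokens; value may be empty (OUT=, MAC=)


def parse_log_line(line):
    """Return a dict for a netfilter LOG entry, or None for any other line."""
    m = SYSLOG_KERNEL_RE.match(line)
    if not m:
        return None                      # not a kernel message at all
    body = m.group("body")
    hit = IN_RE.search(body)
    if not hit:
        return None                      # kernel message, but not from the LOG target
    start = hit.end() - len("IN=")
    rec = {"ts": m.group("ts"), "host": m.group("host"), "prefix": body[:start].strip()}
    fields = body[start:]
    # Later duplicates (ICMP ID after IP ID, UDP LEN after IP LEN) overwrite
    # earlier ones; a real consumer would special-case those per protocol.
    rec.update({k.lower(): v for k, v in KV_RE.findall(fields)})
    # Bare tokens such as DF, SYN, ACK carry no '='; keep them as flags.
    rec["flags"] = [t for t in fields.split() if "=" not in t]
    return rec


def summarize(lines, iface="ppp0"):
    """Count inbound hits per (proto, dport) on one interface over syslog lines."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None and rec.get("in") == iface:
            counts[(rec.get("proto"), rec.get("dpt"))] += 1
    return counts


# Constructed sample lines: two SSH probes and a NetBIOS probe on ppp0, an ICMP
# echo on eth0, a non-netfilter kernel message and a non-kernel message.
SAMPLE_LINES = [
    "Nov 12 10:00:02 box kernel: FW-IN: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.2 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=5840 "
    "RES=0x00 SYN URGP=0",
    "Nov 12 10:00:05 box kernel: FW-IN: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.2 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12346 DF PROTO=TCP SPT=40124 DPT=22 WINDOW=5840 "
    "RES=0x00 SYN URGP=0",
    "Nov 12 10:00:09 box kernel: FW-IN: IN=ppp0 OUT= MAC= SRC=192.0.2.77 DST=198.51.100.2 "
    "LEN=78 TOS=0x00 PREC=0x00 TTL=116 ID=0 DF PROTO=UDP SPT=1027 DPT=137 LEN=58",
    "Nov 12 10:00:10 box kernel: FW-IN: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=84 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1",
    "Nov 12 10:00:11 box kernel: usb 1-1: new full speed USB device using uhci_hcd",
    "Nov 12 10:00:12 box named[1234]: client 10.0.0.5#53201: query: example.com IN A",
]

if __name__ == "__main__":
    for (proto, dport), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"ppp0 {proto} dport {dport}: {n} hit(s)")
```

The two rejects in `parse_log_line` are the important part: a kernel line without netfilter fields and a non-kernel line both return None, so the counter only ever sees LOG output. Whether those lines are in /var/log/messages at all is a question for the syslog config, as the rest of the thread discusses.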

