# /var/log/messages flooded with kernel messages [~solved]

## lethu

Hya, my /var/log/* files are getting flooded with the above messages; I noticed that this started after enabling some kernel modules for iptables to work.

Content of "/var/log/everything/current":

```
Apr 22 00:04:08 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=112 TOS=0x00 PREC=0x00 TTL=114 ID$
Apr 22 00:04:12 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID$
Apr 22 00:04:45 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=527 TOS=0x00 PREC=0x00 TTL=49 ID$
Apr 22 00:04:45 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=527 TOS=0x00 PREC=0x00 TTL=49 ID$
Apr 22 00:05:04 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID$
Apr 22 00:05:07 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID$
Apr 22 00:05:13 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID$
Apr 22 00:05:23 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=120 I$
...
```

Could someone please help me with this problem?

Thanks.

Last edited by lethu on Mon Apr 23, 2007 6:20 am; edited 2 times in total

----------

## bunder

Looks like iptables is doing its work blocking traffic... It doesn't say anything about source/destination port though (did it get chopped off? I see a bunch of $'s in the quote).

cheers

----------

## lethu

Thank you for taking interest in my problem; you were right, the log info got chopped off because I didn't pay attention to it while copying. I guess I was too tired after trying to enable/disable many, many modules in the kernel and recompiling it to see the result.

In fact I also omitted to copy-paste what I think may be an important piece of information, which comes before the traffic information lines:

```
Apr 22 21:37:32 [kernel] ip_conntrack version 2.4 (8191 buckets, 65528 max) - 228 bytes per conntrack
Apr 22 21:39:08 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=19977 DF PROTO=TCP SPT=4522 DPT=5110 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 21:39:26 [gconfd (root-5797)] GConf server is not in use, shutting down.
Apr 22 21:39:26 [gconfd (root-5797)] Exiting
Apr 22 21:40:01 [cron] (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Apr 22 21:41:00 [kernel] Inbound IN=eth0 OUT= MAC= SRC= DST= LEN=239 TOS=0x00 PREC=0x00 TTL=64 ID=214 PROTO=UDP SPT=138 DPT=138 LEN=219
Apr 22 21:43:11 [kernel] Inbound IN=eth0 OUT= MAC= SRC= DST= LEN=234 TOS=0x00 PREC=0x00 TTL=64 ID=215 PROTO=UDP SPT=138 DPT=138 LEN=214
Apr 22 21:44:42 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=505 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=38970 DPT=1026 LEN=485
Apr 22 21:44:42 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=505 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=38970 DPT=1027 LEN=485
Apr 22 21:45:15 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=49479 DF PROTO=TCP SPT=2117 DPT=2968 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 22 21:45:17 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=49695 DF PROTO=TCP SPT=2117 DPT=2968 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 22 21:50:01 [cron] (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
Apr 22 21:51:17 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=488 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=59800 DPT=1027 LEN=468
Apr 22 21:54:15 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=488 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=36454 DPT=1027 LEN=468
```

Hope this helps clarify my case; I am going to try disabling other modules in the kernel, maybe some "conntrack" related ones.

Thank you again.

Last edited by lethu on Mon Apr 23, 2007 6:17 am; edited 1 time in total
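An added example, not part of the thread: a small parser for the kernel netfilter LOG line format quoted above, which turns the flood into a per interface/protocol/destination-port summary and a per-minute count (the figure an iptables `-m limit` rule caps). The sample lines are constructed in the same format as the post, with SRC/DST blank as there; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample in the netfilter LOG format quoted in the thread (SRC/DST blank, as there).
SAMPLE_LOG = """\
Apr 22 21:39:08 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=19977 DF PROTO=TCP SPT=4522 DPT=5110 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 21:39:26 [gconfd (root-5797)] GConf server is not in use, shutting down.
Apr 22 21:41:00 [kernel] Inbound IN=eth0 OUT= MAC= SRC= DST= LEN=239 TOS=0x00 PREC=0x00 TTL=64 ID=214 PROTO=UDP SPT=138 DPT=138 LEN=219
Apr 22 21:44:42 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=505 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=38970 DPT=1026 LEN=485
Apr 22 21:44:42 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=505 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=38970 DPT=1027 LEN=485
Apr 22 21:45:15 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=49479 DF PROTO=TCP SPT=2117 DPT=2968 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 22 21:45:17 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=49695 DF PROTO=TCP SPT=2117 DPT=2968 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 22 21:51:17 [kernel] Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=488 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=59800 DPT=1027 LEN=468
"""

# syslog timestamp, the [kernel] tag, then a packet-log body (must contain IN=).
KERNEL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \[kernel\] (?P<rest>.*IN=.*)$")

def parse_line(line):
    """Return a dict of KEY=value fields from one netfilter LOG line, or None.
    Words before the first KEY=value are the --log-prefix; bare tokens after it
    (DF, SYN, ...) go to 'flags'; the repeated LEN on UDP lines becomes LEN2."""
    m = KERNEL_RE.match(line)
    if not m:
        return None
    fields, prefix = {"ts": m.group("ts"), "flags": []}, []
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key + "2" if key in fields else key] = val
        elif "IN" in fields:
            fields["flags"].append(tok)
        else:
            prefix.append(tok)
    fields["prefix"] = " ".join(prefix)
    return fields

def summarize(text):
    """Count logged packets per (interface, protocol, destination port)."""
    counts = Counter()
    for p in filter(None, map(parse_line, text.splitlines())):
        counts[(p.get("IN"), p.get("PROTO"), p.get("DPT"))] += 1
    return counts

def per_minute(text):
    """Packet-log lines per minute: what a '-m limit --limit N/minute' rule would cap."""
    return Counter(p["ts"][:-3] for p in filter(None, map(parse_line, text.splitlines())))

if __name__ == "__main__":
    for (iface, proto, dpt), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  IN={iface} PROTO={proto} DPT={dpt}")
```

Run it over /var/log/messages instead of the sample to see which ports are generating the noise before deciding whether to drop, rate-limit or redirect those log entries.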

----------

## tcunha

If you want to log iptables information to another file, give app-admin/ulogd a shot.

Don't forget to compile the ULOG target.

----------

## lethu

Hi, thank you for replying. I emerged ulogd and enabled the ULOG target in the kernel (it was already enabled), but I still get this:

```
ip_conntrack version 2.4 (8191 buckets, 65528 max) - 208 bytes per conntrack
ipt_LOG: not logging via system console since somebody else already registered for PF_INET
Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=394 TOS=0x00 PREC=0x00 TTL=58 ID=19396 PROTO=UDP SPT=30636 DPT=1026 LEN=374
Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=22739 DF PROTO=TCP SPT=2162 DPT=6346 WINDOW=65535 RES=0x00 SYN URGP=0
Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=22779 DF PROTO=TCP SPT=2162 DPT=6346 WINDOW=65535 RES=0x00 SYN URGP=0
Inbound IN=ppp0 OUT= MAC= SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=22859 DF PROTO=TCP SPT=2162 DPT=6346 WINDOW=65535 RES=0x00 SYN URGP=0
```

both in my dmesg output and /var/log/messages.

I am really desperate, I tried everything I could think of :'(.

Last edited by lethu on Mon Apr 23, 2007 6:19 am; edited 1 time in total

----------

## tcunha

What're the contents of /etc/ulogd.conf?

Here's mine:

```
[global]
nlgroup=1
logfile="/var/log/ulogd.log"
loglevel=5
rmem=131071
bufsize=150000
plugin="/usr/lib/ulogd/ulogd_BASE.so"
plugin="/usr/lib/ulogd/ulogd_LOGEMU.so"

[LOGEMU]
file="/var/log/ulogd.syslogemu"
sync=1

[OPRINT]
file="/var/log/ulogd.pktlog"

[MYSQL]
table="ulog"
pass="changeme"
user="laforge"
db="ulogd"
host="localhost"

[PGSQL]
table="ulog"
schema="public"
pass="changeme"
user="postgres"
db="ulogd"
host="localhost"

[SQLITE3]
table="ulog"
db="/path/to/sqlite/db"
buffer=200

[PCAP]
file="/var/log/ulogd.pcap"
sync=1
```

Don't forget to replace -j LOG with -j ULOG and start the ulog daemon.

Also, you might want to use the limit match with LOG/ULOG target, e.g.:

```
/sbin/iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j ULOG --ulog-prefix "INPUT packet died"
```

----------

## lethu

My /etc/ulogd.conf looks like yours; however, I think the problem is coming from the -j ULOG argument, which I didn't use since I am using firestarter to configure and launch iptables for me, as I have almost no iptables knowledge and don't know where to put the -j ULOG argument when using firestarter. I searched the forum for instructions on what to do to set ULOG as the logger in firestarter but only found the shorewall equivalent instructions here: https://forums.gentoo.org/viewtopic-t-363865-start-0-postdays-0-postorder-asc-highlight-var+flooded.html

----------

## lethu

I finally fixed it by disabling some modules in the kernel. It's an ugly fix but it's better than nothing, especially after four days of fighting similar problems, so I am really fed up, and there are plenty of other things waiting to get fixed too in my lovely Gentoo box. Thank God I am a little bit patient, otherwise I would have switched to the dark side a long time ago. I love Gentoo even if it's so stressful and hard to keep up and running at times, so I won't give up :D.

Well, iptables gives me an error:

```
iptables: No chain/target/match by that name
```

That's because of the modules that I disabled in the kernel, but everything seems to work well, including NAT/masquerading. Here are the kernel settings I manipulated in order to fix my problem, in case there is somebody else with the same issue (I am not sure if this is really what fixed my problem though):

```
Networking  --->
  Networking options  --->
    [*] Network packet filtering (replaces ipchains)  --->
      Core Netfilter Configuration  --->
        <M> Netfilter netlink interface
        <M>   Netfilter NFQUEUE over NFNETLINK interface
        <M>   Netfilter LOG over NFNETLINK interface
        <M> Netfilter Xtables support (required for ip_tables)
        < >   "CLASSIFY" target support
        < >   "CONNMARK" target support
        < >   "DSCP" target support
        < >   "MARK" target support
        < >   "NFQUEUE" target Support
        < >   "comment" match support
        <M>   "connbytes" per-connection counter match support
        <M>   "connmark" connection mark match support
        <M>   "conntrack" connection tracking match support
        < >   "DCCP" protocol match support
        < >   "DSCP" match support
        < >   "ESP" match support
        <M>   "helper" match support
        < >   "length" match support
        < >   "limit" match support
        <M>   "mac" address match support
        < >   "mark" match support
        < >   IPsec "policy" match support
        < >   Multiple port match support
        < >   "pkttype" packet type match support
        < >   "quota" match support
        < >   "realm" match support
        < >   "sctp" protocol match support (EXPERIMENTAL)
        <M>   "state" match support
        < >   "statistic" match support
        < >   "string" match support
        < >   "tcpmss" match support
```

Go here: http://www.fs-security.com/docs/kernel.php in case you want to see how it should look normally.

Thank you tiago and bunder for taking the time to help a poor "revenant", cya all.

PS: ah, and sorry for my awful English :P

----------

## wynn

When you get around to looking at it again you can also change your syslog-ng.conf file to put these messages in another file.

There's a very good post by BoneKracker in "syslog-ng config query (n00b)" and two complete syslog-ng.conf's to work from. The critical thing in this post is the flags(final), which stops entries propagating further.

----------

## lethu

Yay, this looks much better than my nasty fix, I will definitely give it a go, thank you :).

----------

