options to log Netfilter/iptables - anything better than ulogd?
My requirements are to do extensive logging of various iptables rules that must be logged into a file other than Syslog or the Journal.
For some time I have been using ulogd, which enables setting up custom log files. However, ulogd isn't supported in systemd on Fedora, which seems to indicate it is no longer a preferred option and may be going the way of the dodo bird.
I'm wondering if there is a newer preferred option? (conntrack doesn't seem to provide full logging to a file.)
EDIT:
Ok - some more details. I am using ipset, which blocks and/or logs traffic from particular countries. So for example, if there is outgoing traffic to particular countries, we need to know about it and investigate further. Having a large volume of logging information from iptables rules going into Syslog (and the new Journal used in Fedora) means that normal Syslog messages are swamped and important messages are being missed due to the volume of iptables logs. Hence we need to separate the normal Syslog messages from the high-volume iptables logs.
iptables
asked Nov 11 '13 at 23:49 by Eureka Ikara; edited Nov 12 '13 at 22:58 by fukawi2
"My requirements are to do extensive logging of various iptables rules" You need to explain that better to give us a better understanding so we can give more accurate answers. At the moment, this is an XY Problem: meta.stackexchange.com/a/66378/205010
– fukawi2
Nov 12 '13 at 2:56
Ok - some more details. I am using ipset, which blocks and/or logs traffic from particular countries. So for example, if there is outgoing traffic to particular countries, we need to know about it and investigate further. Having a large volume of logging information from iptables rules going into Syslog (and the new Journal used in Fedora) means that normal Syslog messages are swamped and important messages are being missed due to the volume of iptables logs. Hence we need to separate the normal Syslog messages from the high-volume iptables logs.
– Eureka Ikara
Nov 12 '13 at 5:39
2 Answers
use the following iptables directive after you run "man iptables"
-j LOG
answered Nov 12 '13 at 1:46 by nandoP
But the problem is that I have not been able to come up with a solution that doesn't log these messages to Syslog. I have been able to come up with a solution that logs them to another file, but they also get logged to Syslog, which is what I need to avoid.
– Eureka Ikara
Nov 12 '13 at 5:31
Perhaps the NFLOG target could be useful to you? I've never used it, but it sounds like it's what you're after?
This target provides logging of matching packets. When this target is set for a rule, the Linux kernel will pass the packet to the loaded logging backend to log the packet. This is usually used in combination with nfnetlink_log as logging backend, which will multicast the packet through a netlink socket to the specified multicast group. One or more userspace processes may subscribe to the group to receive the packets. Like LOG, this is a non-terminating target, i.e. rule traversal continues at the next rule.
(Emphasis added)
answered Nov 12 '13 at 23:01 by fukawi2
Thanks for the suggestion. Actually, in Fedora 19 ulogd now uses the NFLOG target, as the ULOG target is deprecated. However, to add to my concerns about ulogd, it causes lots of SELinux permission problems as there does not seem to be any up-to-date SELinux policy for it. Hence my thinking that maybe there is another solution I have not been able to find.
– Eureka Ikara
Nov 13 '13 at 22:13
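Both answers above leave the same practical gap the asker keeps running into: with the LOG target the kernel hands every record to the syslog daemon, so separating firewall noise from ordinary messages has to happen in the daemon (in rsyslog, a property filter on the --log-prefix string, such as `:msg, contains, "IPT-GEO-OUT: " /var/log/iptables.log` followed by `& stop`, sends the line to its own file and keeps it out of /var/log/messages), while NFLOG hands raw packets to a userspace subscriber such as ulogd that writes its own file. The following is an added example, not code from the thread or from netfilter/ulogd: it parses the kernel LOG line format into fields, performs the same prefix-based split an rsyslog filter would, and tallies outbound destinations per protocol and port, which is the "who is talking to that country" question the asker wants to answer. The syslog lines are constructed; the prefix `IPT-GEO-OUT`, the hostname `fw1` and all addresses (RFC 5737 documentation ranges) are assumptions.

```python
"""Split netfilter LOG-target records out of a syslog stream and parse them.

Added example, not from the Server Fault thread or from the netfilter project.
It mirrors what an rsyslog filter on the --log-prefix would do, in Python so the
field parsing can be exercised offline. All sample lines are constructed; the
prefix "IPT-GEO-OUT", host "fw1" and the addresses are assumptions.
"""
from collections import Counter

# Assumed to match a rule such as:  iptables ... -j LOG --log-prefix "IPT-GEO-OUT: "
LOG_PREFIX = "IPT-GEO-OUT"

# Constructed syslog excerpt: three firewall records mixed with ordinary messages.
SAMPLE_SYSLOG = """\
Nov 12 05:31:01 fw1 sshd[2231]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
Nov 12 05:31:02 fw1 kernel: IPT-GEO-OUT: IN= OUT=eth0 SRC=192.0.2.25 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=44120 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 12 05:31:02 fw1 kernel: IPT-GEO-OUT: IN= OUT=eth0 SRC=192.0.2.25 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=44121 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 12 05:31:03 fw1 systemd[1]: Started Daily Cleanup of Temporary Directories.
Nov 12 05:31:04 fw1 kernel: IPT-GEO-OUT: IN= OUT=eth0 SRC=192.0.2.31 DST=203.0.113.9 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=51515 DPT=53 LEN=56
Nov 12 05:31:05 fw1 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
"""


def parse_nf_log(line, prefix=LOG_PREFIX):
    """Return a dict of fields for a kernel LOG line carrying `prefix`, else None.

    The kernel payload is a run of KEY=VALUE tokens (IN= may be empty) plus bare
    flag tokens such as DF or SYN, which are collected under "flags".
    """
    marker = f"kernel: {prefix}: "
    idx = line.find(marker)
    if idx < 0:
        return None
    payload = line[idx + len(marker):]
    rec = {"timestamp": line[:15], "flags": []}  # "Mon DD HH:MM:SS" is 15 chars
    for tok in payload.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            # First occurrence wins: UDP lines repeat LEN (IP total, then UDP length).
            rec.setdefault(key, val)
        else:
            rec["flags"].append(tok)
    return rec


def split_syslog(text, prefix=LOG_PREFIX):
    """Separate firewall records from everything else, like an rsyslog prefix filter.

    Returns (firewall_records, other_lines): parsed dicts for prefixed lines and
    the untouched text of every other line, which would stay in the normal log.
    """
    firewall, other = [], []
    for line in text.splitlines():
        rec = parse_nf_log(line, prefix)
        if rec is None:
            other.append(line)
        else:
            firewall.append(rec)
    return firewall, other


def outbound_summary(records):
    """Count outbound flows per (DST, PROTO, DPT); outbound means OUT set and IN empty."""
    counts = Counter()
    for r in records:
        if r.get("OUT") and not r.get("IN"):
            counts[(r.get("DST", "-"), r.get("PROTO", "-"), r.get("DPT", "-"))] += 1
    return counts


if __name__ == "__main__":
    fw, other = split_syslog(SAMPLE_SYSLOG)
    print(f"{len(fw)} firewall records separated from {len(other)} ordinary syslog lines")
    for (dst, proto, dpt), n in outbound_summary(fw).most_common():
        print(f"{n:4d}  {dst:>15}  {proto}/{dpt}")
```

Run it as a script to see the split and the per-destination tally; feed a real file with `split_syslog(open("/var/log/messages").read())` to check how much of the volume the prefix filter would peel off before committing to the rsyslog rule. The parser only applies to the LOG target's text format; NFLOG subscribers receive packet payloads over netlink and produce whatever format the subscriber (ulogd, for instance) is configured to write.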