forked from mrash/psad

README.SYSLOG
This information is documented in the psad.conf file as well:
By default, psad acquires iptables log data from the /var/log/messages
file, which the local syslog daemon (usually) writes iptables log messages
to. If the ENABLE_SYSLOG_FILE variable is set to "N", then psad
reconfigures syslog to write iptables log data to the
/var/lib/psad/psadfifo fifo file, where the messages are picked up by kmsgsd
and written to the file /var/log/psad/fwdata for analysis by psad. On some
systems, having syslog communicate log data to kmsgsd can be problematic
(syslog configs and external factors such as AppArmor and SELinux can play
a role here), so leaving the ENABLE_SYSLOG_FILE variable set to "Y" is
usually recommended.
*** Pre psad-2.1.3 information below ***
TESTING YOUR INSTALLATION:
The psad installer does its best to reconfigure your syslog daemon to write
all kern.info messages (or higher) to the /var/lib/psad/psadfifo named pipe
for analysis. However, to test whether your installation is actually working,
you can do the following as root:
$ iptables -I INPUT -i lo -p tcp --dport 3003 -j LOG --log-prefix "Inbound "
$ telnet localhost 3003
Assuming that psad is running, this should generate in /var/log/psad/fwdata
something similar to:
Jun 15 23:37:33 <your_hostname> kernel: Inbound IN=lo OUT=
MAC=<mac_addresses> SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00
TTL=64 ID=47312 DF PROTO=TCP SPT=40945 DPT=3003 WINDOW=32767 RES=0x00 SYN
URGP=0
Also, executing "psad --Status" should display (among other things) something
like:
Iptables prefix counters:
"Inbound": 1
If the /var/log/psad/fwdata file is empty but you are getting messages in the
system log (for example in the output of "dmesg" or in /var/log/messages), then
you should make sure that psad has the fifo open:
$ lsof | grep psadfifo
You should get something along the lines of:
syslogd 942 root 20u FIFO 3,5 544097 /var/lib/psad/psadfifo
kmsgsd 25457 root 0u FIFO 3,5 544097 /var/lib/psad/psadfifo
The main requirement is that syslog logs the iptables messages at the kern.info
priority (or at a higher priority such as "warn"). The default for the
iptables LOG target is to log messages at the "warn" priority, but
this can be changed with the --log-level option. For example, to have
iptables generate logs at the "info" priority in the INPUT chain, the
following command could be used:
# iptables -A INPUT -j LOG --log-level info
This may help cut down on iptables logs being sent to the console if your
syslog.conf instructs syslog to log kernel messages at a "warn" level or
higher to the console device.
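As an added example (not part of psad or this README), the following Python parses kernel log lines of the kind shown above and computes per-prefix counts like the "Iptables prefix counters" that "psad --Status" reports, which is a quick way to confirm that the lines reaching fwdata really are iptables LOG output. The sample log lines are constructed; the hostname "myhost", the MAC string and the addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample of what /var/log/psad/fwdata (or /var/log/messages) might
# contain: two "Inbound " LOG lines, one "DROP " UDP line, and two unrelated lines.
SAMPLE_FWDATA = """\
Jun 15 23:37:33 myhost kernel: Inbound IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=47312 DF PROTO=TCP SPT=40945 DPT=3003 WINDOW=32767 RES=0x00 SYN URGP=0
Jun 15 23:37:34 myhost kernel: Inbound IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40946 DPT=22 WINDOW=32767 RES=0x00 SYN URGP=0
Jun 15 23:37:35 myhost kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=5353 DPT=53 LEN=8
Jun 15 23:37:36 myhost sshd[123]: Accepted publickey for someuser
Jun 15 23:37:37 myhost kernel: e1000e: eth0 NIC Link is Up
"""

# Everything between "kernel:" and the first "IN=" is the --log-prefix text.
LOG_RE = re.compile(r"kernel:\s*(?P<prefix>.*?)\s*(?=\bIN=)(?P<fields>.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_iptables_log(line):
    """Return {'prefix', 'fields', 'flags'} for an iptables LOG line, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, value in KV_RE.findall(m.group("fields")):
        # UDP/ICMP lines repeat LEN= (IP length, then payload length); keep the first.
        fields.setdefault(key, value)
    # Bare tokens such as DF, SYN or ACK carry no "=" and are TCP/IP flags.
    flags = [tok for tok in m.group("fields").split() if "=" not in tok]
    return {"prefix": m.group("prefix"), "fields": fields, "flags": flags}


def prefix_counters(lines):
    """Count LOG prefixes the way 'psad --Status' lists 'Iptables prefix counters'."""
    counts = Counter()
    for line in lines:
        rec = parse_iptables_log(line)
        if rec is not None:
            counts[rec["prefix"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for prefix, n in prefix_counters(SAMPLE_FWDATA.splitlines()).items():
        print('"%s": %d' % (prefix, n))
```

To run it against a live system, feed the lines of /var/log/psad/fwdata to prefix_counters() instead of the constructed sample.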