Question about messages logs

[biggsk]

Anyone out there know how to make these entires stop showing up in my /var/log/messages?


Feb 2 23:47:49 server kernel: Inbound IN=eth0 OUT= MAC=00:07:95:e6:c9:6e:00:13:72:e8:bf:f9:08:00 SRC=192.168.1.191 DST=192.168.1.192 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=58697 PROTO=UDP SPT=1746 DPT=53 LEN=40


Thanks

[Hlingler]

Hello:

IIRC, you would want to edit /etc/syslog.conf to specify a higher level at which to log info. Don't know what default is. Lowest level (log all activity whatsoever) is debug (?), next is info, then notice, then warn, error, critical, and none (=don't bother me). Sounds like you probably don't want to see anything below warn, so:

[...]
*.warn;mail.none;authpriv.none;cron.none /var/log/messages
[...]

Consult man syslog for clarification/verification of these levels, etc.

Regards,
V

[lmo]

I vaguely remember once having set up a system so that the network traffic was getting dumped into /var/log/messages.
I don't know how I got it set up that way, but I think I eventually got it to stop with help from man pages for
syslog
syslog.conf
klogd

It might also have something to do with iptables.
One thing to look at is the command:
iptables -L

I do not remember the specifics, but I think it is possible to put specific log traffic into a different file than messages.

As an example, I modified my /etc/syslog.conf so that gconfd "spam" goes to /var/log/user instead of /var/log/messages

Code:

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;user.none      /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# gconfd ?
user.*                                                  /var/log/user

Maybe there is a way to redirect IP traffic logs too.
Or maybe there is a way to avoid logging it.
On my system which doesn't have any custom iptables, it doesn't log those kinds of messages.

[Evil_Bert]

The message refers to a firewall event (from the kernel netfilter) - blocked traffic is logged by default, and I assume that this is so in your setup - it looks like netfilter blocked a DNS lookup from 192.168.1.191 to 192.168.1.192. (Actually, the fields in the message don't look completely correct, but I don't know what your setup is).

As advised above, you can change both the level of logging and the file/destination to which logged data is written. If you generate a new log file, don't forget to add it to logrotate so that new log files are created and old ones archived: see "man logrotate" for more info.

But do you really need to change that setup (i.e. logging firewall messages)? There may be applications that expect to find certain data in certain logfiles, e.g. firestarter's status GUI expects to find firewall events in /var/log/messages, and it is not configurable in that respect.

It may be better to leave /var/log/messages alone and copy data of interest to other specific logs you create (duplicate logs via syslog.conf) - that way, you won't risk breaking any applications down the track.

To view system log files, if you're not already doing so, you can use gnome-system-log; it has a simple text filter to help isolate messages of interest (e.g. you could use "eth0" to isolate network-related data in /var/log/messages).

[biggsk]

Thanks all for your quick replies!