Logging, Syslog and Log Analysis Forums » Forums » Syslog & syslogd
splitting kernel messages out to different logs

Read March 22, 2004, 12:19:06 am #0
unkowen

splitting kernel messages out to different logs

I need to know if there is any way to have kernel.warn messages from iptables sent to a different log than my kernel.warn messages from other system daemons/services.
 
Read June 28, 2004, 08:55:51 am #1
Anonymous

splitting kernel messages out to different logs

I don't think so.  You may be able to use something like metalog (http://metalog.sourceforce.net), but if iptables uses kernel.warn to classify its messages, I don't think it'll work.
 
Read April 29, 2005, 03:08:11 pm #2
mutex

splitting kernel messages out to different logs

I believe if you convert to syslog-ng, you would be able to use a filter to recognize that the logs came from iptables.  I'm not 100% sure, though.
Read May 02, 2005, 08:36:59 pm #3
gundalba

splitting kernel messages out to different logs

Just a theory yet, but am thinking about piping the log into a small parsing script to generate separate files...
Read May 04, 2005, 08:35:05 am #4
mutex

splitting kernel messages out to different logs

You can certainly do that, in fact the user "Jeff" posted a perl script that does just that, if you search for it here.  But, the reality is that it's a bit of a hack to do it that way.  The support that syslog-ng has to split messages into different files is very clean and easy to maintain.  Just my opinion, though.
Read May 30, 2005, 08:28:16 am #5
mutex

splitting kernel messages out to different logs

If you're able to identify and separate them with a script, then you would be able to do it with syslog-ng as well.
Read October 16, 2008, 10:07:42 am #6
rgerhards

Re: splitting kernel messages out to different logs

Another follow-up after coming back to the forum.

With rsyslog, you can easily do this. The primary trick is that you include a text with each of the iptables log entries. Then, you can use so-called "contains" searches, which check for the text in question inside the log entries. This can be done as part of regular rule processing.

Note that rsyslog is the standard syslogd on Fedora 8+ and will be the standard on the next release of Debian. So you may already be using it and just need to deploy the necessary rules. As this topic seems to be of interest to many people (judging from the access count), I'll probably write a HOWTO. If so, I'll post the link here (so it probably is a good idea to subscribe to the thread if you are interested in the HOWTO).
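The rsyslog rules for the approach rgerhards describes, as an added example that is not from the thread or from the rsyslog project itself. It assumes the iptables LOG rules were created with a fixed `--log-prefix "iptables: "` marker and that rsyslog v7 or later is in use:

```conf
# /etc/rsyslog.d/10-iptables.conf  (added example, not part of the thread)
#
# Assumes every firewall LOG rule carries the same marker text, e.g.
#   iptables -A INPUT -j LOG --log-prefix "iptables: " --log-level warning
# (--log-prefix is limited to 29 characters), so each firewall entry that
# the kernel emits at kern.warn contains that text while other kernel
# messages do not.

# Property-based "contains" filter: match the marker anywhere in the
# message text and write those entries to their own file.
:msg, contains, "iptables: "    /var/log/iptables.log

# Discard the matched message so it does not also land in the generic
# kernel log below. On rsyslog older than v7 the discard action is "& ~".
& stop

# Everything else from the kern facility goes where it went before.
kern.*                          -/var/log/kern.log
```

Rule order matters: the `contains` line must be processed before the general `kern.*` line, so place it ahead of that line (or ahead of the `$IncludeConfig` that pulls in the default rules). Because this is a plain substring match on the message text, choose a marker that no other kernel message is likely to contain.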