Use logrotate to manage iptables logs

Source: Internet
Author: User
Reading Tips: The logs in the Linux firewall are very helpful for debugging rules. you can see where the packages are going, what rules are processed, what rules are processed, and what kind of packages are processed. The following describes how to use the Kernel Log tool to manage IPtables logs. This article is intended for users. Read the targe LOGtarget mentioned in the Iptables Manual. note: logs in the Linux firewall are very helpful for debugging rules. you can see where the package went and what rules have been processed, what kind of rules are used to process and what kind of packages. The following describes how to use the Kernel Log tool to manage IPtables logs. This article is intended for users. As mentioned in the Iptables manual, the LOGtarget is used to record packet-related information. This information may be invalid, so it can be used for debugging. LOG will return details about the package, such as most of the IP header and other interesting information. This function is completed through the Kernel Log tool, generally syslogd. The returned information can be read by dmesg, or the log file of syslogd can be viewed directly, or other programs. LOG is very helpful for debugging rules. you can see where the package went, what rules are processed, what rules are processed, and what packages are processed. The following describes how to use the Kernel Log tool to manage IPtables logs.
1. configure the syslogd configuration file/etc/syslog. conf
Syslogd outputs log information to the/var/log/messages file by default. This section describes how to create a new IPtables log file/var/log/ Iptables. Modify the configuration file/etc/syslog. conf of syslogd to tell syslogdIPtables which record level to use. For details about the record level, you can view the file syslog. conf generally has the following levels: debug, info, notice, warning, warn, err, error, crit, alert, emerg, panic. Here, error and err, warn, warning, panic, and emerg are synonyms, that is, they play the same role. Note that these three levels are not in favor of use (because the amount of information is too large ). The information level indicates the severity of the problem reflected by the recorded information.
All LOG information of IPtables can be recorded through the kernel function.
First, add the following content to the file syslog. conf:
# Iptables logging
Kern. debug/var/log/iptables
Then specify the level of debug for The iptables LOG rules (for example, iptables-I INPUT 1-j LOG -- log-prefix '[IPTABLES DROP LOGS]:' -- log-leveldebug ), you can store all the information in the file/var/log/iptables.
Restart the syslog service or restart the computer.
I use FC6 and use the service syslog restart command to conveniently start the syslog service.
II. use IPtables to scroll logs
All log files will increase rapidly over time and the number of visits. Therefore, you must regularly clean up log files to avoid unnecessary disk space waste. In FC6, there is a special log rolling processing program logrotate. logrotate can automatically compress, back up, and delete logs. by default, logrotate is added to the daily scheduled tasks of the system, in this way, the administrator needs to handle the problem by himself.
First, check and confirm the configuration file/etc/logrotate. conf of logrotate as follows:
# See "man logrotate" for details
# Rotate log files weekly
Weekly
# Keep 4 weeks worth of backlogs
Rotate 4
# Create new (empty) log files after rotating old ones
Create
# Uncomment this if you want your log files compressed
# Compress
# RPM packages drop log rotation information into thisdirectory
Include/etc/logrotate. d
# No packages own wtmp -- we'll rotate them here
/Var/log/wtmp {
Monthly
Create 0664 root utmp
Rotate 1
}
# System-specific logs may be also be configured here.
Then add the IPtables log file/var/log/iptables to The syslog rolling log configuration file/etc/logrotate. d/syslog. The details are as follows:
/Var/log/iptables/var/log/messages/var/log/secure/var/log/maillog/var/log/spooler/var/log/boot. log/var/log/cron {
Sharedscripts
Postrotate
/Bin/kill-HUP 'cat/var/run/syslogd. pid 2>/dev/Null' 2>/dev/null | true
Endscript
}
Finally, logrotate is scheduled to run once a day. make sure the file/etc/cron. daily/logrotate contains the following content:
#! /Bin/sh
/Usr/sbin/logrotate/etc/logrotate. conf
EXITVALUE = $?
If [$ EXITVALUE! = 0]; then
/Usr/bin/logger-t logrotate "ALERT exited abnormally with [$ EXITVALUE]"
Fi
Exit 0
Now we have created a separate rolling log for IPtables to better analyze network attack information.
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.