Firehol logging into custom log file instead of /var/log/messages
In /etc/firehol/firehol.conf set
FIREHOL_LOG_PREFIX="firehol: "
FireHOL puts this string at the start of the --log-prefix of the netfilter LOG rules it generates, so every firewall message the kernel emits begins with "firehol: " and can be recognised by that prefix. Keep the trailing space; the rsyslog filter matches on the exact string.
Now tell rsyslog to write every message containing that prefix to a dedicated file and then stop processing it, so it does not also land in /var/log/messages (or /var/log/syslog). Put these two lines into /etc/rsyslog.d/firehol.conf:
:msg, contains, "firehol: " -/var/log/firehol.log
& ~
The leading "-" makes rsyslog write the file asynchronously (no sync after every line, which is what you want for a high-volume firewall log). "& ~" applies a second action, discard, to the same selection; on rsyslog 7 and later "& stop" is the preferred spelling. This only works if rsyslog reads /etc/rsyslog.d/ before the catch-all rules in /etc/rsyslog.conf, which is how the stock Debian and Ubuntu configuration is laid out (the include directive sits above the rules). If the firewall lines still show up in the general log, check that ordering first.
Log file rotation in /etc/logrotate.d/firehol:
/var/log/firehol.log {
    rotate 7
    daily
    missingok
    notifempty
    delaycompress
    compress
}
(from source)
Because rsyslog keeps /var/log/firehol.log open, add a postrotate hook that reloads rsyslog (copy the idiom from the distribution's own /etc/logrotate.d/rsyslog); without it rsyslog keeps writing into the renamed firehol.log.1 until its next restart, and the new firehol.log stays empty. Finally restart rsyslog so the new rule is loaded (on systemd hosts use the equivalent systemctl restart):
/etc/init.d/rsyslog restart
Searching firehol.log
Unique source addresses (potential attackers). The dots in the pattern must be escaped, because an unescaped "." matches any character:
grep -o 'SRC=[[:digit:]]\{1,3\}\.[[:digit:]]\{1,3\}\.[[:digit:]]\{1,3\}\.[[:digit:]]\{1,3\}' /var/log/firehol.log | sed 's/SRC=//' | sort -u
Unique destination ports, sorted numerically:
grep -o 'DPT=[[:digit:]]\+' /var/log/firehol.log | sed 's/DPT=//' | sort -un
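The two greps above each answer one question. The script below is an added example, not part of the original page: it wraps the same extraction in reusable shell functions and adds two views the page does not show, sources ranked by how many lines they produced, and the distinct source/port pairs, which tell a scanner sweeping many ports apart from one client retrying a single port. The lines in SAMPLE_LOG are constructed for this example in the netfilter LOG format that FireHOL's rules produce, using the prefix set in firehol.conf; the last line is an unrelated sshd message, included to show that the prefix filter drops it even though it contains an IP address. Function names and the sample addresses are assumptions of the example.

```shell
#!/bin/sh
# Summarise FireHOL/netfilter log lines. Added example, not FireHOL's own code.
# Usage: sh firehol-stats.sh /var/log/firehol.log
#        (with no argument it runs against the constructed sample below)

# Constructed sample lines in the format rsyslog writes with
# FIREHOL_LOG_PREFIX="firehol: ". Addresses are documentation ranges.
SAMPLE_LOG='Mar  3 10:00:01 gw kernel: [  123.456] firehol: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:00:02 gw kernel: [  124.001] firehol: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:00:03 gw kernel: [  125.002] firehol: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=5353 DPT=53 LEN=20
Mar  3 10:00:04 gw kernel: [  126.003] firehol: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:00:05 gw sshd[999]: Accepted publickey for admin from 192.0.2.9 port 5555 ssh2'

# Keep only lines carrying the FireHOL prefix. Protects the statistics if the
# rsyslog filter is ever loosened and other messages reach the same file.
# Reads the files given as arguments, or stdin when there are none.
firehol_lines() { grep -F 'firehol: ' "$@"; }

# Unique source addresses. Dots are escaped so "." cannot match any byte.
unique_src() {
  firehol_lines "$@" \
    | grep -oE 'SRC=([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | cut -d= -f2 | sort -u
}

# Unique destination ports, numerically sorted.
unique_dpt() {
  firehol_lines "$@" | grep -oE 'DPT=[0-9]+' | cut -d= -f2 | sort -un
}

# Source addresses ranked by number of log lines: "count ip", busiest first.
top_src() {
  firehol_lines "$@" \
    | grep -oE 'SRC=([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | cut -d= -f2 | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Distinct "ip port" pairs: many ports from one ip points at a port scan.
src_dpt_pairs() {
  firehol_lines "$@" \
    | sed -nE 's/.*SRC=([0-9.]+).*DPT=([0-9]+).*/\1 \2/p' | sort -u
}

if [ -n "${1:-}" ]; then
  echo "== top sources ==";       top_src "$1"
  echo "== destination ports =="; unique_dpt "$1"
  echo "== source/port pairs =="; src_dpt_pairs "$1"
else
  echo "== top sources (sample) ==";       printf '%s\n' "$SAMPLE_LOG" | top_src
  echo "== destination ports (sample) =="; printf '%s\n' "$SAMPLE_LOG" | unique_dpt
  echo "== source/port pairs (sample) =="; printf '%s\n' "$SAMPLE_LOG" | src_dpt_pairs
fi
```

On the sample, 203.0.113.7 tops the ranking with three lines against two ports, which is the shape of a scan, while the sshd line contributes nothing because it never passes firehol_lines. Run it against the real log with the file as the first argument, or pipe `zcat /var/log/firehol.log.*.gz` into the functions after sourcing the script to cover rotated history.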