Firehol logging into custom log file instead of /var/log/messages

From Andreida

In /etc/firehol/firehol.conf add

 FIREHOL_LOG_PREFIX="firehol: "

Every line that FireHOL's logging rules emit now starts with this prefix (note the trailing space), so the firewall messages can be told apart from other kernel messages.


Now tell rsyslog to write every message containing the prefix to a custom file and then discard it, so that it does not also end up in /var/log/messages. Put this in /etc/rsyslog.d/firehol.conf:

 :msg, contains, "firehol: " -/var/log/firehol.log
 & ~

The leading "-" in the file name turns off syncing after every write, which is fine for a high-volume firewall log. "& ~" discards the message just written; newer rsyslog versions accept "& stop" for the same purpose (the "~" form is deprecated there but still works). The firewall messages reach rsyslog through the kernel log module (imklog), which is loaded by default on most distributions. The snippet has to be included before the rule that writes kernel messages to /var/log/messages (on Debian the $IncludeConfig line for /etc/rsyslog.d sits above those rules), otherwise the discard comes too late and the lines are logged twice.

Logfile rotation in /etc/logrotate.d/firehol. rsyslog keeps the log file open, so after logrotate has renamed it rsyslogd must be told to reopen its files (SIGHUP), otherwise it keeps writing into the rotated copy:

/var/log/firehol.log
{
   rotate 7
   daily
   missingok
   notifempty
   delaycompress
   compress
   sharedscripts
   postrotate
      # Debian-style init script; elsewhere send SIGHUP to rsyslogd
      /etc/init.d/rsyslog rotate > /dev/null
   endscript
}

(from source)

Then restart rsyslog so that the new filter takes effect:

 /etc/init.d/rsyslog restart

Search the firehol.log

Search for the source addresses of logged packets (potential attacker IPs; note that SRC= is the address from the packet header, which can be spoofed for UDP and ICMP, so treat it as a lead, not as proof). The dots are escaped so that they match only a literal "." and not any character:

     grep -o 'SRC=[[:digit:]]\{1,3\}\.[[:digit:]]\{1,3\}\.[[:digit:]]\{1,3\}\.[[:digit:]]\{1,3\}' /var/log/firehol.log | sed 's/SRC=//' | sort -u

Check for destination ports:

    grep -o 'DPT=[[:digit:]]\+' /var/log/firehol.log | sed 's/DPT=//' | sort -un
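Putting the two searches together, here is an added shell example (not from the original page) that wraps them in functions and runs them on a constructed sample log, so it can be tried offline. It goes a little beyond the page: it also ranks sources by hit count and lists the ports one source probed, which is how a port scan shows up. It assumes the "firehol: " prefix from above and the standard netfilter LOG fields (SRC=, DPT=); the host name, timestamps and addresses in the sample are made up, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original page: extract source addresses
# and destination ports from a FireHOL/iptables log.  Assumes the
# "firehol: " prefix (FIREHOL_LOG_PREFIX) and the netfilter LOG fields.

# Constructed sample log in the format the kernel LOG target writes
# (host name, timestamps and addresses are made up for this example).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:00:01 host kernel: firehol: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:00:02 host kernel: firehol: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=23 SYN URGP=0
Mar  3 10:00:03 host kernel: firehol: IN=eth0 OUT= SRC=198.51.100.42 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0
Mar  3 10:00:04 host kernel: firehol: IN=eth0 OUT= SRC=198.51.100.42 DST=192.0.2.10 LEN=40 PROTO=UDP SPT=53 DPT=53 LEN=20
Mar  3 10:00:05 host kernel: firehol: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51236 DPT=3389 SYN URGP=0
Mar  3 10:00:06 host kernel: firehol: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 PROTO=ICMP TYPE=8 CODE=0
EOF

# Unique source addresses, one per line, sorted.  The dots are escaped
# so that only a literal "." matches.
attacker_ips() {
    grep -o 'SRC=[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}' "$1" | sed 's/^SRC=//' | sort -u
}

# Unique destination ports, numerically sorted (lines without DPT=,
# such as ICMP, are skipped by grep).
dest_ports() {
    grep -o 'DPT=[0-9]\{1,5\}' "$1" | sed 's/^DPT=//' | sort -un
}

# Source addresses ranked by number of logged packets, busiest first,
# printed as "<count> <ip>".
top_sources() {
    grep -o 'SRC=[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}' "$1" | sed 's/^SRC=//' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Destination ports probed by one source address ($2); a long list
# from a single source is the signature of a port scan.  -F matches
# the address as a fixed string, the trailing space stops 10.0.0.1
# from also matching 10.0.0.10.
ports_from() {
    grep -F "SRC=$2 " "$1" | grep -o 'DPT=[0-9]\{1,5\}' | sed 's/^DPT=//' | sort -un
}

printf 'Unique source addresses:\n'; attacker_ips "$SAMPLE_LOG"
printf '\nDestination ports:\n';      dest_ports   "$SAMPLE_LOG"
printf '\nSources by hit count:\n';   top_sources  "$SAMPLE_LOG"
printf '\nPorts probed by 203.0.113.7:\n'; ports_from "$SAMPLE_LOG" 203.0.113.7
```

Replace "$SAMPLE_LOG" with /var/log/firehol.log to run the functions against the real log; the hit-count ranking is usually the more useful first view, since a handful of sources tends to account for most of the noise.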