Firehol logging into custom log file instead of /var/log/messages

Revision as of 11:33, 16 February 2016 by Andreas (Andreida wiki)

In /etc/firehol/firehol.conf add

 FIREHOL_LOG_PREFIX="firehol: "

Every log line firehol emits now carries this prefix, which gives rsyslog a reliable string to match on.


Next, tell rsyslog to write every message carrying that prefix to a custom file and to stop processing it afterwards (so it no longer lands in /var/log/messages). Put the following in /etc/rsyslog.d/firehol.conf:

 :msg, contains, "firehol: " -/var/log/firehol.log
 & ~

The leading "-" writes the file asynchronously (buffered, without a sync per line), and "& ~" discards the message once it has been written. On rsyslog 7 and newer, "& stop" is the preferred form of the discard action; "~" still works but is deprecated there.

Log file rotation, in /etc/logrotate.d/firehol:

 /var/log/firehol.log
 {
    rotate 7
    daily
    missingok
    notifempty
    delaycompress
    compress
 }

(from source)

Finally, restart rsyslog so the new rule takes effect:

 /etc/init.d/rsyslog restart

Searching firehol.log

List the distinct source IPs that were logged (potential attackers). The dots in the pattern are escaped so they match a literal "." rather than any character:

 grep -o 'SRC=[[:digit:]]\{1,3\}\.[[:digit:]]\{1,3\}\.[[:digit:]]\{1,3\}\.[[:digit:]]\{1,3\}' /var/log/firehol.log | sed 's/SRC=//' | sort -u

List the distinct destination ports, numerically sorted:

 grep -o 'DPT=[[:digit:]]\+' /var/log/firehol.log | sed 's/DPT=//' | sort -un
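As an added example that is not part of the original page, the one-liners above collected into a small POSIX shell script, extended with a per-source hit count and a per-source port list (the usual first signs of a scan). The function names and the sample log lines are assumptions; the sample uses documentation addresses and stands in for /var/log/firehol.log so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original page. Summarises a firehol log
# produced with the FIREHOL_LOG_PREFIX and rsyslog rule shown above, so
# each line carries "firehol: " followed by netfilter's key=value fields.

# Constructed sample lines (RFC 5737 documentation addresses), a stand-in
# for /var/log/firehol.log so the script runs without a live firewall.
SAMPLE_LOG=$(cat <<'EOF'
Feb 16 11:33:01 host kernel: firehol: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22
Feb 16 11:33:02 host kernel: firehol: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=23
Feb 16 11:33:03 host kernel: firehol: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=4000 DPT=53
Feb 16 11:33:04 host kernel: firehol: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=22
EOF
)

# Dotted-quad pattern; dots are escaped so they do not match any character.
IP_RE='[[:digit:]]\{1,3\}\.[[:digit:]]\{1,3\}\.[[:digit:]]\{1,3\}\.[[:digit:]]\{1,3\}'

# Unique source addresses in the log file given as $1.
firehol_sources() {
    grep -o "SRC=$IP_RE" "$1" | sed 's/SRC=//' | sort -u
}

# Unique destination ports, numerically sorted.
firehol_ports() {
    grep -o 'DPT=[[:digit:]]\{1,\}' "$1" | sed 's/DPT=//' | sort -un
}

# Source addresses ranked by number of logged packets, as "count address".
firehol_top_sources() {
    grep -o "SRC=$IP_RE" "$1" | sed 's/SRC=//' | sort | uniq -c \
        | sort -rn | awk '{print $1, $2}'
}

# Distinct ports a single source ($2) touched; many ports from one address
# in a short window is the usual sign of a port scan. -F: match literally.
firehol_ports_by_source() {
    grep -F "SRC=$2 " "$1" | grep -o 'DPT=[[:digit:]]\{1,\}' | sed 's/DPT=//' | sort -un
}

# Stand-alone demo on the sample; use /var/log/firehol.log on a real host.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo"
echo "== unique sources ==";   firehol_sources "$demo"
echo "== unique ports ==";     firehol_ports "$demo"
echo "== busiest sources ==";  firehol_top_sources "$demo"
echo "== ports hit by 203.0.113.5 =="; firehol_ports_by_source "$demo" 203.0.113.5
rm -f "$demo"
```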