dmesg flooded with firewall logs
Clash Royale CLAN TAG#URR8PPP
In my iptables, I have a rule which logs dropped packets:
-A INPUT -i eth0 -j LOG --log-prefix "FW: " --log-level 7
-A INPUT -i eth0 -j DROP
And in /etc/rsyslog.conf, I have another rule which sends these logs to a dedicated file /var/log/firewall.log.
:msg, contains, "FW: " -/var/log/firewall.log
& ~
The & ~ deletes the logs immediately, so that they don't flood syslog or other log files.
This works well, except that it floods dmesg with those firewall logs (not /var/log/dmesg but the output of command dmesg).
Is there a way to prevent these logs being shown in dmesg ?
logs iptables rsyslog
edited May 11 '14 at 22:19
Gilles
537k12810871604
asked May 11 '14 at 18:58
Martin VegterMartin Vegter
25536126239
add a comment |
In my iptables, I have a rule which logs dropped packets:
-A INPUT -i eth0 -j LOG --log-prefix "FW: " --log-level 7
-A INPUT -i eth0 -j DROP
And in /etc/rsyslog.conf, I have another rule which sends these logs to a dedicated file /var/log/firewall.log.
:msg, contains, "FW: " -/var/log/firewall.log
& ~
The & ~ deletes the logs immediately, so that they don't flood syslog or other log files.
This works well, except that it floods dmesg with those firewall logs (not /var/log/dmesg but the output of command dmesg).
Is there a way to prevent these logs being shown in dmesg ?
logs iptables rsyslog
edited May 11 '14 at 22:19
Gilles
537k12810871604
asked May 11 '14 at 18:58
Martin VegterMartin Vegter
25536126239
What's the point in logging everything anyway?
– 0xC0000022L
May 11 '14 at 19:26
1
It's really no good idea to log all dropped packets. Better thing than eliminating the symptoms would be being more specific with your logging rule. E.g. it's not very wise to log any packets that are not related to any connection and don't do anything »special« (like connection initation). Would be much better to cut this down to relevant things like »Host A wanted to connect to port B«. Potentially the number of reasons a packet is dropped is massively greater than the number of reasons you would drop it for a relevant reason.
– Andreas Wiese
May 11 '14 at 21:47
1
@Andreas Wiese - I have simplified my rule for the sake of this question. My rules are more sophisticated and specific. But anyway, the question is how to preventdmesgbeing flooded, not about firewall rules.
– Martin Vegter
May 12 '14 at 7:13
add a comment |
In my iptables, I have a rule which logs dropped packets:
-A INPUT -i eth0 -j LOG --log-prefix "FW: " --log-level 7
-A INPUT -i eth0 -j DROP
And in /etc/rsyslog.conf, I have another rule which sends these logs to a dedicated file /var/log/firewall.log.
:msg, contains, "FW: " -/var/log/firewall.log
& ~
The & ~ deletes the logs immediately, so that they don't flood syslog or other log files.
This works well, except that it floods dmesg with those firewall logs (not /var/log/dmesg but the output of command dmesg).
Is there a way to prevent these logs being shown in dmesg ?
logs iptables rsyslog
edited May 11 '14 at 22:19
Gilles
537k12810871604
asked May 11 '14 at 18:58
Martin VegterMartin Vegter
25536126239
In my iptables, I have a rule which logs dropped packets:
-A INPUT -i eth0 -j LOG --log-prefix "FW: " --log-level 7
-A INPUT -i eth0 -j DROP
And in /etc/rsyslog.conf, I have another rule which sends these logs to a dedicated file /var/log/firewall.log.
:msg, contains, "FW: " -/var/log/firewall.log
& ~
The & ~ deletes the logs immediately, so that they don't flood syslog or other log files.
This works well, except that it floods dmesg with those firewall logs (not /var/log/dmesg but the output of command dmesg).
Is there a way to prevent these logs being shown in dmesg ?
logs iptables rsyslog
logs iptables rsyslog
edited May 11 '14 at 22:19
Gilles
537k12810871604
asked May 11 '14 at 18:58
Martin VegterMartin Vegter
25536126239
edited May 11 '14 at 22:19
Gilles
537k12810871604
asked May 11 '14 at 18:58
Martin VegterMartin Vegter
25536126239
edited May 11 '14 at 22:19
Gilles
537k12810871604
edited May 11 '14 at 22:19
Gilles
537k12810871604
edited May 11 '14 at 22:19
Gilles
537k12810871604
537k12810871604
asked May 11 '14 at 18:58
Martin VegterMartin Vegter
25536126239
asked May 11 '14 at 18:58
Martin VegterMartin Vegter
25536126239
asked May 11 '14 at 18:58
Martin VegterMartin Vegter
25536126239
25536126239
What's the point in logging everything anyway?
– 0xC0000022L
May 11 '14 at 19:26
1
It's really no good idea to log all dropped packets. Better thing than eliminating the symptoms would be being more specific with your logging rule. E.g. it's not very wise to log any packets that are not related to any connection and don't do anything »special« (like connection initation). Would be much better to cut this down to relevant things like »Host A wanted to connect to port B«. Potentially the number of reasons a packet is dropped is massively greater than the number of reasons you would drop it for a relevant reason.
– Andreas Wiese
May 11 '14 at 21:47
1
@Andreas Wiese - I have simplified my rule for the sake of this question. My rules are more sophisticated and specific. But anyway, the question is how to preventdmesgbeing flooded, not about firewall rules.
– Martin Vegter
May 12 '14 at 7:13
add a comment |
What's the point in logging everything anyway?
– 0xC0000022L
May 11 '14 at 19:26
1
It's really no good idea to log all dropped packets. Better thing than eliminating the symptoms would be being more specific with your logging rule. E.g. it's not very wise to log any packets that are not related to any connection and don't do anything »special« (like connection initation). Would be much better to cut this down to relevant things like »Host A wanted to connect to port B«. Potentially the number of reasons a packet is dropped is massively greater than the number of reasons you would drop it for a relevant reason.
– Andreas Wiese
May 11 '14 at 21:47
1
@Andreas Wiese - I have simplified my rule for the sake of this question. My rules are more sophisticated and specific. But anyway, the question is how to preventdmesgbeing flooded, not about firewall rules.
– Martin Vegter
May 12 '14 at 7:13
What's the point in logging everything anyway?
– 0xC0000022L
May 11 '14 at 19:26
What's the point in logging everything anyway?
– 0xC0000022L
May 11 '14 at 19:26
1
1
It's really no good idea to log all dropped packets. Better thing than eliminating the symptoms would be being more specific with your logging rule. E.g. it's not very wise to log any packets that are not related to any connection and don't do anything »special« (like connection initation). Would be much better to cut this down to relevant things like »Host A wanted to connect to port B«. Potentially the number of reasons a packet is dropped is massively greater than the number of reasons you would drop it for a relevant reason.
– Andreas Wiese
May 11 '14 at 21:47
It's really no good idea to log all dropped packets. Better thing than eliminating the symptoms would be being more specific with your logging rule. E.g. it's not very wise to log any packets that are not related to any connection and don't do anything »special« (like connection initation). Would be much better to cut this down to relevant things like »Host A wanted to connect to port B«. Potentially the number of reasons a packet is dropped is massively greater than the number of reasons you would drop it for a relevant reason.
– Andreas Wiese
May 11 '14 at 21:47
1
1
@Andreas Wiese - I have simplified my rule for the sake of this question. My rules are more sophisticated and specific. But anyway, the question is how to prevent
dmesg being flooded, not about firewall rules.– Martin Vegter
May 12 '14 at 7:13
@Andreas Wiese - I have simplified my rule for the sake of this question. My rules are more sophisticated and specific. But anyway, the question is how to prevent
dmesg being flooded, not about firewall rules.– Martin Vegter
May 12 '14 at 7:13
add a comment |
4 Answers
4
active
oldest
votes
You could use the NFLOG target instead of LOG:
NFLOG
This target provides logging of matching packets. When this target is set for a
rule, the Linux kernel will pass the packet to the loaded logging backend to log the
packet. This is usually used in combination with nfnetlink_log as logging backend,
which will multicast the packet through a netlink socket to the specified multicast
group. One or more userspace processes may subscribe to the group to receive the
packets. Like LOG, this is a non-terminating target, i.e. rule traversal continues
at the next rule.
All you'd need is a nfnetlink_log capable logging program. Messages would go there and the userspace process would decide whether to log the packet or not.
Another thing you could try would be limiting the LOG rule to a specific threshold:
-A INPUT -i eth0 -m limit --limit 10/minutes -j LOG --log-prefix "FW: " --log-level 7
-A INPUT -i eth0 -j DROP
This would on average log 10 packets per minute. You could of course adjust this at your needs.
answered May 12 '14 at 9:42
Andreas WieseAndreas Wiese
7,6892234
I was not able to find any information how to configurersyslogto logNFLOGpackets. I need some solution that will work withrsyslog.
– Martin Vegter
May 20 '14 at 21:25
1
@MartinVegter - NFLOG will work with rsyslog. For NFLOG, you would use ulogd (I think ulogd2 is needed) as the go-between. It will listen on the netlink socket to get the logs, and deliver them (as configured) to syslog. If ulogd2 is not available, use ulogd (1.x) and the ULOG target.
– Christopher Cashell
May 7 '15 at 15:28
add a comment |
It may be related to the log-level you are using in iptables. As I understand it from the rsyslog documentation log levels are: "The priority is one of the following keywords, in ascending order: debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg)." What about trying to specify the log level in iptables by using its name, i.e. 'notice'.
Well serves me right for posting without checking as I now think that is not the issue at all. I implemented a similar scheme to that outlined above and I get the same issue. My centos 7 kernel is v3.10.0 and apparently since v3.5 it seems that kernel logging is done using /dev/kmsg and I presume dmesg somehow gets its input from there.
answered Jul 28 '14 at 2:24
VaughanRVaughanR
11
add a comment |
When you have set the log level to 7 with the command:
-A INPUT -i eth0 -j LOG --log-prefix "FW: " --log-level 7
Then you can simply filter out these messages by passing the level threshold to the dmesg:
dmesg --level=err,warn
answered Jan 28 at 9:35
peakpeak
1
add a comment |
Why do you care? dmesg is a low-level tool to print recent kernel messages, and you did ask for the kernel to log dropped packets.
Configure your system's syslog system to log iptables messages in a separate log file from other kernel messages, and use the log files that it writes instead of dmesg.
answered Jul 28 '14 at 8:05
Colin PhippsColin Phipps
974
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f128949%2fdmesg-flooded-with-firewall-logs%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
You could use the NFLOG target instead of LOG:
NFLOG
This target provides logging of matching packets. When this target is set for a
rule, the Linux kernel will pass the packet to the loaded logging backend to log the
packet. This is usually used in combination with nfnetlink_log as logging backend,
which will multicast the packet through a netlink socket to the specified multicast
group. One or more userspace processes may subscribe to the group to receive the
packets. Like LOG, this is a non-terminating target, i.e. rule traversal continues
at the next rule.
All you'd need is a nfnetlink_log capable logging program. Messages would go there and the userspace process would decide whether to log the packet or not.
Another thing you could try would be limiting the LOG rule to a specific threshold:
-A INPUT -i eth0 -m limit --limit 10/minutes -j LOG --log-prefix "FW: " --log-level 7
-A INPUT -i eth0 -j DROP
This would on average log 10 packets per minute. You could of course adjust this at your needs.
answered May 12 '14 at 9:42
Andreas WieseAndreas Wiese
7,6892234
I was not able to find any information how to configurersyslogto logNFLOGpackets. I need some solution that will work withrsyslog.
– Martin Vegter
May 20 '14 at 21:25
1
@MartinVegter - NFLOG will work with rsyslog. For NFLOG, you would use ulogd (I think ulogd2 is needed) as the go-between. It will listen on the netlink socket to get the logs, and deliver them (as configured) to syslog. If ulogd2 is not available, use ulogd (1.x) and the ULOG target.
– Christopher Cashell
May 7 '15 at 15:28
add a comment |
You could use the NFLOG target instead of LOG:
NFLOG
This target provides logging of matching packets. When this target is set for a
rule, the Linux kernel will pass the packet to the loaded logging backend to log the
packet. This is usually used in combination with nfnetlink_log as logging backend,
which will multicast the packet through a netlink socket to the specified multicast
group. One or more userspace processes may subscribe to the group to receive the
packets. Like LOG, this is a non-terminating target, i.e. rule traversal continues
at the next rule.
All you'd need is a nfnetlink_log capable logging program. Messages would go there and the userspace process would decide whether to log the packet or not.
Another thing you could try would be limiting the LOG rule to a specific threshold:
-A INPUT -i eth0 -m limit --limit 10/minutes -j LOG --log-prefix "FW: " --log-level 7
-A INPUT -i eth0 -j DROP
This would on average log 10 packets per minute. You could of course adjust this at your needs.
answered May 12 '14 at 9:42
Andreas WieseAndreas Wiese
7,6892234
I was not able to find any information how to configurersyslogto logNFLOGpackets. I need some solution that will work withrsyslog.
– Martin Vegter
May 20 '14 at 21:25
1
@MartinVegter - NFLOG will work with rsyslog. For NFLOG, you would use ulogd (I think ulogd2 is needed) as the go-between. It will listen on the netlink socket to get the logs, and deliver them (as configured) to syslog. If ulogd2 is not available, use ulogd (1.x) and the ULOG target.
– Christopher Cashell
May 7 '15 at 15:28
add a comment |
You could use the NFLOG target instead of LOG:
NFLOG
This target provides logging of matching packets. When this target is set for a
rule, the Linux kernel will pass the packet to the loaded logging backend to log the
packet. This is usually used in combination with nfnetlink_log as logging backend,
which will multicast the packet through a netlink socket to the specified multicast
group. One or more userspace processes may subscribe to the group to receive the
packets. Like LOG, this is a non-terminating target, i.e. rule traversal continues
at the next rule.
All you'd need is a nfnetlink_log capable logging program. Messages would go there and the userspace process would decide whether to log the packet or not.
Another thing you could try would be limiting the LOG rule to a specific threshold:
-A INPUT -i eth0 -m limit --limit 10/minutes -j LOG --log-prefix "FW: " --log-level 7
-A INPUT -i eth0 -j DROP
This would on average log 10 packets per minute. You could of course adjust this at your needs.
answered May 12 '14 at 9:42
Andreas WieseAndreas Wiese
7,6892234
You could use the NFLOG target instead of LOG:
NFLOG
This target provides logging of matching packets. When this target is set for a
rule, the Linux kernel will pass the packet to the loaded logging backend to log the
packet. This is usually used in combination with nfnetlink_log as logging backend,
which will multicast the packet through a netlink socket to the specified multicast
group. One or more userspace processes may subscribe to the group to receive the
packets. Like LOG, this is a non-terminating target, i.e. rule traversal continues
at the next rule.
All you'd need is a nfnetlink_log capable logging program. Messages would go there and the userspace process would decide whether to log the packet or not.
Another thing you could try would be limiting the LOG rule to a specific threshold:
-A INPUT -i eth0 -m limit --limit 10/minutes -j LOG --log-prefix "FW: " --log-level 7
-A INPUT -i eth0 -j DROP
This would on average log 10 packets per minute. You could of course adjust this at your needs.
answered May 12 '14 at 9:42
Andreas WieseAndreas Wiese
7,6892234
answered May 12 '14 at 9:42
Andreas WieseAndreas Wiese
7,6892234
answered May 12 '14 at 9:42
Andreas WieseAndreas Wiese
7,6892234
answered May 12 '14 at 9:42
Andreas WieseAndreas Wiese
7,6892234
7,6892234
I was not able to find any information how to configurersyslogto logNFLOGpackets. I need some solution that will work withrsyslog.
– Martin Vegter
May 20 '14 at 21:25
1
@MartinVegter - NFLOG will work with rsyslog. For NFLOG, you would use ulogd (I think ulogd2 is needed) as the go-between. It will listen on the netlink socket to get the logs, and deliver them (as configured) to syslog. If ulogd2 is not available, use ulogd (1.x) and the ULOG target.
– Christopher Cashell
May 7 '15 at 15:28
add a comment |
I was not able to find any information how to configurersyslogto logNFLOGpackets. I need some solution that will work withrsyslog.
– Martin Vegter
May 20 '14 at 21:25
1
@MartinVegter - NFLOG will work with rsyslog. For NFLOG, you would use ulogd (I think ulogd2 is needed) as the go-between. It will listen on the netlink socket to get the logs, and deliver them (as configured) to syslog. If ulogd2 is not available, use ulogd (1.x) and the ULOG target.
– Christopher Cashell
May 7 '15 at 15:28
I was not able to find any information how to configure
rsyslog to log NFLOG packets. I need some solution that will work with rsyslog.– Martin Vegter
May 20 '14 at 21:25
I was not able to find any information how to configure
rsyslog to log NFLOG packets. I need some solution that will work with rsyslog.– Martin Vegter
May 20 '14 at 21:25
1
1
@MartinVegter - NFLOG will work with rsyslog. For NFLOG, you would use ulogd (I think ulogd2 is needed) as the go-between. It will listen on the netlink socket to get the logs, and deliver them (as configured) to syslog. If ulogd2 is not available, use ulogd (1.x) and the ULOG target.
– Christopher Cashell
May 7 '15 at 15:28
@MartinVegter - NFLOG will work with rsyslog. For NFLOG, you would use ulogd (I think ulogd2 is needed) as the go-between. It will listen on the netlink socket to get the logs, and deliver them (as configured) to syslog. If ulogd2 is not available, use ulogd (1.x) and the ULOG target.
– Christopher Cashell
May 7 '15 at 15:28
add a comment |
It may be related to the log-level you are using in iptables. As I understand it from the rsyslog documentation log levels are: "The priority is one of the following keywords, in ascending order: debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg)." What about trying to specify the log level in iptables by using its name, i.e. 'notice'.
Well serves me right for posting without checking as I now think that is not the issue at all. I implemented a similar scheme to that outlined above and I get the same issue. My centos 7 kernel is v3.10.0 and apparently since v3.5 it seems that kernel logging is done using /dev/kmsg and I presume dmesg somehow gets its input from there.
answered Jul 28 '14 at 2:24
VaughanRVaughanR
11
add a comment |
It may be related to the log-level you are using in iptables. As I understand it from the rsyslog documentation log levels are: "The priority is one of the following keywords, in ascending order: debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg)." What about trying to specify the log level in iptables by using its name, i.e. 'notice'.
Well serves me right for posting without checking as I now think that is not the issue at all. I implemented a similar scheme to that outlined above and I get the same issue. My centos 7 kernel is v3.10.0 and apparently since v3.5 it seems that kernel logging is done using /dev/kmsg and I presume dmesg somehow gets its input from there.
answered Jul 28 '14 at 2:24
VaughanRVaughanR
11
add a comment |
It may be related to the log-level you are using in iptables. As I understand it from the rsyslog documentation log levels are: "The priority is one of the following keywords, in ascending order: debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg)." What about trying to specify the log level in iptables by using its name, i.e. 'notice'.
Well serves me right for posting without checking as I now think that is not the issue at all. I implemented a similar scheme to that outlined above and I get the same issue. My centos 7 kernel is v3.10.0 and apparently since v3.5 it seems that kernel logging is done using /dev/kmsg and I presume dmesg somehow gets its input from there.
answered Jul 28 '14 at 2:24
VaughanRVaughanR
11
It may be related to the log-level you are using in iptables. As I understand it from the rsyslog documentation log levels are: "The priority is one of the following keywords, in ascending order: debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg)." What about trying to specify the log level in iptables by using its name, i.e. 'notice'.
Well serves me right for posting without checking as I now think that is not the issue at all. I implemented a similar scheme to that outlined above and I get the same issue. My centos 7 kernel is v3.10.0 and apparently since v3.5 it seems that kernel logging is done using /dev/kmsg and I presume dmesg somehow gets its input from there.
answered Jul 28 '14 at 2:24
VaughanRVaughanR
11
edited Jul 28 '14 at 22:01
answered Jul 28 '14 at 2:24
VaughanRVaughanR
11
answered Jul 28 '14 at 2:24
VaughanRVaughanR
11
answered Jul 28 '14 at 2:24
VaughanRVaughanR
11
11
add a comment |
add a comment |
When you have set the log level to 7 with the command:
-A INPUT -i eth0 -j LOG --log-prefix "FW: " --log-level 7
Then you can simply filter out these messages by passing the level threshold to the dmesg:
dmesg --level=err,warn
answered Jan 28 at 9:35
peakpeak
1
add a comment |
When you have set the log level to 7 with the command:
-A INPUT -i eth0 -j LOG --log-prefix "FW: " --log-level 7
Then you can simply filter out these messages by passing the level threshold to the dmesg:
dmesg --level=err,warn
answered Jan 28 at 9:35
peakpeak
1
add a comment |
When you have set the log level to 7 with the command:
-A INPUT -i eth0 -j LOG --log-prefix "FW: " --log-level 7
Then you can simply filter out these messages by passing the level threshold to the dmesg:
dmesg --level=err,warn
answered Jan 28 at 9:35
peakpeak
1
When you have set the log level to 7 with the command:
-A INPUT -i eth0 -j LOG --log-prefix "FW: " --log-level 7
Then you can simply filter out these messages by passing the level threshold to the dmesg:
dmesg --level=err,warn
answered Jan 28 at 9:35
peakpeak
1
answered Jan 28 at 9:35
peakpeak
1
answered Jan 28 at 9:35
peakpeak
1
answered Jan 28 at 9:35
peakpeak
1
1
add a comment |
add a comment |
Why do you care? dmesg is a low-level tool to print recent kernel messages, and you did ask for the kernel to log dropped packets.
Configure your system's syslog system to log iptables messages in a separate log file from other kernel messages, and use the log files that it writes instead of dmesg.
answered Jul 28 '14 at 8:05
Colin PhippsColin Phipps
974
add a comment |
Why do you care? dmesg is a low-level tool to print recent kernel messages, and you did ask for the kernel to log dropped packets.
Configure your system's syslog system to log iptables messages in a separate log file from other kernel messages, and use the log files that it writes instead of dmesg.
answered Jul 28 '14 at 8:05
Colin PhippsColin Phipps
974
add a comment |
Why do you care? dmesg is a low-level tool to print recent kernel messages, and you did ask for the kernel to log dropped packets.
Configure your system's syslog system to log iptables messages in a separate log file from other kernel messages, and use the log files that it writes instead of dmesg.
answered Jul 28 '14 at 8:05
Colin PhippsColin Phipps
974
Why do you care? dmesg is a low-level tool to print recent kernel messages, and you did ask for the kernel to log dropped packets.
Configure your system's syslog system to log iptables messages in a separate log file from other kernel messages, and use the log files that it writes instead of dmesg.
answered Jul 28 '14 at 8:05
Colin PhippsColin Phipps
974
answered Jul 28 '14 at 8:05
Colin PhippsColin Phipps
974
answered Jul 28 '14 at 8:05
Colin PhippsColin Phipps
974
answered Jul 28 '14 at 8:05
Colin PhippsColin Phipps
974
974
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f128949%2fdmesg-flooded-with-firewall-logs%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
What's the point in logging everything anyway?
– 0xC0000022L
May 11 '14 at 19:26
1
It's really no good idea to log all dropped packets. Better thing than eliminating the symptoms would be being more specific with your logging rule. E.g. it's not very wise to log any packets that are not related to any connection and don't do anything »special« (like connection initation). Would be much better to cut this down to relevant things like »Host A wanted to connect to port B«. Potentially the number of reasons a packet is dropped is massively greater than the number of reasons you would drop it for a relevant reason.
– Andreas Wiese
May 11 '14 at 21:47
1
@Andreas Wiese - I have simplified my rule for the sake of this question. My rules are more sophisticated and specific. But anyway, the question is how to prevent
dmesgbeing flooded, not about firewall rules.– Martin Vegter
May 12 '14 at 7:13