FS#5997 - [syslog-ng 2.0.0] iptables logs are found in /var/log/kernel.log
Attached to Project: Arch Linux
Opened by solsTiCe (zebul666) - Tuesday, 12 December 2006, 18:56 GMT
Last edited by Tobias Powalowski (tpowa) - Thursday, 25 October 2007, 10:06 GMT
Details
Hi. With the previous syslog-ng 1.6.10 and the new 2.0.0, I got iptables logs in /var/log/kernel.log, but I expect them to be only in /var/log/iptables.log and not in both iptables.log and kernel.log. Is it a matter of taste?

So I changed my syslog-ng.conf line 49 to this:

filter f_kernel { facility(kern) and not match("IN=.*OUT="); };

That expression match("IN=.*OUT=") now appears in 3 places in syslog-ng.conf. Maybe there is some better way to filter iptables logs? By default they come from the kernel facility at info level?

P.S.: I wonder why cron messages are included in messages.log while they are already logged in crond.log! Duplicate logs then again! Line 57 of syslog-ng.conf could be changed to:

filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news, cron) and not program(syslog-ng) and not match("IN=.*OUT="); };

Do as you wish! :-)
Closed by Tobias Powalowski (tpowa) - Thursday, 25 October 2007, 10:06 GMT
Reason for closing: Fixed
Additional comments about closing: syslog-ng-2.0.5-4
          
        Thursday, 25 October 2007, 10:06 GMT
Reason for closing: Fixed
Additional comments about closing: syslog-ng-2.0.5-4
Attachment: syslog-ng.conf.diff
filter f_kernel { facility(kern) and not filter(f_iptables); };
Dec 13 18:45:54 kromka syslog-ng[22569]: Log statistics; processed='center(queued)=145', processed='center(received)=52', processed='destination(console)=0', processed='destination(mail)=0', processed='destination(user)=0', processed='destination(uucp)=0', processed='destination(messages)=21', processed='destination(news)=0', processed='destination(iptables)=0', processed='destination(everything)=52', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=11', processed='destination(authlog)=0', processed='destination(errors)=20', processed='destination(kernel)=35', processed='destination(daemon)=6', processed='source(src)=52'
This renders the log file unreadable, not to mention the quick increase in log file size.
See http://www.balabit.com/products/syslog_ng/reference-2.0/syslog-ng.html/index.html for syntax.
I'm very slowly beginning to read up on syslog-ng and I think our default config is far from perfect.
The chapter about pipe() (see the link above), for example, even warns about using 'pipe("/proc/kmsg")'.
Could it be that you have a "stats(600)" in the options group of your syslog-ng.conf? If yes, then comment it out for a try to see what happens.
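As an added example (not the attached syslog-ng.conf.diff and not Arch's shipped config), this syslog-ng 2.0 fragment answers the reporter's question about repeating match("IN=.*OUT=") in three places: one iptables log path marked flags(final) consumes those lines before the kernel and messages paths see them, and the same trick drops cron duplicates from messages.log. The source, destination and file names are assumed to mirror the ones named in this report; stats(0) disabling the periodic "Log statistics" line is also an assumption.

```conf
# Added example, not the project's own syslog-ng.conf (assumed 2.0 syntax).
# stats(0) is assumed to silence the periodic "Log statistics; processed=..." line.
options { stats(0); };

source src { unix-stream("/dev/log"); internal(); file("/proc/kmsg"); };

# iptables LOG target lines carry "IN=<if> OUT=<if>"; match() tests the message text.
filter f_iptables { match("IN=.*OUT="); };
# Same filter as the attached diff; with flags(final) below the exclusion is
# belt-and-braces, but it keeps kernel.log correct even if the log order changes.
filter f_kernel   { facility(kern) and not filter(f_iptables); };
filter f_cron     { facility(cron); };
# No match("IN=.*OUT=") repeated here: the final iptables path already took those lines.
filter f_messages { level(info..warn)
                    and not facility(auth, authpriv, mail, news, cron)
                    and not program(syslog-ng); };

destination iptables { file("/var/log/iptables.log"); };
destination kernel   { file("/var/log/kernel.log"); };
destination cron     { file("/var/log/crond.log"); };
destination messages { file("/var/log/messages.log"); };

# Order matters: flags(final) stops a matched message from reaching any later
# log statement, so iptables lines land only in iptables.log and cron lines only in crond.log.
log { source(src); filter(f_iptables); destination(iptables); flags(final); };
log { source(src); filter(f_cron);     destination(cron);     flags(final); };
log { source(src); filter(f_kernel);   destination(kernel); };
log { source(src); filter(f_messages); destination(messages); };
```

Caveat: flags(final) also keeps those messages out of any catch-all path (such as the "everything" destination in the statistics line above) placed after it, so put a catch-all log statement before the final ones if a complete copy is still wanted.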