Scenario Proposal #20325

Updated by Daniel Dehennin almost 9 years ago

h3. Problem

The iptables logs do not seem to be filtered correctly by our rsyslog rules.

h3. Initial request

After testing the various log levels for iptables, I noticed that only /var/log/rsyslog/local/iptables/iptables.warning.log was being fed, by the rule _iptables -A ext-bas -i eth0 -m limit --limit 2/sec -j LOG --log-prefix "iptables connection attempt: "_.
The other logs are sent to /var/log/syslog for levels 0, 1, 2 and 3, and to /var/log/rsyslog/local/kernel/kernel.*.log.

<pre>
root@amon25-dsden02:~# iptables -I OUTPUT -d 8.8.8.8 -j LOG --log-prefix "TEST-LOG--DEFAUT "
root@amon25-dsden02:~# iptables -I OUTPUT -d 8.8.8.8 -j LOG --log-prefix "TEST-LOG--7-debug " --log-level 7
root@amon25-dsden02:~# iptables -I OUTPUT -d 8.8.8.8 -j LOG --log-prefix "TEST-LOG--6-info " --log-level 6
root@amon25-dsden02:~# iptables -I OUTPUT -d 8.8.8.8 -j LOG --log-prefix "TEST-LOG--5-notice " --log-level 5
root@amon25-dsden02:~# iptables -I OUTPUT -d 8.8.8.8 -j LOG --log-prefix "TEST-LOG--4-warning " --log-level 4
root@amon25-dsden02:~# iptables -I OUTPUT -d 8.8.8.8 -j LOG --log-prefix "TEST-LOG--3-error " --log-level 3
root@amon25-dsden02:~# iptables -I OUTPUT -d 8.8.8.8 -j LOG --log-prefix "TEST-LOG--2-crit " --log-level 2
root@amon25-dsden02:~# iptables -I OUTPUT -d 8.8.8.8 -j LOG --log-prefix "TEST-LOG--1-alert " --log-level 1
root@amon25-dsden02:~# iptables -I OUTPUT -d 8.8.8.8 -j LOG --log-prefix "TEST-LOG--0-emerg " --log-level 0

root@amon25-dsden02:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=55 time=677 ms
^C
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.195/4.195/4.195/0.000 ms

root@amon25-dsden02:~# grep TEST-LOG-- /var/log/* -R
/var/log/rsyslog/local/kernel/kernel.emerg.log:2017-04-27T09:38:08.913948+02:00 amon25-dsden02.dsden02.in.ac-amiens.fr kernel: [40746.365791] TEST-LOG--0-emerg IN= OUT=eth0 SRC=10.67.128.240 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=51566 DF PROTO=ICMP TYPE=8 CODE=0 ID=31811 SEQ=1
/var/log/rsyslog/local/kernel/kernel.warning.log:2017-04-27T09:38:08.914001+02:00 amon25-dsden02.dsden02.in.ac-amiens.fr kernel: [40746.366455] TEST-LOG--4-warning IN= OUT=eth0 SRC=10.67.128.240 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=51566 DF PROTO=ICMP TYPE=8 CODE=0 ID=31811 SEQ=1
/var/log/rsyslog/local/kernel/kernel.warning.log:2017-04-27T09:38:08.914020+02:00 amon25-dsden02.dsden02.in.ac-amiens.fr kernel: [40746.366480] TEST-LOG--DEFAUT IN= OUT=eth0 SRC=10.67.128.240 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=51566 DF PROTO=ICMP TYPE=8 CODE=0 ID=31811 SEQ=1
/var/log/rsyslog/local/kernel/kernel.alert.log:2017-04-27T09:38:08.913971+02:00 amon25-dsden02.dsden02.in.ac-amiens.fr kernel: [40746.366434] TEST-LOG--1-alert IN= OUT=eth0 SRC=10.67.128.240 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=51566 DF PROTO=ICMP TYPE=8 CODE=0 ID=31811 SEQ=1
/var/log/syslog:2017-04-27T09:38:08.913948+02:00 amon25-dsden02.dsden02.in.ac-amiens.fr kernel: [40746.365791] TEST-LOG--0-emerg IN= OUT=eth0 SRC=10.67.128.240 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=51566 DF PROTO=ICMP TYPE=8 CODE=0 ID=31811 SEQ=1
/var/log/syslog:2017-04-27T09:38:08.913971+02:00 amon25-dsden02.dsden02.in.ac-amiens.fr kernel: [40746.366434] TEST-LOG--1-alert IN= OUT=eth0 SRC=10.67.128.240 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=51566 DF PROTO=ICMP TYPE=8 CODE=0 ID=31811 SEQ=1
/var/log/syslog:2017-04-27T09:38:08.913980+02:00 amon25-dsden02.dsden02.in.ac-amiens.fr kernel: [40746.366442] TEST-LOG--2-crit IN= OUT=eth0 SRC=10.67.128.240 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=51566 DF PROTO=ICMP TYPE=8 CODE=0 ID=31811 SEQ=1
/var/log/syslog:2017-04-27T09:38:08.913985+02:00 amon25-dsden02.dsden02.in.ac-amiens.fr kernel: [40746.366449] TEST-LOG--3-error IN= OUT=eth0 SRC=10.67.128.240 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=51566 DF PROTO=ICMP TYPE=8 CODE=0 ID=31811 SEQ=1
root@amon25-dsden02:~#
</pre>

How can the iptables logs be sent to /var/log/rsyslog/local/iptables/iptables.*.log?
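Added example, not code from the ticket or from the project: a small Python parser for the kernel log lines shown in the grep output above, plus a replay of one plausible rsyslog routing rule over them. The rule it replays, that a kernel message is filed under iptables.<severity>.log only when the message text starts with `iptables` and under kernel.<severity>.log otherwise, is an assumption; the ticket does not show the host's actual rsyslog configuration. The third sample line (a TCP SYN with a TEST-NET source address) is constructed, the first two are copied from the grep output.

```python
"""Parse iptables LOG lines as rsyslog filed them and replay a prefix-based
routing rule, to show why a line lands in kernel.*.log rather than
iptables.*.log.  The routing rule is an ASSUMPTION about the rsyslog
configuration, which the ticket does not show."""
import re

# Syslog severity names in kernel --log-level order (0 = emerg ... 7 = debug).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

IPTABLES_DIR = "/var/log/rsyslog/local/iptables"
KERNEL_DIR = "/var/log/rsyslog/local/kernel"

# Constructed sample in the shape of the ticket's `grep -R` output.
# Lines 1 and 2 are copied from the ticket; line 3 is constructed.
SAMPLE_GREP_OUTPUT = """\
/var/log/rsyslog/local/kernel/kernel.emerg.log:2017-04-27T09:38:08.913948+02:00 amon25-dsden02.dsden02.in.ac-amiens.fr kernel: [40746.365791] TEST-LOG--0-emerg IN= OUT=eth0 SRC=10.67.128.240 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=51566 DF PROTO=ICMP TYPE=8 CODE=0 ID=31811 SEQ=1
/var/log/rsyslog/local/kernel/kernel.warning.log:2017-04-27T09:38:08.914020+02:00 amon25-dsden02.dsden02.in.ac-amiens.fr kernel: [40746.366480] TEST-LOG--DEFAUT IN= OUT=eth0 SRC=10.67.128.240 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=51566 DF PROTO=ICMP TYPE=8 CODE=0 ID=31811 SEQ=1
/var/log/rsyslog/local/iptables/iptables.warning.log:2017-04-27T09:40:01.000000+02:00 amon25-dsden02.dsden02.in.ac-amiens.fr kernel: [40859.000000] iptables connection attempt: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=10.67.128.240 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# <timestamp> <host> kernel: [<uptime>] <log-prefix>IN=... ; the prefix is
# whatever iptables was given with --log-prefix, up to the first "IN=".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: \[\s*(?P<uptime>[\d.]+)\] "
    r"(?P<prefix>.*?)(?P<rest>IN=.*)$"
)


def split_grep_line(line):
    """`grep -R` prints <path>:<message>; the path contains no colon."""
    path, msg = line.split(":", 1)
    return path, msg


def parse_fields(rest):
    """Turn 'IN= OUT=eth0 SRC=... DF ...' into a dict plus bare flags.
    Repeated keys (IP header ID and ICMP ID are both logged as ID=) get a
    numbered suffix instead of silently overwriting the first value."""
    fields, flags = {}, []
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            if key in fields:
                n = 2
                while f"{key}#{n}" in fields:
                    n += 1
                key = f"{key}#{n}"
            fields[key] = value
        else:
            flags.append(tok)  # DF, SYN, ACK, ... carry no value
    return fields, flags


def parse_kernel_line(msg):
    """Parse one rsyslog-formatted kernel line; None if it is not an iptables LOG line."""
    m = LINE_RE.match(msg)
    if not m:
        return None
    fields, flags = parse_fields(m.group("rest"))
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "prefix": m.group("prefix").rstrip(),
        "fields": fields,
        "flags": flags,
    }


def severity_from_path(path):
    """kernel.emerg.log -> 'emerg'; /var/log/syslog carries no severity -> None."""
    m = re.search(r"\.(\w+)\.log$", path)
    return m.group(1) if m else None


def route(severity, prefix):
    """ASSUMED rsyslog behaviour (hypothetical, not the host's real rules):
    messages whose text starts with 'iptables' go to iptables.<sev>.log,
    every other kernel message goes to kernel.<sev>.log."""
    if prefix.startswith("iptables"):
        return f"{IPTABLES_DIR}/iptables.{severity}.log"
    return f"{KERNEL_DIR}/kernel.{severity}.log"


def check_routing(grep_output):
    """For each grep line whose path encodes a severity, compare where rsyslog
    actually filed it with where the assumed rule would file it."""
    results = []
    for line in grep_output.splitlines():
        path, msg = split_grep_line(line)
        severity = severity_from_path(path)
        parsed = parse_kernel_line(msg)
        if severity is None or parsed is None:
            continue
        predicted = route(severity, parsed["prefix"])
        results.append({
            "prefix": parsed["prefix"],
            "src": parsed["fields"].get("SRC"),
            "dst": parsed["fields"].get("DST"),
            "actual": path,
            "predicted": predicted,
            "matches": predicted == path,
        })
    return results


if __name__ == "__main__":
    for r in check_routing(SAMPLE_GREP_OUTPUT):
        status = "ok " if r["matches"] else "MISMATCH"
        print(f"{status} {r['prefix']!r:35} {r['src']} -> {r['dst']}  filed in {r['actual']}")
```

Run against real output with `grep -R TEST-LOG-- /var/log/ | python3 -` style piping after replacing `SAMPLE_GREP_OUTPUT` with `sys.stdin.read()`; a `MISMATCH` row means the assumed prefix rule does not describe the host's rsyslog configuration and the real rules need to be read.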