File: README.SYSLOG

psad 1.4.8-1
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
TESTING YOUR INSTALLATION:

The psad installer does its best to reconfigure your syslog daemon to write
all kern.info messages (or higher) to the /var/lib/psad/psadfifo named pipe
for analysis.  However, in order to test whether your installation is working
or not, you can do the following as root:

  $ iptables -I INPUT -i lo -p tcp --dport 3003 -j LOG --log-prefix "Inbound "
  $ telnet localhost 3003

Assuming that psad is running, this should generate in /var/log/psad/fwdata
something similar to:

  Jun 15 23:37:33 <your_hostname> kernel: Inbound IN=lo OUT=
  MAC=<mac_addresses> SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00
  TTL=64 ID=47312 DF PROTO=TCP SPT=40945 DPT=3003 WINDOW=32767 RES=0x00 SYN
  URGP=0

Also, executing "psad --Status" should display (among other things) something
like:

    Iptables prefix counters:
        "Inbound": 1


If the /var/log/psad/fwdata file is empty but you are getting messages in the
system log (for example when you type "dmesg" or in /var/log/messages), then
you should make sure that psad has the fifo open:

  $ lsof | grep psadfifo

You should get something along the lines of:

  syslogd     942   root   20u   FIFO  3,5   544097 /var/lib/psad/psadfifo
  kmsgsd    25457   root    0u   FIFO  3,5   544097 /var/lib/psad/psadfifo
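As an added illustration (not code from psad or this README), the shell functions below reproduce the checks above on constructed data: they count Netfilter log lines per --log-prefix the way the "Iptables prefix counters" summary of "psad --Status" does, pull a single field such as DPT out of the log lines, and confirm from lsof-style output that both the syslog daemon and kmsgsd hold /var/lib/psad/psadfifo open. SAMPLE_LOG and SAMPLE_LSOF are constructed samples with a placeholder hostname and MAC address; on a live system you would feed in /var/log/psad/fwdata and the output of "lsof | grep psadfifo" instead.

```shell
#!/bin/sh
# Constructed sample of /var/log/psad/fwdata contents (hostname "myhost" and the
# MAC value are placeholders, not data from a real system).
SAMPLE_LOG='Jun 15 23:37:33 myhost kernel: Inbound IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=47312 DF PROTO=TCP SPT=40945 DPT=3003 WINDOW=32767 RES=0x00 SYN URGP=0
Jun 15 23:37:34 myhost kernel: Inbound IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=47313 DF PROTO=TCP SPT=40946 DPT=3003 WINDOW=32767 RES=0x00 SYN URGP=0
Jun 15 23:37:35 myhost kernel: Outbound IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=32767 RES=0x00 SYN URGP=0
Jun 15 23:37:36 myhost kernel: unrelated kernel message without netfilter fields'

# Constructed sample of "lsof | grep psadfifo" style output plus one unrelated
# line, so the filter has something to reject.
SAMPLE_LSOF='syslogd     942   root   20u   FIFO  3,5   544097 /var/lib/psad/psadfifo
kmsgsd    25457   root    0u   FIFO  3,5   544097 /var/lib/psad/psadfifo
bash       1000   root    0u   CHR   136,0       3 /dev/pts/0'

PSAD_FIFO=/var/lib/psad/psadfifo

# Print "<prefix>TAB<count>" for every --log-prefix seen in SAMPLE_LOG.
# A line only counts as a Netfilter LOG entry if it carries IN= and OUT=;
# the prefix is whatever sits between "kernel: " and the IN= field.
prefix_counts() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /kernel: .* IN=.* OUT=/ {
            line = $0
            sub(/^.*kernel: /, "", line)      # drop timestamp, host, "kernel:"
            sub(/ ?IN=.*$/, "", line)         # keep only the --log-prefix text
            if (line == "") line = "<none>"   # LOG rule without a prefix
            counts[line]++
        }
        END { for (p in counts) printf "%s\t%d\n", p, counts[p] }'
}

# Count for one prefix, printing 0 when it never appeared.
# usage: prefix_count "Inbound"
prefix_count() {
    prefix_counts | awk -F '\t' -v p="$1" '
        $1 == p { print $2; found = 1 }
        END { if (!found) print 0 }'
}

# Extract one KEY=value field (e.g. DPT, SRC) from log lines read on stdin,
# one value per line; lines without that field print nothing.
# usage: printf '%s\n' "$SAMPLE_LOG" | log_field DPT
log_field() {
    awk -v f="$1" '
        { key = f "="
          for (i = 1; i <= NF; i++)
              if (index($i, key) == 1) print substr($i, length(key) + 1) }'
}

# Names of the processes holding the psad FIFO open, space separated,
# taken from the lsof-style sample (COMMAND is $1, TYPE is $5, NAME is last).
fifo_readers() {
    printf '%s\n' "$SAMPLE_LSOF" | awk -v fifo="$PSAD_FIFO" '
        $5 == "FIFO" && $NF == fifo { print $1 }' | tr '\n' ' '
}

# Success only when kmsgsd has the FIFO open and at least one other process
# (the syslog daemon writing into it) does as well, matching the README's
# expected two-line lsof output.
fifo_ok() {
    readers=$(fifo_readers)
    case " $readers " in
        *" kmsgsd "*) ;;
        *) return 1 ;;
    esac
    [ "$(printf '%s\n' $readers | grep -cv '^kmsgsd$')" -ge 1 ]
}

# Stand-alone run: print the same kind of summary "psad --Status" shows.
echo "Iptables prefix counters:"
prefix_counts | awk -F '\t' '{ printf "    \"%s\": %s\n", $1, $2 }'
if fifo_ok; then
    echo "psadfifo readers OK: $(fifo_readers)"
else
    echo "psadfifo is not held open by both syslogd and kmsgsd"
fi
```

Counting prefixes rather than raw lines is the useful check here: a rule with --log-prefix "Inbound " that never increments while dmesg still shows kernel LOG output points at the syslog-to-FIFO path rather than at Netfilter.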

The main requirement is that Netfilter logs are getting logged via kern.info
(or at a higher priority such as "warn") by syslog.  The default for the
Netfilter LOG target is to log Netfilter messages at the "warn" priority, but
this can be changed with the --log-level option.  For example, to have
Netfilter generate logs at the "info" priority in the INPUT chain, the
following command could be used:

# iptables -A INPUT -j LOG --log-level info

This may help cut down on Netfilter logs being sent to the console if your
syslog.conf instructs syslog to log kernel messages at a "warn" level or
higher to the console device.