File: README.SYSLOG

package info (click to toggle)
psad 2.4.3-1.2~deb9u1
  • links: PTS, VCS
  • area: main
  • in suites: stretch
  • size: 3,884 kB
  • sloc: perl: 13,751; ansic: 1,322; sh: 342; makefile: 74
file content (65 lines) | stat: -rw-r--r-- 2,675 bytes parent folder | download | duplicates (4)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65

This information is documented in the psad.conf file as well:

By default, psad acquires iptables log data from the /var/log/messages
file which the local syslog daemon (usually) writes iptables log messages
to.  If the ENABLE_SYSLOG_FILE variable is set to "N", then psad
reconfigures syslog to write iptables log data to the
/var/lib/psad/psadfifo fifo file where the messages are picked up by kmsgsd
written to the file /var/log/psad/fwdata for analysis by psad.  On some
systems, having syslog communicate log data to kmsgsd can be problematic
(syslog configs and external factors such as Apparmor and SELinux can play
a role here), so leaving the ENABLE_SYSLOG_FILE variable set to "Y" is
usually recommended.


*** Pre psad-2.1.3 information below ***

TESTING YOUR INSTALLATION:

The psad installer does its best to reconfigure your syslog daemon to write
all kern.info messages (or higher) to the /var/lib/psad/psadfifo named pipe
for analysis.  However, in order to test whether your installation is working
or not, you can do the following as root:

  $ iptables -I INPUT -i lo -p tcp --dport 3003 -j LOG --log-prefix "Inbound "
  $ telnet localhost 3003

Assuming that psad is running, this should generate in /var/log/psad/fwdata
something similar to:

  Jun 15 23:37:33 <your_hostname> kernel: Inbound IN=lo OUT=
  MAC=<mac_addresses> SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00
  TTL=64 ID=47312 DF PROTO=TCP SPT=40945 DPT=3003 WINDOW=32767 RES=0x00 SYN
  URGP=0

Also, executing "psad --Status" should display (among other things) something
like:

    Iptables prefix counters:
        "Inbound": 1


If the /var/log/psad/fwdata file is empty but you are getting messages in the
system log (for example when you type "dmesg" or in /var/log/messages), then
you should make sure that psad has the fifo open:

  $ lsof | grep psadfifo

You should get something along the lines of:

  syslogd     942   root   20u   FIFO  3,5   544097 /var/lib/psad/psadfifo
  kmsgsd    25457   root    0u   FIFO  3,5   544097 /var/lib/psad/psadfifo

The main requirement is that iptables logs are getting logged via kern.info
(or at a higher priority such as "warn") by syslog.  The default for the
iptables LOG target is log iptables messages at the "warn" priority, but
this can be changed with the --log-level option.  For example, to have
iptables generate logs at the "info" priority in the INPUT chain, the
following command could be used:

# iptables -A INPUT -j LOG --log-level info

This may help cut down on iptables logs being sent to the console if your
syslog.conf instructs syslog to log kernel messages at a "warn" level or
higher to the console device.