dmesg flooded with firewall logs

logs iptables rsyslog
11,940

Solution 1

You could use the NFLOG target instead of LOG:

NFLOG
    This target provides logging of matching packets. When this  target  is  set  for  a
    rule, the Linux kernel will pass the packet to the loaded logging backend to log the
    packet. This is usually used in combination with nfnetlink_log as  logging  backend,
    which  will multicast the packet through a netlink socket to the specified multicast
    group. One or more userspace processes may subscribe to the  group  to  receive  the
    packets.  Like  LOG, this is a non-terminating target, i.e. rule traversal continues
    at the next rule.

All you'd need is a nfnetlink_log capable logging program. Messages would go there and the userspace process would decide whether to log the packet or not.

Another thing you could try would be limiting the LOG rule to a specific threshold:

-A INPUT -i eth0 -m limit --limit 10/minutes -j LOG --log-prefix "FW: " --log-level 7
-A INPUT -i eth0 -j DROP

This would on average log 10 packets per minute. You could of course adjust this at your needs.

Solution 2

When you have set the log level to 7 with the command:

-A INPUT -i eth0       -j   LOG  --log-prefix "FW: " --log-level 7

Then you can simply filter out these messages by passing the level threshold to the dmesg:

dmesg --level=err,warn
Share:
11,940

Related videos on Youtube

Tam Borine
Author by

Tam Borine

Updated on September 18, 2022

Comments

  • Tam Borine
    Tam Borine over 1 year

    In my iptables, I have a rule which logs dropped packets:

    -A INPUT -i eth0       -j   LOG  --log-prefix "FW: " --log-level 7
-A INPUT -i eth0       -j   DROP

    And in /etc/rsyslog.conf, I have another rule which sends these logs to a dedicated file /var/log/firewall.log. 

    :msg, contains, "FW: "                    -/var/log/firewall.log
& ~

    The & ~ deletes the logs immediately, so that they don't flood syslog or other log files.

    This works well, except that it floods dmesg with those firewall logs (not /var/log/dmesg but the output of command dmesg).

    Is there a way to prevent these logs being shown in dmesg ?

    • Admin
      Admin almost 10 years
      What's the point in logging everything anyway?
    • Admin
      Admin almost 10 years
      It's really no good idea to log all dropped packets. Better thing than eliminating the symptoms would be being more specific with your logging rule. E.g. it's not very wise to log any packets that are not related to any connection and don't do anything »special« (like connection initation). Would be much better to cut this down to relevant things like »Host A wanted to connect to port B«. Potentially the number of reasons a packet is dropped is massively greater than the number of reasons you would drop it for a relevant reason.
    • Admin
      Admin almost 10 years
      @Andreas Wiese - I have simplified my rule for the sake of this question. My rules are more sophisticated and specific. But anyway, the question is how to prevent dmesg being flooded, not about firewall rules.
    • Admin
      Admin about 5 years
      See also this answer about the Netfilter logging daemon ulogd2. That is how I solved the problem.
  • Tam Borine
    Tam Borine almost 10 years
    I was not able to find any information how to configure rsyslog to log NFLOG packets. I need some solution that will work with rsyslog.
  • uckelman
    uckelman almost 9 years
    @MartinVegter - NFLOG will work with rsyslog. For NFLOG, you would use ulogd (I think ulogd2 is needed) as the go-between. It will listen on the netlink socket to get the logs, and deliver them (as configured) to syslog. If ulogd2 is not available, use ulogd (1.x) and the ULOG target.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Configuring a custom log file for iptables
How to redirect kernel messages having the unique id substring into separate log file (using `rsyslog`)?
Parse syslog messages into separate MySQL tables with rsyslog
How to redirect logs to syslog for an application which doesn't support syslog yet?
Remove Iptables log from kern.log syslog messages
How can I log iptables in Ubuntu just in /var/log/firewall with rsyslogd
WARN No appenders could be found for logger (org.apache.zookeeper.ZooKeeper)
Receive remote log on a Rsyslog server
rsyslog Filtering Based on IP Address with Wildcards
Why do some of my logs use Localhost and others Hostname - Different Servers