suggestion: blocked port logging to other than syslog

[aww+]

This is really big on my wishlist because it makes syslog monitoring very difficult on a busy system.

Right now to have Port Scan Tracking enabled, you must allow dropped connection logging which can only go to the syslog.

There is no option to log to any other file to reduce syslog clutter and retain port scan monitoring.

Is it just a system limitation that the firewall cannot log anywhere other than syslog?

Or is this possible to have logged elsewhere with monitoring?

Perhaps designating one of the "custom_log" settings?

Thank you as always for considering. CSF really is a brilliant program, keep up the great work.

[ForumAdmin]

That isn't possible in csf, unfortunately, as the iptables logs are handled by the kernel. The only way to redirect them would be to change the syslog/rsyslog configuration on the server to have kernel messages redirected to a different file and then configure lfd to scan that file instead.

[aww+]

Hmm, okay. Sorry to hear that but thanks for the detailed reply.

How does DROP_NOLOG work then, if it is done by the kernel?

Are those ports perhaps blocked in a different way that the kernel doesn't report them?

[ForumAdmin]

You configure iptables to perform logging, but that logging is done itself by the kernel and it is syslog/rsyslog that determines where those messages are logged to (console/file/etc). So, you can turn off the logging if you want to (DROP_NOLOG) but then things like Port Scan Tracking will no longer function and blocks won't appear in the logs.