How to stop logging ICMP_IN, UDP_IN, UDP_OUT blocked messages in kern.log?

ktp
Junior Member
Posts: 65
Joined: 12 Jun 2008, 06:53

How to stop logging ICMP_IN, UDP_IN, UDP_OUT blocked messages in kern.log?

Post by ktp »

Hello,

My server is running under Debian 12 with rsyslog. In kernel.log, there are a lot of messages:

"Firewall: *ICMP_IN Blocked*"
"Firewall: *UDP_IN Blocked*"
"Firewall: *UDP_OUT Blocked*"

I already correctly set the DROP_NOLOG directive, so there is no logging of TCP_IN or TCP_OUT.
How can I also block the logging of the above messages?

Thank you in advance.
Last edited by ktp on 23 Aug 2023, 12:30, edited 1 time in total.
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: How to stop logging ICMP_IN, UDP_IN, UDP_OUT blocked messages in kernel.log?

Post by Sergio »

Have you tried adding them to /etc/csf/csf.logignore?

Sergio
ktp
Junior Member
Posts: 65
Joined: 12 Jun 2008, 06:53

Re: How to stop logging ICMP_IN, UDP_IN, UDP_OUT blocked messages in kernel.log?

Post by ktp »

@Sergio

Thank you for letting me discover the file /etc/csf/csf.logignore.
This file mentions:

# The following is a list of regular expressions for the LOGSCANNER feature.
# If a log line matches it will be ignored, otherwise it will be reported

and it already includes, as its first regular expression:
^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ kernel:\s(\[[^\]]+\]\s)?Firewall:

that matches exactly the "Firewall: *ICMP_IN Blocked*" lines in kern.log.

It looks like, with this file, csf ignores the kernel Firewall logged lines. But my need is that csf
does not log the "Firewall: *ICMP_IN Blocked*" in kern.log! All I would like is for csf to drop logging these lines,
something that should be followed with the DROP_NOLOG directive.
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: How to stop logging ICMP_IN, UDP_IN, UDP_OUT blocked messages in kern.log?

Post by Sergio »

@ktp,
you wrote:
> How can I also block the logging of the above messages?
Well, that is exactly what you asked for:
> # If a log line matches it will be ignored, otherwise it will be reported
ktp
Junior Member
Posts: 65
Joined: 12 Jun 2008, 06:53

Re: How to stop logging ICMP_IN, UDP_IN, UDP_OUT blocked messages in kern.log?

Post by ktp »

@Sergio

> # If a log line matches it will be ignored, otherwise it will be reported
For me, this means the log line is already appearing, but it will be ignored for processing (logscanner).
It does not mean that the log line will not be logged due to matching the regular expression, because the first regular expression
in the file that matches the log line is already present, without any effect!
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: How to stop logging ICMP_IN, UDP_IN, UDP_OUT blocked messages in kern.log?

Post by Sergio »

OK, for me it means that this will not be logged and not reported to you, which is what you asked for in your first message:
"How can I also block the logging of the above messages?"

My fault if I misunderstood your request, sorry.
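
The distinction discussed in this thread, as an added example that is not part of any post and is not csf's own code: the first csf.logignore pattern quoted earlier, applied to constructed kern.log lines. The helper functions, host names and addresses are assumptions, and the filter is a simplified model of what the file's header comment describes.

```python
import re

# First pattern from /etc/csf/csf.logignore, copied from the post earlier in the thread.
FIREWALL_IGNORE = r'^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ kernel:\s(\[[^\]]+\]\s)?Firewall:'

# Constructed sample of kern.log content (hosts, addresses and timestamps are made up).
KERN_LOG = [
    # Traditional syslog timestamp, with the kernel uptime stamp.
    "Aug 23 12:30:01 srv1 kernel: [12345.678901] Firewall: *UDP_IN Blocked* "
    "IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP DPT=137",
    # RFC 3339 timestamp, no uptime stamp.
    "2023-08-23T12:30:02.123456+02:00 srv1 kernel: Firewall: *ICMP_IN Blocked* "
    "IN=eth0 SRC=192.0.2.11 DST=198.51.100.5 PROTO=ICMP TYPE=8",
    # Host logged as an FQDN: the host field [^\s\.]+ does not allow dots.
    "Aug 23 12:30:03 srv1.example.com kernel: [12346.000001] Firewall: *UDP_OUT Blocked* "
    "OUT=eth0 SRC=198.51.100.5 DST=192.0.2.53 PROTO=UDP DPT=53",
    # Unrelated kernel message.
    "Aug 23 12:30:04 srv1 kernel: [12347.000002] EXT4-fs (sda1): re-mounted",
]


def logscanner_report(lines, ignore_patterns):
    """Return the lines a scanner would report: those matching no ignore pattern.

    Simplified model of the behaviour the csf.logignore header describes.
    It only reads `lines`; it never changes what has been written to the log.
    """
    compiled = [re.compile(p) for p in ignore_patterns]
    return [ln for ln in lines if not any(rx.search(ln) for rx in compiled)]


def blocked_lines_on_disk(lines):
    """Count the 'Firewall: *... Blocked*' entries present in the log itself."""
    return sum(1 for ln in lines if re.search(r'Firewall: \*\w+ Blocked\*', ln))


if __name__ == "__main__":
    reported = logscanner_report(KERN_LOG, [FIREWALL_IGNORE])
    # The ignore list changes the report, not the log file contents.
    print("blocked entries still in kern.log:", blocked_lines_on_disk(KERN_LOG))
    for ln in reported:
        print("reported:", ln)
```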