Hello,
My server is running under Debian 12 with rsyslog. In kernel.log, there are a lot of messages:
"Firewall: *ICMP_IN Blocked*"
"Firewall: *UDP_IN Blocked*"
"Firewall: *UDP_OUT Blocked*"
I already correctly set the DROP_NOLOG directive, so there is no log of TCP_IN nor TCP_OUT.
How can I also block the logging of the above messages?
Thank you in advance.
How to stop logging ICMP_IN, UDP_IN, UDP_OUT blocked messages in kern.log?
Last edited by ktp on 23 Aug 2023, 12:30, edited 1 time in total.
Re: How to stop logging ICMP_IN, UDP_IN, UDP_OUT blocked messages in kernel.log?
Have you tried to add them to /etc/csf/csf.logignore?
Sergio
Re: How to stop logging ICMP_IN, UDP_IN, UDP_OUT blocked messages in kernel.log?
@Sergio
Thank you for letting me discover the file /etc/csf/csf.logignore.
This file mentions:
# The following is a list of regular expressions for the LOGSCANNER feature.
# If a log line matches it will be ignored, otherwise it will be reported
and it already includes, as its first regular expression:
^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ kernel:\s(\[[^\]]+\]\s)?Firewall:
that matches exactly the "Firewall: *ICMP_IN Blocked*" lines in kern.log.
It looks like, with this file, csf ignores the kernel Firewall logged lines. But what I need is that csf
does not log the "Firewall: *ICMP_IN Blocked*" lines in kern.log! All I would like is for csf to stop logging these lines,
something that should be followed with the DROP_NOLOG directive.
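An added example, not part of the thread and not csf's own code: it applies the first csf.logignore expression quoted above to constructed kern.log lines, treating it purely as a filter over lines that are already in the file. The sample lines, host names, addresses and the helper names `scan` and `blocked_tags` are assumptions made for illustration.

```python
import re
from collections import Counter

# First expression of /etc/csf/csf.logignore, copied from the post above.
FIREWALL_IGNORE = re.compile(
    r"^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ kernel:\s(\[[^\]]+\]\s)?Firewall:"
)

# Constructed kern.log lines (hosts and addresses are documentation values).
SAMPLE = [
    "2023-08-23T12:30:01.123456+02:00 srv1 kernel: [ 1234.567890] Firewall: "
    "*ICMP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=ICMP",
    "Aug 23 12:30:02 srv1 kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= "
    "SRC=192.0.2.11 DST=198.51.100.5 PROTO=UDP SPT=5353 DPT=5353",
    "Aug 23 12:30:03 srv1 kernel: [ 1240.000001] Firewall: *UDP_OUT Blocked* "
    "IN= OUT=eth0 SRC=198.51.100.5 DST=192.0.2.12 PROTO=UDP SPT=40000 DPT=123",
    # Dotted host name: the host part of the expression excludes '.', so no match.
    "Aug 23 12:30:04 srv1.example.com kernel: Firewall: *UDP_IN Blocked* "
    "IN=eth0 OUT= SRC=192.0.2.13 DST=198.51.100.5 PROTO=UDP SPT=1900 DPT=1900",
    "Aug 23 12:30:05 srv1 kernel: [ 1250.100000] EXT4-fs (sda1): re-mounted",
]


def scan(lines, patterns):
    """Hypothetical helper: split lines that already exist in the log into
    (ignored, reported), ignoring a line when any pattern matches it."""
    ignored, reported = [], []
    for line in lines:
        bucket = ignored if any(p.search(line) for p in patterns) else reported
        bucket.append(line)
    return ignored, reported


def blocked_tags(lines):
    """Count the *TAG Blocked* markers (ICMP_IN, UDP_IN, ...) in the lines."""
    tags = (re.search(r"Firewall: \*(\w+) Blocked\*", l) for l in lines)
    return Counter(m.group(1) for m in tags if m)


if __name__ == "__main__":
    ignored, reported = scan(SAMPLE, [FIREWALL_IGNORE])
    print("ignored by the filter, still in the file:", dict(blocked_tags(ignored)))
    for line in reported:
        print("reported:", line)
```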
Re: How to stop logging ICMP_IN, UDP_IN, UDP_OUT blocked messages in kern.log?
@ktp,
you wrote:
> # If a log line matches it will be ignored, otherwise it will be reported
Well, that is exactly what you asked for:
> How can also block the logging of the above messages?
Re: How to stop logging ICMP_IN, UDP_IN, UDP_OUT blocked messages in kern.log?
@Sergio
> # If a log line matches it will be ignored, otherwise it will be reported
To me, this means the log line is already appearing, but it will be ignored for processing (logscanner).
It does not mean that the log line will not be logged due to matching the regular expression. Because the first regular expression
in the file that matches the log line is already present, without any effect!
Re: How to stop logging ICMP_IN, UDP_IN, UDP_OUT blocked messages in kern.log?
OK, for me this means that it will not be logged and not reported to you; that is what you asked for in your first message:
"How can also block the logging of the above messages?"
My fault if I misunderstood your request, sorry.