How to stop logging ICMP_IN, UDP_IN, UDP_OUT blocked messages in kern.log?

Posted: 15 Aug 2023, 16:44
by ktp
Hello,

My server is running under Debian 12 with rsyslog. In kernel.log, there are a lot of messages:

"Firewall: *ICMP_IN Blocked*"
"Firewall: *UDP_IN Blocked*"
"Firewall: *UDP_OUT Blocked*"

I already correctly set DROP_NOLOG directive so no log of TCP_IN nor TCP_OUT.
How can I also block the logging of the above messages?

Thank you in advance.

Re: How to stop logging ICMP_IN, UDP_IN, UDP_OUT blocked messages in kernel.log?

Posted: 21 Aug 2023, 05:25
by Sergio
Have you tried to add them to /etc/csf/csf.logignore?

Sergio

Re: How to stop logging ICMP_IN, UDP_IN, UDP_OUT blocked messages in kernel.log?

Posted: 23 Aug 2023, 12:07
by ktp
@Sergio

Thank you for letting me discover the file /etc/csf/csf.logignore.
This file mentions:

# The following is a list of regular expressions for the LOGSCANNER feature.
# If a log line matches it will be ignored, otherwise it will be reported

and it already includes, as its first regular expression:
^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ kernel:\s(\[[^\]]+\]\s)?Firewall:

that matches exactly the "Firewall: *ICMP_IN Blocked*" lines in kern.log.

It looks like, with this file, csf ignores the kernel Firewall logged lines. But my need is that csf
does not log the "Firewall: *ICMP_IN Blocked*" in kern.log! All I would like is that csf stops logging these lines,
something that should be followed with the DROP_NOLOG directive.
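
The file comment and regular expression quoted in the post above, run over a few log lines, as an added example that is not part of the thread or of csf's own code. The function `logscanner_report` is a hypothetical stand-in for the "matches are ignored, everything else is reported" rule, the log lines are constructed, and Python's `re` is assumed to read this pattern the same way the file's consumer does.

```python
import re

# First pattern of /etc/csf/csf.logignore, copied from the post above.
FIREWALL_IGNORE = re.compile(
    r"^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ kernel:\s(\[[^\]]+\]\s)?Firewall:"
)

# Constructed sample of kern.log / auth.log style lines (not real traffic).
SAMPLE_LOG = [
    # Traditional syslog timestamp, short hostname
    "Aug 15 16:44:01 srv1 kernel: [12345.678901] Firewall: *UDP_IN Blocked* "
    "IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP DPT=137",
    # ISO 8601 timestamp, short hostname
    "2023-08-15T16:44:02.123456+02:00 srv1 kernel: Firewall: *ICMP_IN Blocked* "
    "IN=eth0 SRC=192.0.2.11 DST=198.51.100.5 PROTO=ICMP TYPE=8",
    # Hostname containing a dot: [^\s\.]+ cannot span it, so no match
    "Aug 15 16:44:03 srv1.example.com kernel: Firewall: *UDP_OUT Blocked* "
    "OUT=eth0 SRC=198.51.100.5 DST=192.0.2.12 PROTO=UDP DPT=53",
    # Unrelated line that no firewall pattern covers
    "Aug 15 16:44:04 srv1 sshd[812]: Failed password for invalid user test "
    "from 192.0.2.13 port 50022 ssh2",
]


def logscanner_report(lines, ignore_patterns):
    """Return the lines that match no ignore pattern.

    The input list is only read: every line, ignored or not, is already
    present in the log by the time a filter like this looks at it.
    """
    return [
        line for line in lines
        if not any(p.search(line) for p in ignore_patterns)
    ]


if __name__ == "__main__":
    reported = logscanner_report(SAMPLE_LOG, [FIREWALL_IGNORE])
    print(f"lines in log file : {len(SAMPLE_LOG)}")
    print(f"lines reported    : {len(reported)}")
    for line in reported:
        print("  REPORT:", line)
```

The two short-hostname firewall lines are dropped from the report in both timestamp formats, while all four lines remain in the input, which is the distinction between filtering a report and suppressing the kernel log entry.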

Re: How to stop logging ICMP_IN, UDP_IN, UDP_OUT blocked messages in kern.log?

Posted: 23 Aug 2023, 13:57
by Sergio
@ktp,
you wrote:
"How can I also block the logging of the above messages?"
Well, that is exactly what you asked for:
# If a log line matches it will be ignored, otherwise it will be reported

Re: How to stop logging ICMP_IN, UDP_IN, UDP_OUT blocked messages in kern.log?

Posted: 23 Aug 2023, 14:08
by ktp
@Sergio

> # If a log line matches it will be ignored, otherwise it will be reported
This means, for me, that the log line is already appearing, but it will be ignored for processing (logscanner).
It does not mean that the log line will not be logged due to matching with the regular expression. Because the first regular expression
in the file that matches the log line is already present, without any effect!

Re: How to stop logging ICMP_IN, UDP_IN, UDP_OUT blocked messages in kern.log?

Posted: 23 Aug 2023, 14:27
by Sergio
OK, for me it means that this will not be logged and not reported to you; that is what you asked for in your first message:
"How can I also block the logging of the above messages?"

My fault if I misunderstood your request, sorry.