Hello, I am trying to filter out my firewall denies because there are
so many that it's too noisy.
They look like:
Aug 7 10:35:17 slice kernel: iptables denied: IN=eth0 OUT= MAC=40:40:43:cf:91:a7:00:18:8b:f9:6e:70:08:00 SRC=<ip address> DST=<my ip address> LEN=40 TOS=0x00 PREC=0x00 TTL=100 ID=30789 PROTO=TCP SPT=6000 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
My attempts to filter them have failed and I still receive them in the
hourly email. Adding the regex to
/etc/logcheck/ignore.d.server/kernel does not work. Yet when I use
this regex to egrep the logs, it matches.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: iptables denied: IN=[[:alpha:]]+[0-9]+ OUT= MAC=[[:alnum:]:]+ SRC=[.0-9]{7,15} DST=[.0-9]{7,15} LEN=[0-9]+ TOS=0x[0-9]+ PREC=0x[0-9]+ TTL=[0-9]+ ID=[0-9]+ .*$
This is running on Debian etch, and in logcheck.conf I have set
REPORTLEVEL="server".
How can I get these iptables messages filtered out?
Thanks,
Milan
Milan Andric <mandric at gmail.com> wrote:

> Aug 7 10:35:17 slice kernel: iptables denied: IN=eth0 OUT=

I'm guessing these are being raised as security events, due to the presence of "denied".

> hourly email. Adding the regex to
> /etc/logcheck/ignore.d.server/kernel does not work. Yet when I use

You'll have to add that rule to violations.ignore.d/local-kernel for it to take effect. (You might want to leave a copy in ignore.d.server, since logcheck-database 1.3.x will no longer treat these as security events.)

P.S.: Am I right in assuming that the only reason these show up in your logs is because you're using the "-j LOG" option?

-- 
The only "intuitive" interface is the nipple. After that, it's all learned.
-- Bruce Ediger, bediger at teal.csn.org, on X interfaces
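The reply's point, that a pattern placed only in ignore.d.server cannot silence a line which violations.d has already flagged by its "denied" keyword, as an added example that is not part of the thread and not logcheck's own code. It is a simplified shell model of the two rule stages (violations.d / violations.ignore.d first, then ignore.d.<REPORTLEVEL>), run against a constructed log line in the thread's format; the poster's regex is reused with \w written as [[:alpha:]] so it works under any POSIX grep -E.

```shell
#!/bin/sh
# Simplified model of logcheck's rule ordering (an assumption for this
# example, not logcheck's code): violations.d flags a line, only
# violations.ignore.d can unflag it, and ignore.d.<REPORTLEVEL> is applied
# afterwards to whatever is left for the system-events section.

# Constructed sample line in the thread's format; addresses are
# documentation-range placeholders, not real hosts.
SAMPLE='Aug  7 10:35:17 slice kernel: iptables denied: IN=eth0 OUT= MAC=40:40:43:cf:91:a7:00:18:8b:f9:6e:70:08:00 SRC=203.0.113.5 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=100 ID=30789 PROTO=TCP SPT=6000 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0'

# The poster's regex, with \w replaced by [[:alpha:]] for portability.
IPTABLES_RULE='^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: iptables denied: IN=[[:alpha:]]+[0-9]+ OUT= MAC=[[:alnum:]:]+ SRC=[.0-9]{7,15} DST=[.0-9]{7,15} LEN=[0-9]+ TOS=0x[0-9]+ PREC=0x[0-9]+ TTL=[0-9]+ ID=[0-9]+ .*$'

# Constructed keyword pattern of the kind found in violations.d.
VIOLATION_RULE='denied'

# matches LINE PATTERN: succeeds when the extended regex matches the line.
matches() { printf '%s\n' "$1" | grep -E -q -e "$2"; }

# classify LINE IGNORE_SERVER_RULE VIOLATIONS_IGNORE_RULE
# Prints one of: security-event, ignored, system-event.
# Pass "" for a rule directory that contains no matching pattern.
classify() {
    line=$1; ignore_rule=$2; vignore_rule=$3
    # Stage 1: a violations.d hit is reported unless violations.ignore.d
    # matches the same line.
    if matches "$line" "$VIOLATION_RULE"; then
        if [ -z "$vignore_rule" ] || ! matches "$line" "$vignore_rule"; then
            echo security-event; return 0
        fi
    fi
    # Stage 2: the ignore.d.<REPORTLEVEL> rules only drop lines that were not
    # already reported as security events.
    if [ -n "$ignore_rule" ] && matches "$line" "$ignore_rule"; then
        echo ignored
    else
        echo system-event
    fi
}

# Rule only in ignore.d.server: still reported as a security event.
classify "$SAMPLE" "$IPTABLES_RULE" ""
# Rule in violations.ignore.d and ignore.d.server: fully silenced.
classify "$SAMPLE" "$IPTABLES_RULE" "$IPTABLES_RULE"
```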