1. Syslogd needs to be started with the '-n' flag to suppress the reverse DNS lookup it would otherwise do every time a message comes in. Apart from being a stupid waste of time, those lookups make the host checks fail unless the RDNS lookup succeeds and returns exactly the hostname given in syslog.conf.
2. Syslogd needs to be started with '-a 192.168.1.42/32' (to accept messages from a single sender) or '-a 192.168.1.0/24' (to accept from a whole subnet). Or you can give the -a flag several times. The easiest way to set up the flags is to give them in /etc/rc.conf, for example:
syslogd_flags="-n -a 192.168.99.7/32:* -a 1.2.3.4/28:*" # Log from Firewall and DMZ
3. Your /etc/syslog.conf file needs to include this magic syntax, right up the top before all your normal rules:-
+192.168.99.7
*.* /var/log/firewall.log
+*
+@
4. The log file needs to exist before syslogd is restarted, and it needs to have the right permissions. So you'll need something like:-
touch /var/log/firewall.log
chown root /var/log/firewall.log
chmod 0600 /var/log/firewall.log
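Added example, not from the post: a small Python model of the two filters the steps above set up, the -a peer list and the +host blocks in syslog.conf, fed with the post's own flags and config as constructed input. It assumes simplified syslogd semantics (an omitted service means port 514; '+*' resets to all hosts, '+@' means the local host) and is not syslogd's own code.

```python
import ipaddress
import re

# Constructed input: the post's rc.conf flags and syslog.conf block, plus one
# local auth.info rule added to show what the "+*" / "+@" reset changes.
SYSLOGD_FLAGS = "-n -a 192.168.99.7/32:* -a 1.2.3.4/28:*"
SYSLOG_CONF = """\
+192.168.99.7
*.*\t/var/log/firewall.log
+*
+@
auth.info\t/var/log/auth.log
"""

def allowed_peers(flags):
    """Parse every '-a addr/masklen[:service]' into (network, service).
    Assumption: a missing service means the syslog port, 514."""
    peers = []
    for spec in re.findall(r"-a\s+(\S+)", flags):
        net, _, service = spec.partition(":")
        peers.append((ipaddress.ip_network(net, strict=False), service or "514"))
    return peers

def is_accepted(flags, src_ip, src_port=514):
    """Would a datagram from src_ip:src_port pass the -a filter?"""
    src = ipaddress.ip_address(src_ip)
    return any(src in net and service in ("*", str(src_port))
               for net, service in allowed_peers(flags))

def rules_for(conf, sender):
    """Return (selector, target) pairs whose host block covers `sender`
    (a remote IP string, or "@" for the local host)."""
    block = "*"  # before the first '+' line every rule applies to all hosts
    matched = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("+"):       # '+host' opens a block, '+*' resets it
            block = line[1:]
            continue
        selector, target = line.split(None, 1)
        if block in ("*", sender):
            matched.append((selector, target))
    return matched

if __name__ == "__main__":
    print(is_accepted(SYSLOGD_FLAGS, "192.168.99.7", 40000))  # True
    print(rules_for(SYSLOG_CONF, "192.168.99.7"))  # firewall.log only
    print(rules_for(SYSLOG_CONF, "@"))             # auth.log only
```

Dropping the '+*' and '+@' lines from the config makes rules_for() return nothing for local messages, which is why the block has to be closed before the normal rules.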
Hope this helps someone...