Re: [cobalt-users] Ipchains logging
- Subject: Re: [cobalt-users] Ipchains logging
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Sun Feb 2 08:02:01 2003
- Organization: Befriend Internet Services LLC
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
"Maurice de Laat" <muisnetw@xxxxxxxxx> wrote:
> I've installed ipchains and would like to log some rules action.
> This log is written to /var/log/kernel
> As I understand, this is a security issue because it would be possible that
> /var is getting full, and root can no longer log in.
That is an issue. Here are a few things you may want to consider. Create a
fairly large file in /var owned by admin which can be removed via FTP should
the partition become full. Turn off syslogd and klogd, edit
/etc/syslog.conf and change the logging location of kernel messages to a
directory on /home, perhaps /home/log/messages, then turn syslogd and klogd
back on. Set up a cron job to check the free space on /var and if it's full
or close to full take action. The action could be as simple as gzipping log
files to /home then zeroing them out in /var or it could be more advanced.
> I've searched, but couldn't find anything about how to change the location
> (or name) of the ipchains logfile. Is it possible?
It's not an IPCHAINS configuration option. If there's a way to change the
facility from kernel to something else so you can log it to a separate log
via syslog.conf I'm not aware of it, but would certainly be interested if
there is.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
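
The cron check suggested in the reply above (gzip the logs to /home, then zero them in /var), written out as an added example that is not part of the original message. The script name, install path, /home/log archive directory and 90% threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Script name, paths and the
# threshold in the cron line below are assumptions.
umask 077   # archived kernel logs should not be world-readable

# Print the used percentage (digits only) of the filesystem holding $1.
usage_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Compress each non-empty regular file in $1 into $2, then truncate the
# original in place so the logging daemon's open file handle stays valid.
# Lines written between the copy and the truncate are lost.
archive_logs() {
    src=$1; dest=$2
    stamp=$(date +%Y%m%d%H%M%S)
    mkdir -p "$dest" || return 1
    for f in "$src"/*; do
        if [ -L "$f" ] || [ ! -f "$f" ] || [ ! -s "$f" ]; then
            continue    # skip symlinks, directories and empty files
        fi
        out="$dest/$(basename "$f").$stamp.gz"
        # Zero the source only after the compressed copy was written.
        if gzip -c "$f" > "$out"; then
            : > "$f"
        else
            rm -f "$out"
            return 1
        fi
    done
}

# check_and_archive LOGDIR ARCHIVEDIR THRESHOLD_PCT
check_and_archive() {
    pct=$(usage_pct "$1")
    case $pct in ''|*[!0-9]*) return 2 ;; esac   # df output not understood
    if [ "$pct" -ge "$3" ]; then
        archive_logs "$1" "$2"
    fi
}

# From root's crontab (hypothetical install path):
#   */15 * * * * /usr/local/sbin/varguard.sh /var/log /home/log 90
if [ "$#" -eq 3 ]; then
    check_and_archive "$1" "$2" "$3"
fi
```

Truncating in place rather than deleting matters here: a deleted log that syslogd still holds open keeps consuming space on /var until the daemon is restarted.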