[Logcheck-users] filtering out iptables messages

Milan Andric mandric at gmail.com
Fri Aug 7 16:15:06 UTC 2009


Hello, I am trying to filter out my firewall denies because there are
so many that it's too noisy.

They look like:

Aug  7 10:35:17 slice kernel: iptables denied: IN=eth0 OUT=
MAC=40:40:43:cf:91:a7:00:18:8b:f9:6e:70:08:00 SRC=<ip address> DST=<my
ip address> LEN=40 TOS=0x00 PREC=0x00 TTL=100 ID=30789 PROTO=TCP
SPT=6000 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0

My attempts to filter them have failed and I still receive them in the
hourly email.  Adding the regex to
/etc/logcheck/ignore.d.server/kernel does not work.  Yet when I use
this regex to egrep the logs, it matches.

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: iptables denied: IN=[[:alpha:]]+[0-9]+ OUT= MAC=[[:alnum:]:]+ SRC=[.0-9]{7,15} DST=[.0-9]{7,15} LEN=[0-9]+ TOS=0x[0-9]+ PREC=0x[0-9]+ TTL=[0-9]+ ID=[0-9]+ .*$

This is running on Debian etch, and in logcheck.conf I have set
REPORTLEVEL="server".

How can I get these iptables messages filtered out?

Thanks,

Milan
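The symptom above (the regex matches with egrep, yet the lines keep arriving) is what you see when a line is being reported as a Security Event rather than a System Event. logcheck checks violations.d/* first; anything that matches there is only excused by a rule in violations.ignore.d/*, and the ignore.d.<level>/* rules never get a say. Debian's stock /etc/logcheck/violations.d/logcheck carries a plain "denied" keyword, which every "iptables denied:" line hits; `grep -rn denied /etc/logcheck/violations.d/` on the box confirms whether that is the case. The script below is an added illustration, not code from the poster or from the logcheck project: it rebuilds that rule ordering as a small model, feeds it a constructed copy of the log line (hostname and addresses made up), and shows where the line lands depending on which directory the regex is placed in. The model assumes that a line excused from the security section still passes through the ignore.d stage, so the rule is placed in both directories for the "both" case; the rule itself is written on one line, as a logcheck rule file expects.

```shell
#!/bin/sh
# Constructed model of how logcheck orders its rule directories; this is an
# added illustration, not logcheck's own code.
#   1. a line matching any violations.d/* rule is a "security event" unless a
#      violations.ignore.d/* rule also matches it;
#   2. every other line is a "system event" unless an ignore.d.<level>/* rule
#      matches, in which case it is dropped from the report.
# Assumption: a line excused from the security section still passes through
# stage 2, so a rule meant to silence a keyword-matching line belongs in
# BOTH violations.ignore.d and ignore.d.server.
set -eu

# Constructed log lines (hostname and addresses made up).
LOG_DENY='Aug  7 10:35:17 slice kernel: iptables denied: IN=eth0 OUT= MAC=40:40:43:cf:91:a7:00:18:8b:f9:6e:70:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=100 ID=30789 PROTO=TCP SPT=6000 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0'
LOG_OTHER='Aug  7 10:36:02 slice kernel: eth0: link up'

# The poster's rule, on one line as a logcheck rule file requires.
RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: iptables denied: IN=[[:alpha:]]+[0-9]+ OUT= MAC=[[:alnum:]:]+ SRC=[.0-9]{7,15} DST=[.0-9]{7,15} LEN=[0-9]+ TOS=0x[0-9]+ PREC=0x[0-9]+ TTL=[0-9]+ ID=[0-9]+ .*$'

# True if the line ($2) matches any pattern in rule file $1 (egrep -f, as logcheck does).
matches() {
    printf '%s\n' "$2" | grep -E -q -f "$1"
}

# Build a throwaway rules tree; $1 says where RULE goes:
#   ignore | violations.ignore | both
# Prints the directory path.
make_rules() {
    dir=$(mktemp -d)
    mkdir -p "$dir/violations.d" "$dir/violations.ignore.d" "$dir/ignore.d.server"
    # Assumed keyword rule, modelled on the "denied" entry in Debian's stock
    # violations.d/logcheck; it is what turns every iptables line into a security event.
    printf 'denied\n' > "$dir/violations.d/logcheck"
    # Empty files so grep -f has something to read: an empty FILE matches nothing,
    # whereas an empty LINE in a rule file matches everything (a classic logcheck mistake).
    : > "$dir/violations.ignore.d/kernel"
    : > "$dir/ignore.d.server/kernel"
    case "$1" in
        ignore|both)            printf '%s\n' "$RULE" >> "$dir/ignore.d.server/kernel" ;;
    esac
    case "$1" in
        violations.ignore|both) printf '%s\n' "$RULE" >> "$dir/violations.ignore.d/kernel" ;;
    esac
    echo "$dir"
}

# Classify one line under a rules tree: prints security, system, or dropped.
classify() {
    dir=$1; line=$2
    if matches "$dir/violations.d/logcheck" "$line" \
       && ! matches "$dir/violations.ignore.d/kernel" "$line"; then
        echo security
    elif matches "$dir/ignore.d.server/kernel" "$line"; then
        echo dropped
    else
        echo system
    fi
}

# Walk through the three placements and show where each line ends up.
demo() {
    for where in ignore violations.ignore both; do
        d=$(make_rules "$where")
        printf '%-18s deny line -> %-8s  other line -> %s\n' \
            "$where:" "$(classify "$d" "$LOG_DENY")" "$(classify "$d" "$LOG_OTHER")"
        rm -rf "$d"
    done
}
demo
```

With the regex only in ignore.d.server/kernel the deny line is still classified as a security event, which matches the symptom in the question; with it in violations.ignore.d it leaves the security section, and with it in both directories it disappears from the report entirely. The same `matches` helper is also a handy way to test a new rule against a captured line before dropping it into /etc/logcheck.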