https://community.hpe.com/t5/operating-system-linux/kernel-firewall-or-syslog-corruption/m-p/5028063#M48222 Hi,<BR /><BR />We have our RHEL firewalls logging out put to a separate firewall log. KLOGD has been set to 4 and syslog.conf etc etc. All mostly works except more occasionally the logwatch script for firewalls plays up - upon analysis we find corrupted firewall logs. See Below:<BR /><BR />Feb 11 11:00:08 xserver kernel: #FW# IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:33:18:08:aa:18:00 src=192.1192.168.32.255 LEN=109 TOS=0x00 PREC=0x00 TTL=128 ID=59197 PROTO=UDP SPT=1338 DPT=42520 LEN=89<BR />Feb 11 11:00:08 xserver kernel: #FW# IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:33:18:08:aa:18:00 src=192.168.35.127 DST=192.168.32.255 LEN=109 TOS=0x00 PREC=0x00 TTL=128 ID=22277 PROTO=UDP SPT=3076 DPT=42520 LEN=89<BR /><BR />As you can see the first line has lost a lot of data - the source log entry is merged with the destination and would seem to be overwritten by possibly two entries.<BR /><BR />Our iptables config has the following log option:<BR /><BR />-A RH-Firewall-1-INPUT -j LOG --log-level 5 --log-prefix " #FW# "<BR /><BR />Thus anything other than what we allow through is logged. Is this a problem - does syslog not cope with this level of logging? Is there a bug in the kernel or syslog?<BR /><BR />Regards,<BR /><BR />Robert. Mon, 12 Feb 2007 18:56:31 GMT Robert Walker_8 2007-02-12T18:56:31Z https://community.hpe.com/t5/operating-system-linux/kernel-firewall-or-syslog-corruption/m-p/5028063#M48222 Hi,<BR /><BR />We have our RHEL firewalls logging out put to a separate firewall log. KLOGD has been set to 4 and syslog.conf etc etc. All mostly works except more occasionally the logwatch script for firewalls plays up - upon analysis we find corrupted firewall logs. See Below:<BR /><BR />Feb 11 11:00:08 xserver kernel: #FW# IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:33:18:08:aa:18:00 src=192.1192.168.32.255 LEN=109 TOS=0x00 PREC=0x00 TTL=128 ID=59197 PROTO=UDP SPT=1338 DPT=42520 LEN=89<BR />Feb 11 11:00:08 xserver kernel: #FW# IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:33:18:08:aa:18:00 src=192.168.35.127 DST=192.168.32.255 LEN=109 TOS=0x00 PREC=0x00 TTL=128 ID=22277 PROTO=UDP SPT=3076 DPT=42520 LEN=89<BR /><BR />As you can see the first line has lost a lot of data - the source log entry is merged with the destination and would seem to be overwritten by possibly two entries.<BR /><BR />Our iptables config has the following log option:<BR /><BR />-A RH-Firewall-1-INPUT -j LOG --log-level 5 --log-prefix " #FW# "<BR /><BR />Thus anything other than what we allow through is logged. Is this a problem - does syslog not cope with this level of logging? Is there a bug in the kernel or syslog?<BR /><BR />Regards,<BR /><BR />Robert. Mon, 12 Feb 2007 18:56:31 GMT https://community.hpe.com/t5/operating-system-linux/kernel-firewall-or-syslog-corruption/m-p/5028063#M48222 Robert Walker_8 2007-02-12T18:56:31Z https://community.hpe.com/t5/operating-system-linux/kernel-firewall-or-syslog-corruption/m-p/5028064#M48223 Shalom,<BR /><BR />Syslog can handle any level of logging that iptables can be set to.<BR /><BR />If log files are getting hammered there is probably a destination configuration issue in the syslog conf file.<BR /><BR />Check for inconsistencies and restart syslog<BR /><BR />SEP Tue, 13 Feb 2007 06:57:30 GMT https://community.hpe.com/t5/operating-system-linux/kernel-firewall-or-syslog-corruption/m-p/5028064#M48223 Steven E. Protter 2007-02-13T06:57:30Z https://community.hpe.com/t5/operating-system-linux/kernel-firewall-or-syslog-corruption/m-p/5028065#M48224 Gday SEP,<BR /><BR />I thought that may be the case however the first output at Feb 11 11:00:08 seems to contain two firewall syslogs mashed together as the src=field is corrupted.<BR /><BR />This is our syslog config:<BR /><BR />kern.5 /var/log/firewall<BR />kern.*;kern.!5 /var/log/kernel<BR /><BR /># Log anything (except mail) of level info or higher.<BR /># Don't log private authentication messages!<BR />*.info;mail.none;authpriv.none;cron.none;kern.none /var/log/messages<BR /><BR /># The authpriv file has restricted access.<BR />authpriv.* /var/log/secure<BR /><BR /># Log all the mail messages in one place.<BR />mail.* -/var/log/maillog<BR /><BR /><BR /># Log cron stuff<BR />cron.* /var/log/cron<BR /><BR /># Everybody gets emergency messages<BR />*.emerg *<BR /><BR /># Save news errors of level crit and higher in a special file.<BR />uucp,news.crit /var/log/spooler<BR /><BR /># Save boot messages also to boot.log<BR />local7.* /var/log/boot.log<BR /><BR />Regards,<BR /><BR />Robert. Tue, 13 Feb 2007 18:23:15 GMT https://community.hpe.com/t5/operating-system-linux/kernel-firewall-or-syslog-corruption/m-p/5028065#M48224 Robert Walker_8 2007-02-13T18:23:15Z https://community.hpe.com/t5/operating-system-linux/kernel-firewall-or-syslog-corruption/m-p/5028066#M48225 Gday,<BR /><BR />This call has gone to Redhat. They however think its bursty network traffic and suspect the kernel ring buffer is being overwritten.<BR /><BR />I am testing a couple of systems with log_buf_len=1024k (although they suggested 512K).<BR /><BR />Robert. Tue, 12 Jun 2007 18:50:02 GMT https://community.hpe.com/t5/operating-system-linux/kernel-firewall-or-syslog-corruption/m-p/5028066#M48225 Robert Walker_8 2007-06-12T18:50:02Z https://community.hpe.com/t5/operating-system-linux/kernel-firewall-or-syslog-corruption/m-p/5028067#M48226 No new takers - well have given up on this up the kernel loop log buffer is about it. Tue, 03 Mar 2009 10:11:33 GMT https://community.hpe.com/t5/operating-system-linux/kernel-firewall-or-syslog-corruption/m-p/5028067#M48226 Robert Walker_8 2009-03-03T10:11:33Z