System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

Kernel Firewall or Syslog corruption

Robert Walker_8
Valued Contributor

Kernel Firewall or Syslog corruption

Hi,

We have our RHEL firewalls logging out put to a separate firewall log. KLOGD has been set to 4 and syslog.conf etc etc. All mostly works except more occasionally the logwatch script for firewalls plays up - upon analysis we find corrupted firewall logs. See Below:

Feb 11 11:00:08 xserver kernel: #FW# IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:33:18:08:aa:18:00 src=192.1192.168.32.255 LEN=109 TOS=0x00 PREC=0x00 TTL=128 ID=59197 PROTO=UDP SPT=1338 DPT=42520 LEN=89
Feb 11 11:00:08 xserver kernel: #FW# IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:33:18:08:aa:18:00 src=192.168.35.127 DST=192.168.32.255 LEN=109 TOS=0x00 PREC=0x00 TTL=128 ID=22277 PROTO=UDP SPT=3076 DPT=42520 LEN=89

As you can see the first line has lost a lot of data - the source log entry is merged with the destination and would seem to be overwritten by possibly two entries.

Our iptables config has the following log option:

-A RH-Firewall-1-INPUT -j LOG --log-level 5 --log-prefix " #FW# "

Thus anything other than what we allow through is logged. Is this a problem - does syslog not cope with this level of logging? Is there a bug in the kernel or syslog?

Regards,

Robert.
4 REPLIES
Steven E. Protter
Exalted Contributor

Re: Kernel Firewall or Syslog corruption

Shalom,

Syslog can handle any level of logging that iptables can be set to.

If log files are getting hammered there is probably a destination configuration issue in the syslog conf file.

Check for inconsistencies and restart syslog

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Robert Walker_8
Valued Contributor

Re: Kernel Firewall or Syslog corruption

Gday SEP,

I thought that may be the case however the first output at Feb 11 11:00:08 seems to contain two firewall syslogs mashed together as the src=field is corrupted.

This is our syslog config:

kern.5 /var/log/firewall
kern.*;kern.!5 /var/log/kernel

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;kern.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

Regards,

Robert.
Robert Walker_8
Valued Contributor

Re: Kernel Firewall or Syslog corruption

Gday,

This call has gone to Redhat. They however think its bursty network traffic and suspect the kernel ring buffer is being overwritten.

I am testing a couple of systems with log_buf_len=1024k (although they suggested 512K).

Robert.
Robert Walker_8
Valued Contributor

Re: Kernel Firewall or Syslog corruption

No new takers - well have given up on this up the kernel loop log buffer is about it.