LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 09-08-2003, 12:22 AM   #1
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Rep: Reputation: 30
dmesg output full of


i have a problem with the output of dmesg, namely that it is full of logged packets like:

IPT INPUT packet died: IN=ppp0 OUT= MAC= SRC=199.111.227.177 DST=86.79.158.15 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=54145 DF PROTO=TCP SPT=4076 DPT=2751 WINDOW=16384 RES=0x00 SYN URGP=0

and i can't see the boot messages. what gives?

thx for reading,
y-p
 
Old 09-08-2003, 02:06 AM   #2
Azmeen
Senior Member
 
Registered: May 2003
Location: Malaysia
Distribution: Slackware, LFS, CentOS
Posts: 1,307

Rep: Reputation: 47
That's your iptables log... it will overlap your boot logs after some time of filtering because it uses the same log level by default (warn, I think). I believe you can make iptables log to some other file by tinkering with its settings.

I'll take a look at it later because now I'm stuck in Windowsland (at work)... I too am planning to change my iptables log level... and hopefully I can help you out a bit.
 
Old 09-08-2003, 10:32 AM   #3
Azmeen
Senior Member
 
Registered: May 2003
Location: Malaysia
Distribution: Slackware, LFS, CentOS
Posts: 1,307

Rep: Reputation: 47
Hmm... after searching and searching it seems impossible to log iptables somewhere else, therefore I'm going to suggest a workaround for you instead.

Add the following line to your /etc/rc.d/rc.local:
Code:
cp /var/log/messages /var/log/bootlog

So when you want to view your bootup events, just type cat /var/log/bootlog.

I know this is oversimplistic, therefore I'm really open to suggestions from those who are more knowledgeable in this area.

Last edited by Azmeen; 09-08-2003 at 07:16 PM.
 
Old 09-08-2003, 12:00 PM   #4
NSKL
Senior Member
 
Registered: Jan 2002
Location: Rome, Italy ; Novi Sad, Srbija; Brisbane, Australia
Distribution: Ubuntu / ITOS2008
Posts: 1,207

Rep: Reputation: 47
Well, i'm not more knowledgeable, and i might be totally wrong here BUT i believe if you mess around with /etc/syslog.conf you could make the firewall log level something higher, and thus make it log to /var/log/secure for example. Note that i'm just guessing here from what i remember reading in "Running Linux". Unfortunately i gave that book over the summer to a friend, who doesn't want to give it back, thus i can't check how exactly to do this, if at all possible...
Reckon i'll have to buy myself the new edition anyway...
Well HTH a little
-NSKL
 
Old 09-08-2003, 12:36 PM   #5
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Original Poster
Rep: Reputation: 30
about that cp command you suggested i insert in rc.local: what is that doing? i know that there is output to /var/log/messages generated on boot, but the messages aren't the same as the ones that would be in dmesg (they're not as verbose and they don't list the device assignments for things like ide-scsi emulation).

i could've sworn that i read a post about this before, but i couldn't think of what to search for to bring it up...
 
Old 09-08-2003, 12:39 PM   #6
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Original Poster
Rep: Reputation: 30
i think you're right NSKL, as the log-level determines where the stuff gets logged. i think i'll just look at the syslogd manpage for a while and see what i can figure out.

btw, what does HTH mean?
 
Old 09-08-2003, 07:27 PM   #7
Azmeen
Senior Member
 
Registered: May 2003
Location: Malaysia
Distribution: Slackware, LFS, CentOS
Posts: 1,307

Rep: Reputation: 47
Quote:
Originally posted by yocompia
about that cp command you suggested i insert in rc.local: what is that doing? i know that there is output to /var/log/messages generated on boot, but the messages aren't the same as the ones that would be in dmesg (they're not as verbose and they don't list the device assignments for things like ide-scsi emulation).

i could've sworn that i read a post about this before, but i couldn't think of what to search for to bring it up...
OK, maybe a little more explanation is needed on my part. Basically I explored the /etc/rc.d/rc.* files a bit and saw that on bootup rc.local is the last file that will be run by init.

And since dmesg is basically similar to running cat /var/log/messages (at least I think it is, please correct me if I'm wrong), I thought why not copy the startup log before it gets crowded by the firewall logs.

Quote:
Originally posted by NSKL
Well, i'm not more knowledgeable, and i might be totally wrong here BUT i believe if you mess around with /etc/syslog.conf you could make the firewall log level something higher, and thus make it log to /var/log/secure for example.
I read that in the man pages of syslog.conf as well, but the problem with that man page (in fact almost all of Linux's man), is that it is very stingy on explanations. Googling didn't help much as well. However it did say that the secure log is deprecated.

I would have preferred to log the iptables output to some other file, but I too, am stumped on how to do this the right way.
 
Old 09-08-2003, 10:12 PM   #8
eric.r.turner
Member
 
Registered: Aug 2003
Location: Planet Earth
Distribution: Linux Mint
Posts: 216

Rep: Reputation: 31
Do your firewall rules have a LOG target? They must since LOG "...[turns] on kernel logging of matching packets." Two options you might consider:

1. Remove the iptables rules that log messages.

2. Use the --log-prefix option in the iptables rules that log messages. If you prefix all your iptables messages with "foo" then you can filter those out of dmesg with "dmesg | grep -v foo". Just make sure you use something unique like "iptables_msg: " or something.
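
The prefix-based filtering described in option 2, as an added example that is not part of the original thread: it splits a kernel log stream into non-firewall messages and a per-port summary of the logged packets. The function names and the sample lines after the first firewall entry are constructed for illustration, and the script only sorts lines still present in its input.

```shell
#!/bin/sh
# Added example: separate iptables LOG entries from other kernel messages
# by their --log-prefix, and summarise the logged packets.

# Prefix as it appears in the first post's log line.
PREFIX='IPT INPUT packet died: '

# Constructed sample input (stand-in for `dmesg` output). Only the first
# firewall line is from the thread; the rest is made up for the example.
sample_log() {
cat <<'EOF'
Memory: constructed sample boot line
hdc: constructed sample device line
IPT INPUT packet died: IN=ppp0 OUT= MAC= SRC=199.111.227.177 DST=86.79.158.15 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=54145 DF PROTO=TCP SPT=4076 DPT=2751 WINDOW=16384 RES=0x00 SYN URGP=0
IPT INPUT packet died: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=100 DF PROTO=TCP SPT=4100 DPT=2751 WINDOW=16384 RES=0x00 SYN URGP=0
IPT INPUT packet died: IN=ppp0 OUT= MAC= SRC=192.0.2.77 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
EOF
}

# Everything that is not a firewall entry (fixed-string match, so the
# prefix is never interpreted as a regular expression).
kernel_only() {
    grep -vF -- "$PREFIX"
}

# Count firewall entries per protocol/destination port, busiest first.
# Protocols without ports (e.g. ICMP) are reported with "-" as the port.
firewall_summary() {
    awk -v prefix="$PREFIX" '
        index($0, prefix) {
            proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/)    proto = substr($i, 7)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            count[proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

echo "== kernel messages =="
sample_log | kernel_only
echo "== logged packets by protocol/port =="
sample_log | firewall_summary
```

On a live system the same functions can be fed from `dmesg` or from /var/log/messages in place of `sample_log`, since the match is on the prefix anywhere in the line.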
 
Old 09-08-2003, 10:34 PM   #9
Azmeen
Senior Member
 
Registered: May 2003
Location: Malaysia
Distribution: Slackware, LFS, CentOS
Posts: 1,307

Rep: Reputation: 47
eric,

But the problem is that over time the iptables log entries will completely replace the kernel messages. So even if you grep all iptables log entries away, the bootup entries won't be returned.

In my case I want the iptables log... however, if possible I want it to log to a different file rather than sharing it with /var/log/messages. Do you know how to do this?
 
Old 09-09-2003, 11:34 AM   #10
NSKL
Senior Member
 
Registered: Jan 2002
Location: Rome, Italy ; Novi Sad, Srbija; Brisbane, Australia
Distribution: Ubuntu / ITOS2008
Posts: 1,207

Rep: Reputation: 47
Again, remembering what i read in "Running Linux" you could (i think) do the following:
Change Ip tables log level in syslog.conf to something else, something not used, and exclude it from other logs (look at slack 9's syslog.conf and you'll see how some services such as mail and cron are excluded from all logs and logged to their special files, only for them).
So make ip tables log to a special file as well. Something like Ip-tables.* /var/log/firewall. The problem here is that ip-tables is not a service like mail or cron, so i'm not really sure if you can do this. If i only had my book with me..... As soon as i get it back i'll read the syslog part again and i'm sure we'll find a solution...
HTH = Hope that Helps
-NSKL
 
Old 09-09-2003, 02:03 PM   #11
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Original Poster
Rep: Reputation: 30
NSKL, i think i've found confirmation and further articulation of what you suggested in this thread:

http://www.linuxquestions.org/questi...ht=kernel+size

the relevant portion on the syslog.conf format is about 50% down the first part of the post (i think that percentage is invariant...). it also has some nice stuff i used to strengthen my firewall.

i'll try this later today and post back with results, unless somebody else does first.

thx,
y-p
 
  

