CSF doubles logging in /var/log/messages on Centos 7

Posted: 05 Oct 2014, 11:26
by hanzzon
Hi, on my RHEL v6.5 server CSF logs only one line per firewall hit in the system's /var/log/messages logfile.

But for some reason, on a new Centos 7 server I'm setting up, all logs are reproduced two times.
One time with a timestamp before the "Firewall: " part, the other directly as-is like on my Centos 6.5 system:

Sep 23 13:57:19 localhost kernel: [176459.802894] Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=0c:c4:7a:30:39:xx:00:08:e3:ff:fd:90:08:00 SRC=66.240.236.119 DST=184.XXX.XXX.XXX LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=39572 PROTO=UDP SPT=40000 DPT=44818 LEN=32
Sep 23 13:57:19 localhost kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=0c:c4:7a:30:39:xx:00:08:e3:ff:fd:90:08:00 SRC=66.240.236.119 DST=184.XXX.XXX.XXX LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=39572 PROTO=UDP SPT=40000 DPT=44818 LEN=32

Note: I have disabled & uninstalled the system's "firewalld" daemon and am running only with iptables & I have the "net-tools" package installed.

Re: CSF doubles logging in /var/log/messages on Centos 7

Posted: 05 Oct 2014, 15:25
by ForumAdmin
That is down to your logging daemon configuration (probably rsyslogd or systemd), not csf as it is the kernel that does iptables logging.

Re: CSF doubles logging in /var/log/messages on Centos 7

Posted: 12 Oct 2014, 15:31
by hanzzon
I did a workaround for this now. On my old RHEL v6.5 server I was already moving the iptables logs into a separate file to not clutter /var/log/messages.
I simply modified it to send the logs to a separate logfile like before, but also to discard the logs containing the timestamp:

# Log CSF iptables to a separate file & discard it from all subsequent rules:
:msg, startswith, "Firewall: " -/var/log/iptables
& stop

# Discard CSF iptables logs containing a datestamp, therefore not matched above:
:msg, contains, "Firewall: " stop

This goes into a new file called: /etc/rsyslog.d/iptables.conf
And then you need to create the logfile: "touch /var/log/iptables"
Finally rsyslog needs to be restarted: "systemctl restart rsyslog"

It's also useful to add rotation of the logfiles; just adding a new line into /etc/logrotate.d/syslog for the new logfile will be enough to get very basic rotation working.

And don't forget to set the new logfile location in /etc/csf/csf.conf:
IPTABLES_LOG = "/var/log/iptables"

Unlike version 6.5 of RHEL / Centos, version 7 was already set to only print console messages with a priority of 4 or higher, so there was no need to modify kernel.printk to get rid of the firewall messages otherwise printed on the console.

Re: CSF doubles logging in /var/log/messages on Centos 7

Posted: 29 Dec 2014, 09:52
by hanzzon
Quite soon after posting the above I figured out that the reason for the double logging was that I had enabled imklog in rsyslog.conf so I removed that. (And with it the last two lines in the code snippet above).
But I could not for the life of me remember why I had enabled it, but today I ran the csf "server check" mail and the eureka moment came:

Check for kernel logger
rsyslogd appears to be running, but klog may not be loaded which logs kernel firewall messages to rsyslog. You should modify /etc/rsyslogd to load the klog module with:
$ModLoad imklog
Then restart rsyslog
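
A way to confirm the condition this thread describes, added here as an example and not posted by any participant: it flags "Firewall: " messages that appear both with and without the kernel uptime stamp, and lists which kernel-message inputs an rsyslog configuration loads. The sample log lines and configuration are constructed, and treating imjournal as the second source is an assumption based on the stock CentOS 7 rsyslog.conf.

```python
import re
from collections import defaultdict

# Kernel uptime stamp carried by one of the two copies, e.g. "[176459.802894] "
UPTIME = re.compile(r"^\[\s*\d+\.\d+\]\s+")
# Traditional syslog header: "Sep 23 13:57:19 host kernel: <message>"
HEADER = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+(\S+)\s+kernel:\s+(.*)$")
# Assumption: both of these rsyslog inputs deliver kernel messages on CentOS 7
KERNEL_INPUTS = {"imklog", "imjournal"}

def find_double_logged(lines, tag="Firewall: "):
    """Return (time, host, message) keys seen both with and without the uptime stamp."""
    forms = defaultdict(set)
    for line in lines:
        m = HEADER.match(line.rstrip("\n"))
        if not m:
            continue
        when, host, msg = m.groups()
        bare, stamped = UPTIME.subn("", msg)  # strip the stamp, count removals
        if bare.startswith(tag):
            forms[(when, host, bare)].add("stamped" if stamped else "bare")
    return [key for key, seen in forms.items() if seen == {"stamped", "bare"}]

def kernel_inputs(conf_text):
    """Kernel-message inputs loaded by uncommented legacy $ModLoad directives."""
    loaded = re.findall(r"(?m)^[ \t]*\$ModLoad[ \t]+(\S+)", conf_text)
    return KERNEL_INPUTS & set(loaded)

# Constructed sample data (documentation addresses, shortened fields)
SAMPLE_LOG = [
    "Sep 23 13:57:19 localhost kernel: [176459.802894] Firewall: *UDP_IN Blocked* "
    "IN=eth1 SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=40000 DPT=44818",
    "Sep 23 13:57:19 localhost kernel: Firewall: *UDP_IN Blocked* "
    "IN=eth1 SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=40000 DPT=44818",
    "Sep 23 13:58:02 localhost kernel: Firewall: *TCP_IN Blocked* "
    "IN=eth1 SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51515 DPT=23",
]
SAMPLE_CONF = """\
$ModLoad imuxsock
$ModLoad imjournal
$ModLoad imklog
#$ModLoad immark
"""

if __name__ == "__main__":
    for when, host, msg in find_double_logged(SAMPLE_LOG):
        print("logged twice:", when, host, msg[:40])
    print("kernel inputs loaded:", sorted(kernel_inputs(SAMPLE_CONF)))
```

More than one kernel input in the result, together with paired stamped and bare lines, points at the logging daemon configuration rather than at csf.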