Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Fetching contributors…

Cannot retrieve contributors at this time

66 lines (46 sloc) 2.675 kb
This information is documented in the psad.conf file as well:
By default, psad acquires iptables log data from the /var/log/messages
file which the local syslog daemon (usually) writes iptables log messages
to. If the ENABLE_SYSLOG_FILE variable is set to "N", then psad
reconfigures syslog to write iptables log data to the
/var/lib/psad/psadfifo fifo file where the messages are picked up by kmsgsd
written to the file /var/log/psad/fwdata for analysis by psad. On some
systems, having syslog communicate log data to kmsgsd can be problematic
(syslog configs and external factors such as Apparmor and SELinux can play
a role here), so leaving the ENABLE_SYSLOG_FILE variable set to "Y" is
usually recommended.
*** Pre psad-2.1.3 information below ***
TESTING YOUR INSTALLATION:
The psad installer does its best to reconfigure your syslog daemon to write
all kern.info messages (or higher) to the /var/lib/psad/psadfifo named pipe
for analysis. However, in order to test whether your installation is working
or not, you can do the following as root:
$ iptables -I INPUT -i lo -p tcp --dport 3003 -j LOG --log-prefix "Inbound "
$ telnet localhost 3003
Assuming that psad is running, this should generate in /var/log/psad/fwdata
something similar to:
Jun 15 23:37:33 <your_hostname> kernel: Inbound IN=lo OUT=
MAC=<mac_addresses> SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00
TTL=64 ID=47312 DF PROTO=TCP SPT=40945 DPT=3003 WINDOW=32767 RES=0x00 SYN
URGP=0
Also, executing "psad --Status" should display (among other things) something
like:
Iptables prefix counters:
"Inbound": 1
If the /var/log/psad/fwdata file is empty but you are getting messages in the
system log (for example when you type "dmesg" or in /var/log/messages), then
you should make sure that psad has the fifo open:
$ lsof | grep psadfifo
You should get something along the lines of:
syslogd 942 root 20u FIFO 3,5 544097 /var/lib/psad/psadfifo
kmsgsd 25457 root 0u FIFO 3,5 544097 /var/lib/psad/psadfifo
The main requirement is that iptables logs are getting logged via kern.info
(or at a higher priority such as "warn") by syslog. The default for the
iptables LOG target is log iptables messages at the "warn" priority, but
this can be changed with the --log-level option. For example, to have
iptables generate logs at the "info" priority in the INPUT chain, the
following command could be used:
# iptables -A INPUT -j LOG --log-level info
This may help cut down on iptables logs being sent to the console if your
syslog.conf instructs syslog to log kernel messages at a "warn" level or
higher to the console device.
Jump to Line
Something went wrong with that request. Please try again.