create own logfile for blocking lines #6

Closed
wikrie opened this issue Jan 22, 2016 · 2 comments


wikrie commented Jan 22, 2016

Hi tlhackque,

as far as I can see the current logging goes to:

root@server:~# colortail -f /var/log/messages
==> /var/log/messages <==
Jan 22 11:29:06 server kernel: [3151900.967133] [Blocked CC]: IN=venet0 OUT= MAC= SRC=58.140.209.21 DST=0.0.0.0 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=23949 DF PROTO=TCP SPT=37383 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

would it be possible to set up an own logfile in /var/log,

e.g.
/var/log/blocking.log

so a new entry in the config file would be needed to set up this logging.

I tried to modify the script by changing $LOG from

my $LOG = '/var/log/messages*'; # Note: This is a wildcard to handle log rotation. .gz files will decompressed on the fly and processed.

to

my $LOG = '/var/log/blocking*';

but it still writes the blockings into messages after restarting the script.

@tlhackque (Owner) commented

You don't need to change BlockCountries to write a new logfile. But you do need to change $LOG for the analysis to work if you change the file name or location.

The actual log entry is created by the kernel (netfilter).

To get output sent to another logfile, you need to configure the syslog daemon on your system.

There are a couple of them, depending on your distribution (and your choices). The most basic is syslogd; another popular one is rsyslogd.

rsyslogd will give you more choices; you can filter on the log prefix [Blocked CC]. I recommend it.

Edit /etc/syslog.conf, /etc/rsyslogd.conf, or /etc/rsyslog.d/iptables.conf -- see man syslog.conf or rsyslog.conf.

You'll also need to update logrotate - or whatever you use to manage your log files.

Finally, you do need to update $LOG in BlockCountries so that it can read it when you ask for analysis. The '*' at the end of the filename is important. It allows BlockCountries to look at log files that have been rotated.

There's a pretty good general description of how to do this (not BlockCountries-specific) at https://blog.shadypixel.com/log-iptables-messages-to-a-separate-file-with-rsyslog/

Google will turn up other tutorials and other syslogd alternatives.

The latest release of BlockCountries allows you to set $LOGLEVEL to a non-default priority level, which may help with syslog filtering. However, because the kernel generates so many different message types and every priority is used by someone, you're better off using rsyslogd to filter.

The values for $LOGLEVEL are defined by syslog; usually 0-6 (or as names, EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFORMATIONAL, and DEBUG).

As a practical matter, only NOTICE or INFORMATIONAL are useful.
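A worked rsyslog drop-in for the setup described in the comment above, added here as an example; it is not part of the issue thread or of the BlockCountries project. The file name /etc/rsyslog.d/10-blocking.conf is an assumption; the prefix [Blocked CC] and the target /var/log/blocking.log come from the thread.

```conf
# /etc/rsyslog.d/10-blocking.conf   (assumed file name, example only)
#
# Route the kernel (netfilter) lines that carry the BlockCountries log
# prefix into their own file, then stop processing so they no longer
# also land in /var/log/messages.
#
# Caveat: rsyslog evaluates rules in order. This file must be read
# before the rule that writes /var/log/messages; the stock rsyslog.conf
# includes /etc/rsyslog.d/*.conf ahead of its default rules, and the
# "10-" prefix keeps it ahead of other drop-ins. If it is included too
# late, the lines are written to messages first and the filter never sees them.
if $syslogfacility-text == 'kern' and $msg contains '[Blocked CC]' then {
    action(type="omfile" file="/var/log/blocking.log")
    stop
}

# Legacy-syntax equivalent (pre-v7 rsyslog):
# :msg, contains, "[Blocked CC]"    /var/log/blocking.log
# & stop
```

After `systemctl restart rsyslog` (or the equivalent for your init system), add a matching logrotate stanza for /var/log/blocking.log and set `$LOG = '/var/log/blocking*'` in BlockCountries so analysis still finds rotated files.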

@tlhackque (Owner) commented

Since I haven't heard from you in a week, I assume you are satisfied. I'm closing this issue.

In the future, please indicate whether issues that you raised are addressed satisfactorily and close your issues when they are.

Thanks.
