With a good understanding of the requirements imposed by psad on the iptables policy configuration, we'll now turn to the mechanism psad uses to acquire iptables log messages. When a packet is matched by a LOG rule within iptables, the kernel reports this fact via klogd, the kernel logging daemon. The resulting kernel log message is then normally passed on to syslog for eventual reporting to a file, to a named pipe, or even to an entirely separate system via the Berkeley sockets interface. This all depends on the set of features offered by the syslog daemon and how its configuration is set up.
The syslogd and syslog-ng daemons are compatible with psad, and psad also has some limited support for metalog. Both syslogd and syslog-ng can write log messages to named pipes; psad takes advantage of this by configuring all kern.info log messages to be written to the /var/lib/psad/psadfifo named pipe, where they are then picked up by kmsgsd. When kmsgsd receives a syslog message via the psadfifo, it checks whether the message contains two substrings (IN= and OUT=) to ensure that the syslog message was generated by iptables. If the message passes this test, kmsgsd appends it to the file /var/log/psad/fwdata so that it will be seen by psad. After all, many kern.info syslog messages could be generated by portions of the kernel that have nothing to do with iptables; kmsgsd ensures that only iptables messages are subsequently analyzed by psad.
NOTE The IN= and OUT= strings denote the input and output interfaces associated with a packet that has been logged via the iptables LOG target. These strings are always included in iptables log messages.
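The kmsgsd filtering step described above, as an added Python example (this is not psad's own code, which is written in Perl): the same IN=/OUT= substring test is applied to a few constructed kern.info lines, matching lines are relayed to an fwdata-style sink, and the KEY=VALUE fields of an iptables LOG message are split out for later analysis. The function names and sample lines are assumptions made for this example.

```python
import io
import re
from typing import Dict, List, Tuple

# Constructed sample kern.info lines: two iptables LOG messages (one inbound,
# one outbound) and one unrelated kernel message on the same facility.
SAMPLE_SYSLOG_LINES = [
    'Jul 10 12:00:01 host kernel: DROP IN=eth0 OUT= '
    'MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 '
    'LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=1 PROTO=TCP SPT=40000 DPT=22 '
    'WINDOW=1024 RES=0x00 SYN URGP=0',
    'Jul 10 12:00:02 host kernel: usb 1-1: new high-speed USB device number 2',
    'Jul 10 12:00:03 host kernel: ACCEPT IN= OUT=eth0 SRC=192.0.2.1 '
    'DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP '
    'SPT=53 DPT=53',
]

def is_iptables_message(line: str) -> bool:
    """The test kmsgsd applies: both IN= and OUT= must appear in the message."""
    return "IN=" in line and "OUT=" in line

_FIELD_RE = re.compile(r'\b([A-Z]+)=(\S*)')

def parse_iptables_fields(line: str) -> Dict[str, str]:
    """Split the KEY=VALUE pairs of an iptables LOG message into a dict.
    Empty values (e.g. OUT= for a locally delivered packet) are kept as ''."""
    return dict(_FIELD_RE.findall(line))

def relay(src, dst) -> int:
    """Copy iptables messages from a readable file object (the psadfifo in
    kmsgsd's case) to an appendable one (fwdata). Returns the count relayed."""
    relayed = 0
    for line in src:
        if is_iptables_message(line):
            dst.write(line if line.endswith("\n") else line + "\n")
            relayed += 1
    return relayed

def demo_relay(lines: List[str] = SAMPLE_SYSLOG_LINES) -> Tuple[int, str]:
    """Run relay() over in-memory stand-ins for the fifo and fwdata."""
    fifo, fwdata = io.StringIO("\n".join(lines) + "\n"), io.StringIO()
    count = relay(fifo, fwdata)
    return count, fwdata.getvalue()

if __name__ == "__main__":
    count, out = demo_relay()
    print(f"{count} iptables message(s) relayed")
    for entry in out.splitlines():
        f = parse_iptables_fields(entry)
        print(f"IN={f['IN']!r} OUT={f['OUT']!r} {f['SRC']} -> {f['DST']} "
              f"{f['PROTO']}/{f['DPT']}")
```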
If psad is running on a system with syslogd installed, the following line is appended to the /etc/syslog.conf configuration file at install time; it configures syslogd to write kern.info messages to /var/lib/psad/psadfifo:
kern.info |/var/lib/psad/psadfifo

syslog-ng
If, on the other hand, syslog-ng is the syslog daemon of choice on the local system, then the following lines are appended to the /etc/syslog-ng/syslog-ng.conf configuration file at install time. (A check is performed to ensure that the logging source psadsrc is defined earlier in the syslog-ng.conf file and that it points to /proc/kmsg.)
source psadsrc { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
filter f_psad { facility(kern) and match("IN=") and match("OUT="); };
destination psadpipe { pipe("/var/lib/psad/psadfifo"); };
log { source(psadsrc); filter(f_psad); destination(psadpipe); };