The Filter

filter f_iptables { facility(kern) and match("IN=") and match("OUT=");

A filter in syslog-ng is the same as the first field in the syslog.conf file but has the capability to be much more granular. In the example shown in Listing 7-5, you are defining a filter named f_iptables. This filter filters out messages that have the logging facility of KERN (kernel) and uses a regular expression comparison to match a message if it contains the words IN or OUT. The regular expression capabilities of syslog-ng enable you to eliminate or redirect logging messages based on examining their contents.

I £ We talk about firewalls and iptables in detail in Chapter 24. For now, you can tell iptables to log messages about a TCP/IP packet with a message prefix. For example, you can say that if a message indicates that a packet has been denied into your machine/network, then the message is prefixed with the word IN. The same is true for any messages that have been denied OUT of your network. In this case, you could tell syslog-ng to log these facts into a separate file for your perusal at a convenient time.

Was this article helpful?

0 0

Post a comment