cipherdyne.org

Michael Rash, Security Researcher
psad Syslog Configuration

The first thing to check if psad is not receiving any iptables log messages is that your syslog configuration sends kern.info messages (or higher) to the /var/lib/psad/psadfifo named pipe. The psad installer does its best to reconfigure your syslog daemon to write all kern.info messages (or higher) to that named pipe for analysis. To test whether your installation is working, you can do the following (as root):
# iptables -I INPUT -i lo -p tcp --dport 3003 -j LOG --log-prefix "Inbound "
# telnet localhost 3003
Assuming that psad is running, this should produce something similar to the following in /var/log/psad/fwdata:
Jun 15 23:37:33 netfilter kernel: Inbound IN=lo OUT=
MAC=00:13:d3:38:b6:e4:00:01:5c:22:9b:c2:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60
TOS=0x10 PREC=0x00 TTL=64 ID=47312 DF PROTO=TCP SPT=40945 DPT=3003 WINDOW=32767
RES=0x00 SYN URGP=0
Also, executing "psad --Status" should display (among other things) something like:
Iptables prefix counters:
    "Inbound": 1
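To make concrete what psad is tallying when it reports the "Iptables prefix counters" above, here is an added Python example; it is not code from psad or from this page, and it is a simplified stand-in for psad's own parsing. It re-joins Netfilter LOG records that were wrapped across several lines (as in the fwdata excerpt above), extracts the --log-prefix text and the KEY=VALUE fields, and counts records per prefix. The first sample record is the one shown above; the second and third records are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the wrapped form shown on the page: record one is the
# "Inbound" record from the excerpt above (spanning four lines), record two is a
# made-up record with a different prefix, record three is a kernel message that
# is not a Netfilter LOG record at all.
SAMPLE_FWDATA = """\
Jun 15 23:37:33 netfilter kernel: Inbound IN=lo OUT=
MAC=00:13:d3:38:b6:e4:00:01:5c:22:9b:c2:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60
TOS=0x10 PREC=0x00 TTL=64 ID=47312 DF PROTO=TCP SPT=40945 DPT=3003 WINDOW=32767
RES=0x00 SYN URGP=0
Jun 15 23:38:01 netfilter kernel: DROP IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=443 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 15 23:38:02 netfilter kernel: usb 1-1: new high-speed USB device
"""

# A syslog record begins with "Mon DD HH:MM:SS"; anything else is a continuation.
TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d ")
# Every Netfilter LOG record carries "IN=" and "OUT="; the optional --log-prefix
# text sits between "kernel:" and "IN=".
NETFILTER_RE = re.compile(r"kernel:\s*(?P<prefix>.*?)\s*IN=\S*\s+OUT=")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def join_wrapped(lines):
    """Re-join records that were wrapped onto several lines.

    A line that does not start with a syslog timestamp is appended to the
    previous record, so the four-line excerpt above becomes one record.
    """
    records = []
    for line in lines:
        if not line.strip():
            continue
        if TIMESTAMP_RE.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_netfilter_line(record):
    """Parse one Netfilter LOG record.

    Returns {"prefix": str, "fields": {KEY: VALUE}, "flags": [bare tokens]}
    or None when the record is not a Netfilter LOG message.
    """
    m = NETFILTER_RE.search(record)
    if m is None:
        return None
    body = record[m.end("prefix"):]
    fields = dict(FIELD_RE.findall(body))
    # Tokens without "=" (DF, SYN, ACK, ...) are TCP/IP flags.
    flags = [tok for tok in body.split() if "=" not in tok]
    return {"prefix": m.group("prefix"), "fields": fields, "flags": flags}


def prefix_counters(lines):
    """Count Netfilter records per --log-prefix, like the
    'Iptables prefix counters' section of psad --Status."""
    counts = Counter()
    for rec in join_wrapped(lines):
        parsed = parse_netfilter_line(rec)
        if parsed is not None:
            counts[parsed["prefix"]] += 1
    return counts


if __name__ == "__main__":
    print("Iptables prefix counters:")
    for prefix, n in prefix_counters(SAMPLE_FWDATA.splitlines()).items():
        print(f'    "{prefix}": {n}')
```

Running the script on the constructed sample prints one counter for "Inbound" and one for "DROP"; the USB message is ignored because it has no IN=/OUT= fields. Feeding real /var/log/psad/fwdata text to prefix_counters() is a quick way to confirm that the log prefix you set with --log-prefix is actually reaching psad.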
If the /var/log/psad/fwdata file is empty but you are getting messages in the system log (for example in the output of "dmesg" or in /var/log/messages), then you should make sure that psad has the fifo open:
# lsof | grep psadfifo
syslogd     942   root   20u   FIFO  3,5   544097 /var/lib/psad/psadfifo
kmsgsd    25457   root    0u   FIFO  3,5   544097 /var/lib/psad/psadfifo
The main requirement is that Netfilter logs are logged by syslog at the kern.info priority or higher (such as "warn"). By default the Netfilter LOG target logs messages at the "warn" priority, but this can be changed with the --log-level option. For example, to have Netfilter generate logs at the "info" priority in the INPUT chain, the following command could be used:
# iptables -A INPUT -j LOG --log-level info
This may help cut down on Netfilter logs being sent to the console if your /etc/syslog.conf instructs syslog to log kernel messages at the "warn" priority or higher to the console device.