iptables not logging via syslog after installing grsecurity

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

iptables not logging via syslog after installing grsecurity

Postby kiliber » Tue Jun 13, 2006 9:35 am

Hi all,

I have a problem with grsecurity 2.1.8 (kernel 2.6.14) and iptables version 1.2.11: since installing the grsecurity patch and gradm, iptables does not log to syslog anymore. Console logging still works and the messages are present in the kernel ring buffer (dmesg), but the kernel facility in syslog does not receive the messages from iptables specified with --LOG target anymore, no matter what priority I specify.

Has anyone ever experienced something similar before? Where should I go looking? I tweaked with kernel.printk, syslog.conf and the iptables LOG statement, but I'm quite stuck right now... Thanks for any hint!

Greetings,
Kilian
kiliber
 
Posts: 2
Joined: Tue Jun 13, 2006 9:15 am

Postby Kp » Tue Jun 13, 2006 9:48 pm

I haven't seen this problem, but based on your description, syslog is unable to retrieve messages from the kernel. If you stop and restart syslog, do you see anything in dmesg from grsec about blocking syslog? Do you get any other kernel messages in your syslog output (for instance, grsec's alerts about policy violations)? What is your policy for the syslog daemon? Did you write it yourself or did you use the learning mode to create it? If you used learning mode, how long did you let it learn before you created the policy?
Kp
 
Posts: 46
Joined: Tue Sep 20, 2005 12:56 am

Postby spender » Tue Jun 13, 2006 10:10 pm

Did you make sure that the log module for iptables is compiled into your new kernel?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby kiliber » Wed Jun 14, 2006 4:31 am

If I restart syslog, I don't see anything about grsec blocking syslog. And I do not get any other kernel messages in my syslog output.

About the policy: I used the learning mode as described in the Quickstart Guide, doing:

Code: Select all
$ gradm -F -L /etc/grsec/learning.log


and after one day

Code: Select all
$ gradm -F -L /etc/grsec/learning.log -O /etc/grsec/acl


now: do I need to copy this file /etc/grsec/acl over /etc/grsec/policy? I am not very clear about this..There exists a /etc/grsec/policy, but I did not create this file.

And yes, the LOG target is compiled into the kernel.

Thanks a lot for your help!

Greetings,
Kilian
kiliber
 
Posts: 2
Joined: Tue Jun 13, 2006 9:15 am

Postby spender » Wed Jun 14, 2006 7:51 pm

Yes, you need to replace the /etc/grsec/policy file.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to grsecurity support

cron