# 0 emerg
#
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
# log messages are generated by NetFilter and are logged using facility
# 'kern' and the level that you specify. If you are unsure of the level
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
# number.
#
# If you have built your kernel with ULOG target support, you may also
# specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'.
# ulogd is available with most Linux distributions (although it probably isn't
# installed by default). Ulogd is also available from
# http://www.gnumonks.org/projects/ulogd and can be configured to log all
# Shorewall messages to their own log file
################################################################################
#
# LOG FILE LOCATION
#
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages. It does NOT control the destination for
# these messages. For information about how to do that, see
#
# http://www.shorewall.net/shorewall_logging.html

LOGFILE=/var/log/messages

#
# LOG FORMAT
#
# Shell 'printf' formatting template for the --log-prefix value in log messages
# generated by Shorewall to identify Shorewall log messages. The supplied
# template is expected to accept either two or three arguments; the first is
# the chain name, the second (optional) is the logging rule number within that
# chain and the third is the ACTION specifying the disposition of the packet
# being logged. You must use the %d formatting type for the rule number; if your
# template does not contain %d then the rule number will not be included.
#
# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
#
# LOGFORMAT="fp=%s:%d a=%s "
#
# If not specified or specified as empty (LOGFORMAT="") then the value
# "Shorewall:%s:%s:" is assumed.
#
# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up
# to but not including the first '%') to find log messages in the 'show log',
# 'status' and 'hits' commands. This part should not be omitted (the
# LOGFORMAT should not begin with "%") and the leading part should be
# sufficiently unique for /sbin/shorewall to identify Shorewall messages.

LOGFORMAT="Shorewall:%s:%s:"

#
# LOG FORMAT Continued
#
# Using the default LOGFORMAT, chain names may not exceed 11 characters or
# truncation of the log prefix may occur. Longer chain names may be used with
# log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is
# specified then the tag is included in the log prefix in place of the chain
# name.
#
LOGTAGONLY=No

#
# LOG RATE LIMITING
#
# The next two variables can be used to control the amount of log output
# generated. LOGRATE is expressed as a number followed by an optional
# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
# rate at which a particular message will occur. LOGBURST determines the
# maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used.
#
# If BOTH variables are set empty then logging will not be rate-limited.
#
# Example:
#
# LOGRATE=10/minute
# LOGBURST=5
#
# For each logging rule, the first time the rule is reached, the packet
# will be logged; in fact, since the burst is 5, the first five packets
# will be logged. After this, it will be 6 seconds (1 minute divided by
# the rate of 10) before a message will be logged from the rule, regardless
# of how many packets reach it. Also, every 6 seconds which passes without
# matching a packet, one of the bursts will be regained; if no packets hit
# the rule for 30 seconds, the burst will be fully recharged; back where
# we started.
#
LOGRATE=
LOGBURST=

#
# LOG ALL NEW
#
# This option should only be used when you are trying to analyze a problem.
# It causes all packets in the Netfilter NEW state to be logged as the
# first rule in each builtin chain. To use this option, set LOGALLNEW to
# the log level that you want these packets logged at (e.g.,
# LOGALLNEW=debug).
#
LOGALLNEW=

#
# BLACKLIST LOG LEVEL
#
# Set this variable to the syslogd level that you want blacklist packets logged
# (beware of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs.
#
# See the comment at the top of this section for a description of log levels
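The following is an added example, not part of shorewall.conf and not code from the Shorewall scripts. It models what the LOG FORMAT comments above describe: the LOGFORMAT template is rendered with printf semantics into the --log-prefix of a logging rule (two arguments, or three when the template contains %d), the leading part of the template before the first '%' is the marker a tool like /sbin/shorewall keys on to find Shorewall messages in the syslog file, and the rendered prefix is checked against the 29-character limit of the netfilter LOG target that makes chain names longer than 11 characters risky with the default template. The syslog lines, the function names and the regex derived from the template are all constructed for this example.

```python
"""Added example: rendering LOGFORMAT and finding Shorewall messages in a log.
Not part of shorewall.conf or the Shorewall code base."""
import re

# The netfilter LOG target keeps at most 29 characters of --log-prefix; a
# longer prefix is silently truncated, which is why the configuration file
# limits chain names to 11 characters with the default "Shorewall:%s:%s:".
MAX_LOG_PREFIX = 29


def render_log_prefix(logformat, chain, action, rule_number=None):
    """Render LOGFORMAT like shell printf; %d pulls in the rule number."""
    if "%d" in logformat:
        if rule_number is None:
            raise ValueError("template contains %d but no rule number given")
        return logformat % (chain, rule_number, action)
    return logformat % (chain, action)


def prefix_truncated(prefix):
    """True when netfilter would cut the rendered prefix short."""
    return len(prefix) > MAX_LOG_PREFIX


def logformat_marker(logformat):
    """Leading part of LOGFORMAT up to the first '%' (see the CAUTION above)."""
    marker = logformat.split("%", 1)[0]
    if not marker:
        raise ValueError("LOGFORMAT must not begin with '%'")
    return marker


def logformat_regex(logformat):
    """Turn the template into a regex capturing chain, [rule number,] action.

    Splitting on the placeholders first keeps the literal parts escaped
    regardless of how re.escape treats '%' on a given Python version.
    """
    parts = re.split(r"(%[sd])", logformat)
    pattern = "".join(
        r"([^\s:]+)" if p == "%s" else r"(\d+)" if p == "%d" else re.escape(p)
        for p in parts
    )
    return re.compile(pattern)


def parse_shorewall_log(log_lines, logformat="Shorewall:%s:%s:"):
    """Return (chain, action, netfilter fields) for each Shorewall message."""
    marker = logformat_marker(logformat)
    regex = logformat_regex(logformat)
    found = []
    for line in log_lines:
        if marker not in line:          # what 'shorewall show log' keys on
            continue
        m = regex.search(line)
        if not m:
            continue
        groups = m.groups()
        chain, action = groups[0], groups[-1]
        # Netfilter's own KEY=VALUE pairs follow the prefix.
        fields = dict(re.findall(r"(\w+)=(\S*)", line[m.end():]))
        found.append((chain, action, fields))
    return found


# Constructed sample syslog lines (RFC 5737 documentation addresses); the
# second line is ordinary syslog noise that the marker must skip.
SAMPLE_LOG = [
    "Jan  5 10:21:03 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= "
    "SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=4444 DPT=22",
    "Jan  5 10:21:04 fw sshd[812]: Accepted publickey for admin from 192.0.2.7",
    "Jan  5 10:21:09 fw kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= "
    "SRC=198.51.100.9 DST=192.0.2.1 PROTO=UDP SPT=1900 DPT=1900",
]

if __name__ == "__main__":
    for chain, action, fields in parse_shorewall_log(SAMPLE_LOG):
        print(chain, action, fields.get("SRC"), "->", "port", fields.get("DPT"))
    fp = render_log_prefix("fp=%s:%d a=%s ", "net2fw", "DROP", 3)
    print(repr(fp), "truncated:", prefix_truncated(fp))
```

Run as a script it prints the two Shorewall entries from the constructed log and the fireparse-style prefix; the `prefix_truncated` check is the one to run over every chain name before choosing a template, since a truncated prefix breaks the marker-based search the CAUTION describes.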
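As a second added example (again not code from shorewall.conf or from Shorewall), here is a small simulation of the LOG RATE LIMITING behaviour described above: LOGBURST credits are spent one per logged packet, and one credit is regained every LOGRATE interval, so with LOGRATE=10/minute and LOGBURST=5 the first five packets are logged, then one every 6 seconds, and 30 idle seconds refill the burst. The credit bookkeeping mirrors how the netfilter limit match keeps its credits; the class and function names are this example's own, and the rule that LOGRATE must be present whenever LOGBURST is set is an assumption made here rather than a statement from the file.

```python
"""Added example: token-bucket model of LOGRATE / LOGBURST.
Not part of shorewall.conf or the Shorewall code base."""

# Suffixes listed in the configuration file; a bare number means per second.
_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_lograte_ms(lograte):
    """Milliseconds between regained credits for a LOGRATE such as '10/minute'."""
    number, _, unit = lograte.partition("/")
    unit = unit or "second"
    if unit not in _UNIT_SECONDS:
        raise ValueError("unknown LOGRATE suffix: /%s" % unit)
    # Integer milliseconds, like the kernel's credit arithmetic; 10/minute -> 6000.
    return _UNIT_SECONDS[unit] * 1000 // int(number)


class LogRateLimiter:
    """One rate limiter per logging rule, as the comment above describes.

    Credits are kept in milliseconds: logging a packet costs `interval_ms`,
    the bucket holds LOGBURST * interval_ms, and elapsed time is paid back in
    as credit.  This avoids floating-point drift when summing intervals.
    """

    def __init__(self, lograte="", logburst=""):
        self.enabled = bool(lograte or logburst)   # both empty: no limiting
        if not self.enabled:
            return
        if not lograte:
            # Assumption of this example: a burst without a rate is a config error.
            raise ValueError("LOGBURST is set but LOGRATE is empty")
        self.interval_ms = parse_lograte_ms(lograte)
        burst = int(logburst) if logburst else 5       # default from the file
        self.credit_cap = burst * self.interval_ms
        self.credit = self.credit_cap                  # starts fully charged
        self.last_ms = 0

    def packet(self, t):
        """Return True if a packet hitting the rule at time t (seconds) is logged."""
        if not self.enabled:
            return True
        now = int(round(t * 1000))
        self.credit = min(self.credit_cap, self.credit + (now - self.last_ms))
        self.last_ms = now
        if self.credit >= self.interval_ms:
            self.credit -= self.interval_ms
            return True
        return False


def worked_example():
    """Reproduce the LOGRATE=10/minute, LOGBURST=5 walk-through from the file.

    Returns (packets logged from an initial burst of 10, the times in 1..12 s
    at which a one-packet-per-second stream was logged, packets logged from
    a second burst of 10 after 30 idle seconds).
    """
    lim = LogRateLimiter("10/minute", "5")
    first_burst = sum(lim.packet(0.0) for _ in range(10))          # 5
    steady = [t for t in range(1, 13) if lim.packet(float(t))]      # [6, 12]
    second_burst = sum(lim.packet(42.0) for _ in range(10))        # 5 again
    return first_burst, steady, second_burst


if __name__ == "__main__":
    print(worked_example())
```

The numbers the walk-through in the file gives fall out directly: ten packets at once yield five log lines, a steady stream is logged at 6 s and 12 s, and after the stream stops at 12 s the bucket is full again by 42 s. The `enabled` flag covers the "both variables empty" case, where every packet reaching a logging rule is logged.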