# 0 emerg
#
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
# log messages are generated by NetFilter and are logged using facility
# 'kern' and the level that you specifify. If you are unsure of the level
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
# number.
#
# If you have built your kernel with ULOG target support, you may also
# specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'.
# ulogd is available with most Linux distributions (although it probably isn't
# installed by default). Ulogd is also available from
# http://www.gnumonks.org/projects/ulogd and can be configured to log all
# Shorewall message to their own log file
################################################################################
#
# LOG FILE LOCATION
#
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
#
# http://www.shorewall.net/shorewall_logging.html
LOGFILE=/var/log/messages
#
# LOG FORMAT
#
# Shell 'printf' Formatting template for the --log-prefix value in log messages
# generated by Shorewall to identify Shorewall log messages. The supplied
# template is expected to accept either two or three arguments; the first is
# the chain name, the second (optional) is the logging rule number within that
# chain and the third is the ACTION specifying the disposition of the packet
# being logged. You must use the %d formatting type for the rule number; if your
# template does not contain %d then the rule number will not be included.
#
# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
#
# LOGFORMAT="fp=%s:%d a=%s "
#
# If not specified or specified as empty (LOGFORMAT="") then the value
# "Shorewall:%s:%s:" is assumed.
#
# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up
# to but not including the first '%') to find log messages in the 'show log',
# 'status' and 'hits' commands. This part should not be omitted (the
# LOGFORMAT should not begin with "%") and the leading part should be
# sufficiently unique for /sbin/shorewall to identify Shorewall messages.
LOGFORMAT="Shorewall:%s:%s:"
#
# LOG FORMAT Continued
#
# Using the default LOGFORMAT, chain names may not exceed 11 characters or
# truncation of the log prefix may occur. Longer chain names may be used with
# log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is
# specified then the tag is included in the log prefix in place of the chain
# name.
#
LOGTAGONLY=No
#
# LOG RATE LIMITING
#
# The next two variables can be used to control the amount of log output
# generated. LOGRATE is expressed as a number followed by an optional
# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
# rate at which a particular message will occur. LOGBURST determines the
# maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used.
#
# If BOTH variables are set empty then logging will not be rate-limited.
#
# Example:
#
# LOGRATE=10/minute
# LOGBURST=5
#
# For each logging rule, the first time the rule is reached, the packet
# will be logged; in fact, since the burst is 5, the first five packets
# will be logged. After this, it will be 6 seconds (1 minute divided by
# the rate of 10) before a message will be logged from the rule, regardless
# of how many packets reach it. Also, every 6 seconds which passes without
# matching a packet, one of the bursts will be regained; if no packets hit
# the rule for 30 seconds, the burst will be fully recharged; back where
# we started.
#
LOGRATE=
LOGBURST=
#
# LOG ALL NEW
#
# This option should only be used when you are trying to analyze a problem.
# It causes all packets in the Netfilter NEW state to be logged as the
# first rule in each builtin chain. To use this option, set LOGALLNEW to
# the log level that you want these packets logged at (e.g.,
# LOGALLNEW=debug).
#
LOGALLNEW=
#
# BLACKLIST LOG LEVEL
#
# Set this variable to the syslogd level that you want blacklist packets logged
# (beware of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs.
#
# See the comment at the top of this section for a description of log levels
共8页: 上一页 [1] [2] 3 [4] [5] [6] [7] [8] 下一页 |
