iptables LOG target in VE :: supported? [message #15906]
Wed, 15 August 2007 17:41
rickb
Hello friends.
I am attempting to use the iptables log target in the VE.
[root@arsenic ~]# lsmod | grep -i log
ipt_LOG 7712 56
ip_tables 23472 16 ipt_recent,ipt_REDIRECT,iptable_nat,ipt_state,ipt_length,ipt_ttl,ipt_tcpmss,ipt_TCPMSS,iptable_mangle,iptable_filter,ipt_multiport,ipt_limit,ipt_LOG,ipt_TOS,ipt_tos,ipt_REJECT
[root@arsenic ~]#
[root@arsenic ~]# vzctl enter 9890933
entered into VE 9890933
[root@dark /]#
[root@dark /]# grep LOG /proc/net/ip_tables_targets
LOG
When I create a simple logging rule such as: '-A INPUT -p tcp --dport 22 -j LOG', no messages seem to be hitting syslog. I tested this with a CentOS 4 VE.
Am I missing something here or is the log target unsupported in the VE context? If so, I will create a bugzilla report.
Thank you
Rick
-------------
Common Terms I post with: http://wiki.openvz.org/Category:Definitions
UBC. Learn it, love it, live it: http://wiki.openvz.org/Proc/user_beancounters
Re: iptables LOG target in VE :: supported? [message #15930 is a reply to message #15908]
Thu, 16 August 2007 07:26
khorenko
1) does 'dmesg' show the logs from ipt_LOG?
2) is klogd running inside a VE? (by default it's not)
I guess this (2) is the reason. Could you please check?
Thank you,
Konstantin.
If your problem is solved - please, report it!
It's even more important than reporting the problem itself...
Re: iptables LOG target in VE :: supported? [message #20226 is a reply to message #20152]
Thu, 13 September 2007 14:21
khorenko
Well, we do change syslog in the template's post-install scripts to skip klogd startup, but you can undo the changes - just diff the syslog init script from a VE and from the normal system.
The idea is "passed klogd skipped $KLOGD_OPTIONS" -> "daemon klogd $KLOGD_OPTIONS"; the same for stopping, and there might be some other pieces of code dealing with klogd in /etc/rc.d/init.d/syslog.
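The init-script check described in the post above, as an added example that is not part of the thread: it classifies a syslog init script by the two strings quoted there and confirms the LOG target is listed. The function names (klogd_state, log_target_listed, diagnose) and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies how a sysvinit syslog
# script treats klogd, using the two strings quoted in the thread.

# Print "skipped", "enabled" or "unknown" for the init script at $1.
klogd_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    # Drop comment lines so a commented-out entry is not counted.
    active=$(grep -v '^[[:space:]]*#' "$1" || true)
    if printf '%s\n' "$active" | grep -q 'passed klogd skipped'; then
        echo skipped
    elif printf '%s\n' "$active" | grep -Eq 'daemon[[:space:]]+klogd'; then
        echo enabled
    else
        echo unknown
    fi
}

# Print "yes" if the LOG target is listed in the targets file at $1.
log_target_listed() {
    if [ -r "$1" ] && grep -qx 'LOG' "$1"; then echo yes; else echo no; fi
}

# Combine both checks into one verdict line.
diagnose() {
    if [ "$(log_target_listed "$1")" = no ]; then
        echo "LOG target not available"
        return 0
    fi
    case $(klogd_state "$2") in
        skipped) echo "klogd skipped: LOG messages are not forwarded to syslog" ;;
        enabled) echo "klogd started: LOG messages should reach syslog" ;;
        *)       echo "cannot tell: inspect the init script by hand" ;;
    esac
}

# Constructed sample input so the example runs anywhere.
demo=$(mktemp -d)
printf 'LOG\nREJECT\n' > "$demo/targets"
printf 'start() {\n\tpassed klogd skipped $KLOGD_OPTIONS\n}\n' > "$demo/syslog.ve"
printf 'start() {\n\t#passed klogd skipped\n\tdaemon klogd $KLOGD_OPTIONS\n}\n' > "$demo/syslog.fixed"
diagnose "$demo/targets" "$demo/syslog.ve"
diagnose "$demo/targets" "$demo/syslog.fixed"
rm -rf "$demo"
```

Inside a VE the equivalent call is `diagnose /proc/net/ip_tables_targets /etc/rc.d/init.d/syslog`, using the two paths named in the thread.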
Re: iptables LOG target in VE :: supported? [message #20269 is a reply to message #20228]
Fri, 14 September 2007 13:04
khorenko
At the very beginning the kernel log simply was not virtualized.
So this was just a redundant process inside a VE.
Times change but nobody asked about it, so it was left as is.
One more reason: klogd calls sync() quite often, and on heavily loaded nodes this might be a long operation because it affects all VEs on the node.
Re: iptables LOG target in VE :: supported? [message #20276 is a reply to message #20275]
Fri, 14 September 2007 13:57
khorenko
finist wrote on Thu, 13 September 2007 18:21:
> The idea is "passed klogd skipped $KLOGD_OPTIONS" -> "daemon klogd $KLOGD_OPTIONS", the same for stopping and might be some other pieces...
ugob wrote on Fri, 14 September 2007 17:29:
> I guess I would have to change the stop() as well? Otherwise klogd is not killed at stop.
Yes, you are right.
ugob wrote on Fri, 14 September 2007 17:22:
> Ok
> I think this should be documented somewhere... What do you think?
> I can help if needed.
Well, agreed, it makes sense to document it. I suppose a wiki page devoted to klogd would be perfect, and it would be great if you can help us create it. So if you have time, you are welcome.