The problem is simple: you want to log the packets that your firewall drops, so you add a simple “iptables -A whatever -i eth0 -j LOG --log-prefix "INPUT DENIED "” just before the DROP/REJECT to your firewall script. Then netfilter logs all the packets to syslog with the kern facility. But then if you try to use the system console, it gets littered with all the logs about dropped packets.
So then you can comment out the line about /dev/console in /etc/syslog.conf but that stops ALL kernel messages from going to the console, which is also not desirable. You’re stuck.
One alternative is ulogd. Install that, configure it to log to syslog, but a different facility (like local5) and change the iptables line from “LOG” to “ULOG” and tell syslog where to log the local5 lines and you’re set.
That’s fine for the short term, but ulogd is arguably abandoned because the author is too busy. There is also a newer, unstable version (ulogd v2.x) that doesn’t work yet. And the project’s mailing list has people recommending other implementations because of limitations in ulogd.
Another option is syslog-ng, the so-called “Next Generation” syslog. However, it’s maintained by a company that doesn’t spend any effort packaging the “open source edition”. Neither ulogd nor syslog-ng is easy to obtain from standard repositories.
And then there are the plans for RHEL6 to move to rsyslog. So I guess we should be using rsyslog?
I think I’ll stick with ulogd for EL4/5 since that requires the fewest changes from stock configuration.
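As an added illustration (my own code, not from the post or any of the tools it names), here is the split the post is after, expressed as a small Python filter over constructed syslog lines: kernel messages carrying the "INPUT DENIED " prefix are parsed into their netfilter fields for a firewall log, every other kernel message is kept for the console, and the rsyslog equivalent is noted in a comment. Sample lines and function names are assumptions.

```python
import re

FW_PREFIX = "INPUT DENIED "   # the --log-prefix used in the firewall script

# The same split in rsyslog's legacy syntax, placed before the kern.* console line:
#   :msg, contains, "INPUT DENIED " /var/log/firewall.log
#   & ~
# (the "& ~" discards the matched line so the console line below never sees it)

# Classic syslogd line layout: "Mon DD HH:MM:SS host program: message"
_SYSLOG = re.compile(r"^(\w{3}\s+\d{1,2}\s+[\d:]{8})\s+(\S+)\s+([^:\s]+):\s?(.*)$")
# Netfilter LOG output is a run of KEY=VALUE tokens; flags such as DF or SYN carry no value
_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_netfilter(msg):
    """Return the KEY=VALUE fields of a netfilter LOG message as a dict."""
    return dict(_FIELD.findall(msg))

def route(line):
    """Classify one syslog line the way the desired syslog config would.

    Returns a (destination, payload) pair:
      ('firewall', fields)  kernel message carrying FW_PREFIX, fields parsed
      ('console', message)  any other kernel message, still wanted on the console
      ('ignore', message)   not a kernel message; the console line never matched it
    """
    m = _SYSLOG.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    program, message = m.group(3), m.group(4)
    if program != "kernel":
        return ("ignore", message)
    if message.startswith(FW_PREFIX):
        return ("firewall", parse_netfilter(message[len(FW_PREFIX):]))
    return ("console", message)

def split_log(lines):
    """Run route() over many lines and bucket the payloads by destination."""
    out = {"firewall": [], "console": [], "ignore": []}
    for line in lines:
        dest, payload = route(line)
        out[dest].append(payload)
    return out

# Constructed sample lines (not real traffic), in the layout classic syslogd writes
SAMPLE = [
    "Mar  3 10:15:01 fw1 kernel: INPUT DENIED IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar  3 10:15:02 fw1 kernel: EXT4-fs (sda1): mounted filesystem with ordered data mode",
    "Mar  3 10:15:03 fw1 sshd[2211]: Accepted publickey for admin from 192.0.2.5 port 50122 ssh2",
]
```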