[Fedora-infrastructure-list] epylog reports

Luke Macken lmacken at redhat.com
Tue Oct 17 21:39:43 UTC 2006


On Tue, Oct 17, 2006 at 12:09:55PM -0400, seth vidal wrote:
> On Tue, 2006-10-17 at 11:41 -0400, Luke Macken wrote:
> > On Tue, Oct 17, 2006 at 08:26:26AM -0500, Mike McGrath wrote:
> > > On 10/17/06, seth vidal <skvidal at linux.duke.edu> wrote:
> > > >Hey guys,
> > > > I've been somewhat annoyed by the reports we've been getting. Is there
> > > >a compelling reason why we need to have invalid connection attempts to
> > > >proxy* logged? Why don't we just remove the -J LOG call and REJECT the
> > > >connection normally?
> > > >
> > > >We're not going to DO anything about the connection so why not decrease
> > > >the garbage that we see in the log reports?
> > > >
> > > >-sv
> > > >
> > > 
> > > Fine with me, Luke what do you think?
> > 
> > Yeah, that noise definitely needs to stop.  I'll poke around at the
> > pyroman configs later tonight and see if I can stop that.
> > 
> > For future reference, all of our firewall configurations are in
> > 'fedora-config/files/DEFAULT/etc/pyroman', and the logging in particular
> > is 04_log.py.  So feel free to fix up any problems that you see.
> > 
> > This is the chain that is causing the ruckus:
> > 
> >     ## Log dropped packets in a nicer format
> >     add_chain("USR_drop")
> >     for state in ("NEW", "ESTABLISHED", "RELATED", "INVALID", "SNAT", "DNAT"):
> >         iptables("USR_drop", "-m conntrack --ctstate %s -m limit --limit %s --limit-burst %s -j LOG --log-prefix \"CONN=%s \"" % (state, LOGLIMIT, LOGLIMITBURST, state))
> >     iptables("USR_drop", "-j DROP")
> > 
> > I guess the question is, what *do* we want to log?
> 
> Do we care? If the packet is being dropped does it matter if we know
> about it?
> 
> If we have a problem with a service breaking then we can turn on the
> logging and track it down - but if things are working why not just leave
> it off?

Works for me.  I added a LOGGING variable to 04_log.py, and set it to False
by default.  We can flip this on later if we need it.

luke
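
Added example, not part of the original thread: if the LOG rules are switched back on to track down a broken service, as suggested above, the resulting `CONN=<state> ` lines can be reduced to counts per connection state, protocol and destination port. The log lines are constructed samples, and the function names `parse_drop` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel's iptables LOG format, carrying the
# "CONN=<state> " prefix from the USR_drop chain. Host name, timestamps and
# addresses (documentation ranges) are made up for this example.
SAMPLE_LOG = """\
Oct 17 12:00:01 proxy1 kernel: CONN=NEW IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 17 12:00:03 proxy1 kernel: CONN=NEW IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=9 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 17 12:00:04 proxy1 sshd[2201]: Accepted publickey for admin from 192.0.2.50 port 50022 ssh2
Oct 17 12:00:07 proxy1 kernel: CONN=INVALID IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Oct 17 12:00:09 proxy1 kernel: CONN=NEW IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=52 ID=4712 PROTO=UDP SPT=137 DPT=137 LEN=58
"""

# Match only kernel lines with the chain's prefix; the optional bracket group
# skips a kernel timestamp such as "[12345.678] " if the syslog adds one.
LINE_RE = re.compile(r"kernel: (?:\[[^\]]*\] )?CONN=(?P<state>[A-Z]+) (?P<fields>.*)$")
# KEY=VALUE pairs; the value may be empty (e.g. "OUT="). Bare flags such as
# "SYN" or "DF" carry no "=" and are skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_drop(line):
    """Return the fields of one dropped-packet log line as a dict, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["STATE"] = m.group("state")
    return rec


def summarize(text):
    """Count dropped packets per (conntrack state, protocol, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_drop(line)
        if rec is not None:
            # ICMP and other port-less protocols have no DPT field.
            counts[(rec["STATE"], rec.get("PROTO", "?"), rec.get("DPT", "-"))] += 1
    return counts


if __name__ == "__main__":
    for (state, proto, dpt), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {state:<12} {proto}/{dpt}")
```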