Logwatch is a great program, used by sysadmins everywhere. As part of it’s output, it shows any packets logged by iptables.
I have iptables set to log dropped packets, as it makes it FAR easier to debug server access issues. However, logwatch on RHEL/CentOS (and possibly other distributions) likes to report a nice big list of every single access attempt. As an example:
Logged 152 packets on interface eth2 From 8.31.57.109 - 1 packet to udp(1026) From 10.128.75.2 - 1 packet to udp(1434) From 21.197.212.79 - 1 packet to udp(1026) From 24.64.176.243 - 3 packets to udp(1026,1027,1028) From 24.64.178.77 - 3 packets to udp(1026,1027,1028)
This can get annoying if you have lots of packets dropped (eg: junk coming off my cable modem), as you have to scroll down 5 pages of log.
If you want to turn off this long list, and just see “Logged 152 packets on interface eth2”, you can make a minor tweak to the logwatch script to do this.
CentOS 4
Open the file “/etc/log.d/scripts/services/kernel”, and turn line 250 (or the line near there) into a comment by adding a # in front of it. Eg:
Line 250: # print $outputMain;
CentOS 5
Open the file “/usr/share/logwatch/scripts/services/iptables”, and change line 217 (or the one near there) into a comment by adding a # in front of it. Eg:
Line 217: # print $outputMain;
Other?
Using another distribution? See if either of the above applies for you, otherwise just look around for either a kernel or iptables service in the logwatch scripts directory. Use your package manager to help find where the files are. :-)
