> You can use the following entries in your syslog-ng.conf to log firewall
> messages to a separate file from the normal kernel output.
>
> # source kernsrc { file("/proc/kmsg"); };
> # destination kern { file("/var/log/kern.log"); };
> # destination firewall { file("/var/log/firewall.log"); };
> # filter f_firewall { match("firewall"); };
> # filter f_kern { facility(kern) and not filter(f_firewall);};
> # log { source(kernsrc); filter(f_kern); destination(kern); };
> # log { source(kernsrc); filter(f_firewall); destination(firewall); };
>
>

Just wanted to say thank you for the input. You gave me a great idea: I used
the --log-prefix field in iptables to give each log a unique flag (in my case
it's "IPT", i.e. --log-prefix "IPT New SSH on eth0").

Then I filtered in syslog-ng on "IPT" and forwarded it to /var/log/firewall.log.

JohnF

-- 
gentoo-security@gentoo.org mailing list
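The prefix-tagging approach from the thread, worked through as an added example (this is not code from either poster). It shows the iptables LOG rule that stamps the "IPT " tag, the syslog-ng fragment that routes tagged messages to their own file, and a shell mirror of the two filters run over constructed kernel messages. The interface, port, file paths and sample lines are assumptions; the filter anchors on `^IPT ` rather than matching the bare word anywhere in the line, so an unrelated kernel message that happens to contain "IPT" stays in kern.log (on syslog-ng 3.x, pass `value("MESSAGE")` to match() so the anchor applies to the message body rather than the whole log line). The iptables rule is only printed, since applying it needs root and a live netfilter; the LOG target caps --log-prefix at 29 characters, which the check below enforces.

```shell
#!/bin/sh
# Added example: tag firewall log lines with an iptables --log-prefix and
# split them off in syslog-ng. Prefix, interface, port and paths are assumptions.

LOG_PREFIX="IPT "   # trailing space keeps the tag separate from the kernel's IN=/OUT= fields

# iptables LOG only honours the first 29 characters of --log-prefix; longer
# prefixes are silently truncated, which can break the filter below.
check_log_prefix() {
    [ "$(printf '%s' "$1" | wc -c)" -le 29 ]
}

# The iptables rule as it would be typed (printed, not executed: needs root).
iptables_log_rule() {
    prefix="${LOG_PREFIX}New SSH on eth0 "
    check_log_prefix "$prefix" || { echo "prefix too long" >&2; return 1; }
    printf 'iptables -A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW -j LOG --log-prefix "%s" --log-level info\n' "$prefix"
}

# syslog-ng fragment in the same style as the quoted config, with the match
# anchored at the start of the message instead of matching "IPT" anywhere.
syslog_ng_fragment() {
cat <<'EOF'
source kernsrc { file("/proc/kmsg"); };
destination kern { file("/var/log/kern.log"); };
destination firewall { file("/var/log/firewall.log"); };
filter f_firewall { match("^IPT "); };
filter f_kern { facility(kern) and not filter(f_firewall); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(kernsrc); filter(f_firewall); destination(firewall); };
EOF
}

# Shell mirror of f_firewall / f_kern: prints the destination a message takes.
route_kernel_line() {
    case "$1" in
        "${LOG_PREFIX}"*) echo firewall ;;
        *) echo kern ;;
    esac
}

# Constructed sample messages (not real captures) as the kernel hands them to syslog-ng.
SAMPLE_FIREWALL='IPT New SSH on eth0 IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=51234 DPT=22 SYN'
SAMPLE_KERNEL='eth0: link up, 1000Mbps, full-duplex'
SAMPLE_DECOY='sd 0:0:0:0: [sda] IPT appears mid-message but this is not a firewall event'

# Stand-alone run: show the rule, the config, and where each sample lands.
iptables_log_rule
syslog_ng_fragment
for line in "$SAMPLE_FIREWALL" "$SAMPLE_KERNEL" "$SAMPLE_DECOY"; do
    printf '%-8s <- %s\n' "$(route_kernel_line "$line")" "$line"
done
```

Tail /var/log/firewall.log after applying the rule and reloading syslog-ng to confirm that only the tagged lines arrive there; if they still land in kern.log, the usual cause is a prefix longer than 29 characters or a match() that is not applied to the message body.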
