Advice and answers from the Dome9 Security Team

Dome9 Agent version 1.6 and above supports configuration of local logging policy. The following guide will help you configure Dome9 logging with the powerful syslog-ng daemon.

  1. Locate the syslog-ng.conf file, usually under /etc/syslog-ng/ and edit it.
  2. Add a destination file for iptables logs near the bottom of the file, just before the final include directive, by adding these 3 lines:
    destination iptables { file("/var/log/iptables"); };
    filter f_iptables { facility(kern) and match ("DOME9_" value("MESSAGE")); };
    log { source(s_src); filter(f_iptables); destination(iptables); };

    * note that s_src is your general source directive as defined in the syslog-ng.conf
  3. Filter out the iptables messages from messages, syslog and kern.log by locating their respective filter lines in the conf and appending "and not filter(f_iptables)" to each, as shown below for f_messages:
    filter f_messages { not facility(auth, authpriv, kern) and not filter(f_iptables); };
  4. Restart syslog-ng
    service syslog-ng restart
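Putting the steps together, here is a complete syslog-ng fragment as an added example (it is not part of the Dome9 article and not the agent's own configuration). It shows the destination, the filter, the log path, and all three exclusions rather than only the f_messages one. The source name s_src and the filter names f_messages, f_syslog and f_kern follow a typical Debian/Ubuntu syslog-ng.conf, but the filter bodies, the file ownership values and the destination names d_messages, d_syslog and d_kern are assumptions: adapt the existing definitions in your own file rather than pasting these over them.

```conf
# Added example, not the Dome9 article's own configuration. Routes kernel
# messages carrying the DOME9_ prefix to their own file and keeps them out of
# the general logs. Filter bodies and ownership values are assumptions.

# General source, normally already defined near the top of syslog-ng.conf.
source s_src {
    system();
    internal();
};

# Dedicated file for Dome9 iptables lines. owner/group/perm restrict the file
# to root and the adm group (assumed values; pick what fits your host).
# create_dirs(yes) avoids a startup failure if the directory is missing.
destination iptables {
    file("/var/log/iptables" owner("root") group("adm") perm(0640) create_dirs(yes));
};

# Only kernel-facility messages whose text contains the DOME9_ log prefix.
filter f_iptables { facility(kern) and match("DOME9_" value("MESSAGE")); };

# Existing filters, each extended with "and not filter(f_iptables)" so the
# same event is not written a second time to messages, syslog or kern.log.
filter f_messages { not facility(auth, authpriv, kern) and not filter(f_iptables); };
filter f_syslog   { not facility(auth, authpriv) and not filter(f_iptables); };
filter f_kern     { facility(kern) and not filter(f_iptables); };

# Destinations for the general logs (names are assumptions).
destination d_messages { file("/var/log/messages"); };
destination d_syslog   { file("/var/log/syslog"); };
destination d_kern     { file("/var/log/kern.log"); };

# Log paths. Ordering is not required because of the exclusions above, but
# listing the iptables path first keeps the intent readable.
log { source(s_src); filter(f_iptables); destination(iptables); };
log { source(s_src); filter(f_messages); destination(d_messages); };
log { source(s_src); filter(f_syslog);   destination(d_syslog);   };
log { source(s_src); filter(f_kern);     destination(d_kern);     };
```

Before restarting, run a syntax check with syslog-ng -s (the --syntax-only option) so a typo in the filter does not leave the host without logging. After the restart, confirm that a new Dome9 iptables event appears in /var/log/iptables and no longer appears in /var/log/kern.log. Because this file grows with every logged packet, also give it a logrotate entry; the general log files are rotated already, but the new one is not.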