[Novalug] Fwd: logging process associated with a connection

shawn wilson ag4ve.us@gmail.com
Mon Mar 10 03:21:00 EDT 2014


I sent this to the netfilter (iptables) list a few days ago and haven't had
a reply. Anyone here have any suggestions?
---------- Forwarded message ----------
From: "shawn wilson" <ag4ve.us@gmail.com>
Date: Mar 7, 2014 4:54 PM
Subject: logging process associated with a connection
To: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Cc:

What I ideally want is to log the cmdline associated with an outbound
packet. However, I'm open to suggestions.

What I have is:
Mar  7 16:30:25 name kernel: [618790.917928] FW: output REJECT IN=
OUT=eth1 SRC=1.2.3.4 DST=5.6.7.8 LEN=94 TOS=0x00 PREC=0x00 TTL=64
ID=56030 DF PROTO=UDP SPT=55207 DPT=514 LEN=74
(as one example - I can break out tshark and probably figure out what
it is, but I want something more in my logs)

I see this about auditd:
http://serverfault.com/questions/192893/how-i-can-identify-which-process-is-making-udp-traffic-on-linux
Specifically: # auditctl -a exit,always -F arch=b64 -F a0=2 -F a1=2 -S socket -k SOCKET
Which isn't telling me what I want to know (or really, doesn't seem to
be reporting for each log I'm getting from ipt). Besides, if I've
already got an ipt LOG, why should I be using another tool for similar
info - this seems wasteful?
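One way to get from an iptables LOG line to the process behind it, added here as an example and not code from the post or from the netfilter or audit projects: parse the KEY=VALUE fields out of the LOG line, find the socket bound to SRC:SPT in /proc/net/udp (or /proc/net/tcp), and map that socket's inode to a pid through the /proc/<pid>/fd symlinks, which is the same lookup `ss -p` does. The LOG line is the one quoted above; the /proc/net/udp row (inode 98765, uid 1000), the pid 4242 and the rsyslogd command line in the offline run are constructed for the example. The hex-address decoding assumes a little-endian host (x86, arm64), which is what /proc prints in host byte order.

```python
import os
import re
import socket
import struct

# Constructed sample input: the iptables LOG line quoted in the post.
SAMPLE_LOG = (
    "Mar  7 16:30:25 name kernel: [618790.917928] FW: output REJECT IN= "
    "OUT=eth1 SRC=1.2.3.4 DST=5.6.7.8 LEN=94 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=56030 DF PROTO=UDP SPT=55207 DPT=514 LEN=74"
)

# Constructed /proc/net/udp excerpt: one socket bound to 1.2.3.4:55207 (inode 98765 and
# uid 1000 are made up). Addresses are hex in host byte order, ports hex in network order.
SAMPLE_UDP_TABLE = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt"
    "   uid  timeout inode ref pointer drops\n"
    "   4: 04030201:D7A7 00000000:0000 07 00000000:00000000 00:00000000 00000000"
    "  1000        0 98765 2 ffff88003a1b2c00 0\n"
)

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")      # KEY=VALUE; bare flags like DF carry no '='
SOCKET_LINK_RE = re.compile(r"socket:\[(\d+)\]")  # target of /proc/<pid>/fd/N for a socket
PROTO_TABLE = {"UDP": "udp", "TCP": "tcp"}


def parse_ipt_log(line):
    """Return the KEY=VALUE fields of an iptables LOG line as a dict.
    LEN appears twice (IP total length, then UDP/TCP length); the first one is kept."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    return fields


def hex_to_ipv4(h):
    """Decode a /proc/net/{udp,tcp} address (32-bit hex, host byte order).
    Assumes a little-endian host, so 1.2.3.4 is printed as 04030201."""
    return socket.inet_ntoa(struct.pack("<I", int(h, 16)))


def find_local_socket(fields, table_text):
    """Find the socket whose local address matches SRC:SPT of the LOG line.
    A socket bound to the wildcard address 0.0.0.0 also matches, since it can send from SRC.
    Returns None when nothing is bound there any more (short-lived UDP senders close fast)."""
    want_port = int(fields["SPT"])
    for row in table_text.splitlines():
        cols = row.split()
        if len(cols) < 10 or ":" not in cols[1]:   # header line or malformed row
            continue
        addr_hex, port_hex = cols[1].split(":")
        local_addr = hex_to_ipv4(addr_hex)
        if int(port_hex, 16) != want_port or local_addr not in (fields["SRC"], "0.0.0.0"):
            continue
        raddr_hex, rport_hex = cols[2].split(":")
        return {
            "local": (local_addr, want_port),
            "remote": (hex_to_ipv4(raddr_hex), int(rport_hex, 16)),
            "state": cols[3],
            "uid": int(cols[7]),
            "inode": int(cols[9]),
        }
    return None


def build_inode_index(proc="/proc"):
    """Map socket inode -> pid by reading every /proc/<pid>/fd symlink (root sees all pids)."""
    index = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:           # process gone, or not ours and we are not root
            continue
        for fd in fds:
            try:
                m = SOCKET_LINK_RE.match(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
            if m:
                index[int(m.group(1))] = int(pid)
    return index


def cmdline_of(pid, proc="/proc"):
    """Return the NUL-separated /proc/<pid>/cmdline as an argv list."""
    with open(os.path.join(proc, str(pid), "cmdline"), "rb") as f:
        return [a.decode(errors="replace") for a in f.read().split(b"\0") if a]


def attribute(line, table_text, inode_index, cmdline_fn):
    """Tie a LOG line to uid, pid and cmdline; None if the local socket no longer exists."""
    fields = parse_ipt_log(line)
    sock = find_local_socket(fields, table_text)
    if sock is None:
        return None
    pid = inode_index.get(sock["inode"])
    return {
        "flow": "%s:%s -> %s:%s/%s" % (fields["SRC"], fields["SPT"], fields["DST"], fields["DPT"], fields["PROTO"]),
        "uid": sock["uid"], "inode": sock["inode"], "pid": pid,
        "cmdline": cmdline_fn(pid) if pid is not None else None,
    }


if __name__ == "__main__":
    # Live run against this host's /proc for the sample line (needs root for other users' pids).
    fields = parse_ipt_log(SAMPLE_LOG)
    with open("/proc/net/" + PROTO_TABLE[fields["PROTO"]]) as f:
        live_table = f.read()
    print(attribute(SAMPLE_LOG, live_table, build_inode_index(), cmdline_of)
          or "no socket bound to %s:%s any more" % (fields["SRC"], fields["SPT"]))
```

The main caveat is timing: the LOG line is written when the packet is sent, and a one-shot UDP sender (a logger invocation, a resolver query) has usually closed its socket before anyone reads /proc/net/udp, in which case `find_local_socket` correctly returns None rather than blaming whatever later reused the port. Running the lookup from a process that tails the kernel log narrows that window but does not close it; only a hook at socket or sendto time, which is what the audit rule in the post is reaching for, sees every sender. The uid column, unlike the pid, is always recoverable while the socket exists and needs no /proc/<pid>/fd scan.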