=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
TESTING YOUR INSTALLATION:

The psad installer does its best to reconfigure your syslog daemon to write
all kern.info messages (or higher) to the /var/lib/psad/psadfifo named pipe
for analysis.  However, in order to test whether your installation is working
or not, you can do the following as root:

  $ iptables -I INPUT -i lo -p tcp --dport 3003 -j LOG --log-prefix "Inbound "
  $ telnet localhost 3003

Assuming that psad is running, this should generate in /var/log/psad/fwdata
something similar to:

  Jun 15 23:37:33 <your_hostname> kernel: Inbound IN=lo OUT=
  MAC=<mac_addresses> SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00
  TTL=64 ID=47312 DF PROTO=TCP SPT=40945 DPT=3003 WINDOW=32767 RES=0x00 SYN
  URGP=0

Also, executing "psad --Status" should display (among other things) something
like:

    Iptables prefix counters:
        "Inbound": 1


If the /var/log/psad/fwdata file is empty but you are getting messages in the
system log (for example when you type "dmesg" or in /var/log/messages), then
you should make sure that psad has the fifo open:

  $ lsof | grep psadfifo

You should get something along the lines of:

  syslogd     942   root   20u   FIFO  3,5   544097 /var/lib/psad/psadfifo
  kmsgsd    25457   root    0u   FIFO  3,5   544097 /var/lib/psad/psadfifo

The main requirement is that Netfilter logs are getting logged via kern.info
(or at a higher priority such as "warn") by syslog.  The default for the
Netfilter LOG target is log Netfilter messages at the "warn" priority, but
this can be changed with the --log-level option.  For example, to have
Netfilter generate logs at the "info" priority in the INPUT chain, the
following command could be used:

# iptables -A INPUT -j LOG --log-level info

This may help cut down on Netfilter logs being sent to the console if your
syslog.conf instructs syslog to log kernel messages at a "warn" level or
higher to the console device.