20 April 2010

Logging Firewall messages to separate file

Categories: Server, Gentoo, Linux

How to log Linux iptables firewall related messages to a separate file.

If you have set up any iptables based firewall, you know that tracking down the information the firewall generates is not an easy task. Most likely the firewall will write to /var/log/messages or /var/log/syslog (depending on the distribution and configuration). On my computers (both servers and desktops) I use a very simple approach to have all the firewall information stored in a separate file. It is much easier to find the information I need and to watch firewall events live when they are stored in a separate file. This approach should work on any distribution and with any IPv4 iptables based firewall, but as I am a Gentoo user I will describe the steps a Gentoo Linux administrator has to perform to get a separate firewall log file.

To have a separate firewall log file we will use a special program named ulogd. The ulogd daemon is able to store the information in a separate file or even in a database, if you need it to. As I personally do not want to use any database I will skip that, but the configuration should be very similar; you will just need to create the database for it.

Before we install ulogd we need to make sure that our kernel configuration lets us use this logging program. You need the netfilter ULOG target module. You can check whether you have it with this simple command:

zcat /proc/config.gz | grep CONFIG_IP_NF_TARGET_ULOG

If you see "CONFIG_IP_NF_TARGET_ULOG=m" you are ready to go. If however you see "# CONFIG_IP_NF_TARGET_ULOG is not set", then you need to go to your kernel source directory and change the kernel configuration. If you are using menuconfig, go to Networking Support -> Networking Options -> Network packet filtering framework (Netfilter) -> IP: Netfilter Configuration, mark the appropriate option, save the changes and recompile your kernel. See the following screenshot.

[Screenshot: ULOG kernel configuration]

Once we are sure that we have ULOG target support in the kernel netfilter configuration we can install ulogd. In Gentoo we would do it this way:

emerge -av app-admin/ulogd

If you want to use a database, add the USE flag that corresponds to your database. For plain file logging no additional USE flags are necessary.

Now edit the ulogd configuration file in your favourite text editor to set up some options. For example:

nano /etc/ulogd.conf

To make ulogd log your firewall messages you need to enable the output plug-in for it (the same goes for databases; just look at the commented-out lines in the config file):

# output plug-ins.

Then go to the plugin section of the configuration file and provide the file path:


That is all the configuration you have to provide for file logging; for a database you would have to edit the database plug-in section to point to your database.

Now make sure that ulogd will start as a system service, and start it. In Gentoo we would do it this way:

rc-update add ulogd default
/etc/init.d/ulogd start

The last thing to do is to make our firewall talk to ulogd. Normally in your iptables configuration you would find lines like these:

# allow connections to ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j LOG --log-prefix "ACCEPT IP SSH: "
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

This way you log firewall events to syslog before accepting the connection. To use ulogd for logging, just change those lines to:

# allow connections to ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ULOG --ulog-prefix "ACCEPT SSH: "
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

Of course you can keep the syslog LOG target as well if you like, in case the ulogd daemon crashes. Having ulogd lets you observe what is going on in your firewall just by running a simple command:
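As an added example (not from the original post), the following shell function rewrites the LOG rules of an iptables-save style ruleset into ULOG rules, either replacing them or, to keep the syslog copy mentioned above, emitting the ULOG rule in front of each LOG rule. The sample ruleset is constructed; only --log-prefix has a ULOG equivalent, so LOG-only options such as --log-level are dropped.

```shell
# Added example, not part of the original post: convert "-j LOG" rules in an
# iptables-save style dump to "-j ULOG". Mode "replace" swaps the target,
# mode "both" prints the ULOG rule ahead of the original LOG rule, so syslog
# still receives the events if ulogd is down.
rewrite_log_rules() {
  awk -v mode="${1:-replace}" '
    /-j LOG / || /-j LOG$/ {
      u = $0
      sub(/-j LOG/, "-j ULOG", u)
      sub(/--log-prefix /, "--ulog-prefix ", u)
      # LOG-only options have no ULOG counterpart and would be rejected
      sub(/ --log-level [^ ]+/, "", u)
      gsub(/ --log-(tcp-sequence|tcp-options|ip-options|uid)/, "", u)
      print u
      if (mode == "both") print $0
      next
    }
    { print }
  '
}

# Constructed sample: the ssh rules from the post plus a logged catch-all DROP.
SAMPLE_RULES='# allow connections to ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j LOG --log-prefix "ACCEPT IP SSH: " --log-level 4
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "DROP INPUT: "
-A INPUT -j DROP'

# Convert the sample in the given mode; prints the rewritten ruleset.
convert_sample() {
  printf '%s\n' "$SAMPLE_RULES" | rewrite_log_rules "$1"
}

# Number of rules still using the LOG target (0 after a full replace).
remaining_log_rules() {
  convert_sample "$1" | awk '/-j LOG / || /-j LOG$/ { n++ } END { print n + 0 }'
}

convert_sample replace
```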

tail -f /var/log/firewall.log
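To get more out of the separate file than tail -f, here is an added example (again not from the original post) that summarizes a ulogd firewall log with awk: events per log prefix, and the source addresses that hit a given destination port under a given prefix. The log lines are constructed and assume the LOGEMU-style layout (timestamp, hostname, prefix, then the kernel-style KEY=VALUE fields); the exact layout on your system depends on the ulogd output plug-in you enabled.

```shell
# Added example, not part of the original post: summarize a ulogd firewall
# log. Assumes lines look like the kernel LOG format that ulogd's file output
# mimics: "Mon DD HH:MM:SS host PREFIX IN=... SRC=... DPT=...".

# Constructed sample log (MAC and several kernel fields omitted for brevity).
SAMPLE_LOG='Apr 20 10:01:02 gentoo ACCEPT SSH: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=22 SYN
Apr 20 10:01:03 gentoo DROP INPUT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TTL=50 PROTO=TCP SPT=5555 DPT=23 SYN
Apr 20 10:01:04 gentoo DROP INPUT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TTL=50 PROTO=TCP SPT=5556 DPT=23 SYN
Apr 20 10:01:05 gentoo DROP INPUT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=40 TTL=49 PROTO=TCP SPT=6000 DPT=23 SYN
Apr 20 10:01:06 gentoo ACCEPT SSH: IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=22 SYN
Apr 20 10:01:07 gentoo DROP INPUT: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=40 TTL=49 PROTO=TCP SPT=6001 DPT=445 SYN'

# Print "count prefix" for every log prefix, most frequent first.
count_by_prefix() {
  awk '{
    p = $0
    sub(/^[A-Za-z]+ +[0-9]+ [0-9:]+ [^ ]+ /, "", p)  # drop timestamp and host
    sub(/ *IN=.*$/, "", p)                           # keep only the prefix
    n[p]++
  }
  END { for (p in n) print n[p], p }' | sort -rn
}

# Print "count src" for each source address that hit destination port $1
# in lines carrying prefix $2 (e.g. "DROP INPUT:"), most frequent first.
sources_for_port() {
  awk -v port="$1" -v prefix="$2" '
    index($0, " " prefix " ") == 0 { next }
    {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (dpt == port && src != "") n[src]++
    }
    END { for (s in n) print n[s], s }' | sort -rn
}

# Run both summaries over the sample; each prints its report.
prefix_report() { printf '%s\n' "$SAMPLE_LOG" | count_by_prefix; }
telnet_probe_report() { printf '%s\n' "$SAMPLE_LOG" | sources_for_port 23 "DROP INPUT:"; }

prefix_report
telnet_probe_report
```

On a live system replace the sample with "tail -n 10000 /var/log/firewall.log | count_by_prefix" or similar.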

To keep this article complete I must add that you should also create a log rotation file to handle rotation of the firewall log. It may look, for example, like this:

/var/log/firewall.log {
    daily
    dateext
    olddir /var/log/old/firewall
    rotate 365
    missingok
    nocompress
    notifempty
    nocreate
    sharedscripts
    postrotate
        /etc/init.d/ulogd restart > /dev/null
    endscript
}

/var/log/ulog.log {
    daily
    nocreate
    dateext
    rotate 2
    olddir /var/log/old/ulog
    missingok
    notifempty
    nocompress
    sharedscripts
    postrotate
        /etc/init.d/ulogd restart > /dev/null
    endscript
}

More information can be found here.
