Logging Firewall messages to separate file
How to log Linux iptables firewall related messages to a separate file.
If you have set up any iptables-based firewall, you know that tracking down the information the firewall generates is not an easy task. Most likely the firewall writes to /var/log/messages or /var/log/syslog (depending on distribution and configuration). On my computers (both servers and desktops) I use a very simple approach to keep all firewall information in a separate file. It is much easier to find the information I need and to watch firewall events live when they are stored in a separate file. This approach should work on any distribution and with any iptables IPv4-based firewall, but as I am a Gentoo user I will describe the steps a Gentoo Linux administrator has to perform to get a separate firewall log file.
To get a separate firewall log file we will use a special program named ulogd. The ulog daemon is able to store the information in a separate file or even in a database if you need that. As I personally don't want to use any database I will skip it, but the configuration should be very similar; you will just need to create the database for it.
Before we install ulogd, we need to make sure that our kernel configuration lets us use this logging program. You need the netfilter ULOG target module. You can check whether you have it with this simple command:
zcat /proc/config.gz | grep CONFIG_IP_NF_TARGET_ULOG
If you see "CONFIG_IP_NF_TARGET_ULOG=m" (or "=y", built into the kernel) you are ready to go. If, however, you see "# CONFIG_IP_NF_TARGET_ULOG is not set", then you need to enter your kernel source directory and change the kernel configuration. If you are using menuconfig, go to Networking Support -> Networking Options -> Network packet filtering framework (Netfilter) -> IP: Netfilter Configuration, mark the appropriate option, save the changes and recompile your kernel. See the following screenshot.
Once we are sure that we have ULOG target support in the kernel netfilter configuration, we can install ulogd. In Gentoo we would do it this way:
emerge -av app-admin/ulogd
If you want to use a database, add the USE flag that corresponds to your database name. For plain file logging no additional USE flags are necessary.
Now edit the ulogd configuration file in your favourite text editor to set up some options. For example:
nano /etc/ulogd.conf
To make ulogd log your firewall messages, you need to enable the output plug-in for it (the same goes for databases; just look at the commented-out lines in the config file):
# output plug-ins.
plugin="/usr/lib/ulogd/ulogd_LOGEMU.so"
Then go to the plug-in section of the configuration file and provide the file path:
[LOGEMU]
file="/var/log/firewall.log"
sync=1
That is all the configuration you have to provide for file logging; for a database, you would have to edit the database plug-in section to point to your database.
Now make sure that ulogd will start as a system service, and start it. In Gentoo we would do it this way:
rc-update add ulogd default
/etc/init.d/ulogd start
The last thing to do is to make our firewall talk to ulogd. Normally in your iptables configuration you would find lines like these:
# allow connections to ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j LOG --log-prefix "ACCEPT IP SSH: "
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
This way you log firewall events to syslog before accepting the connection; to use ulogd for logging instead, just change those lines to:
# allow connections to ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ULOG --ulog-prefix "ACCEPT SSH: "
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Of course you can keep the LOG target as well if you like, in case the ulogd daemon crashes. Having ulog lets you observe what is going on in your firewall just by running a simple command:
tail -f /var/log/firewall.log
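Beyond tailing the file, a separate log makes quick summaries easy. The following is an added example, not part of the original article: it assumes ulogd's LOGEMU plug-in writes one line per packet in the kernel LOG format (timestamp, host, the --ulog-prefix string, then IN=, SRC=, DST=, PROTO=, DPT= fields) and uses constructed sample lines in place of /var/log/firewall.log.

```shell
#!/bin/sh
# Added example (not from the article): summarise a ulogd LOGEMU firewall log
# by rule prefix, source address and destination port.
# Assumption: each line looks like
#   Mar  1 10:00:01 gw DROP INPUT: IN=eth0 OUT= SRC=... DST=... PROTO=TCP SPT=... DPT=...
# where "DROP INPUT: " is the string given to --ulog-prefix.

# Constructed sample lines standing in for /var/log/firewall.log
SAMPLE_LOG='Mar  1 10:00:01 gw ACCEPT SSH: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=22 SYN
Mar  1 10:00:02 gw ACCEPT SSH: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=22 SYN
Mar  1 10:00:03 gw DROP INPUT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TTL=50 PROTO=TCP SPT=55555 DPT=23 SYN
Mar  1 10:00:04 gw DROP INPUT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TTL=50 PROTO=TCP SPT=55556 DPT=445 SYN
Mar  1 10:00:05 gw DROP INPUT: IN=eth0 OUT= SRC=203.0.113.8 DST=198.51.100.5 LEN=60 TTL=55 PROTO=UDP SPT=5353 DPT=5353'

# Count packets logged under one --ulog-prefix ($2) in the log text ($1).
# The prefix is matched together with the "IN=" field that always follows it.
count_prefix() {
    printf '%s\n' "$1" | grep -c " $2: IN=" || true
}

# Print "count source" pairs for one prefix, most frequent source first.
top_sources() {
    printf '%s\n' "$1" | grep " $2: IN=" | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print the distinct destination ports hit under one prefix, numerically sorted.
dst_ports() {
    printf '%s\n' "$1" | grep " $2: IN=" | sed -n 's/.*DPT=\([0-9]*\).*/\1/p' \
        | sort -n | uniq
}

# Report per prefix; on a real system pass "$(cat /var/log/firewall.log)" instead.
for p in "ACCEPT SSH" "DROP INPUT"; do
    echo "$p: $(count_prefix "$SAMPLE_LOG" "$p") packets, ports $(dst_ports "$SAMPLE_LOG" "$p" | tr '\n' ' ')"
    top_sources "$SAMPLE_LOG" "$p" | sed 's/^/  /'
done
```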
To keep this article complete I must add that you should also create a log rotation configuration to handle rotation of the firewall log. It may look, for example, like this:
/var/log/firewall.log {
    daily
    dateext
    olddir /var/log/old/firewall
    rotate 365
    missingok
    nocompress
    notifempty
    nocreate
    sharedscripts
    postrotate
        /etc/init.d/ulogd restart > /dev/null
    endscript
}

/var/log/ulog.log {
    daily
    nocreate
    dateext
    rotate 2
    olddir /var/log/old/ulog
    missingok
    notifempty
    nocompress
    sharedscripts
    postrotate
        /etc/init.d/ulogd restart > /dev/null
    endscript
}
You will find more information here.
GNU Free Documentation License or Creative Commons Share Alike