<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Shorewall Logging</title> <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"> <meta name="author" content="Tom Eastep"> </head> <body> <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse;" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> <tbody> <tr> <td width="100%"> <h1 align="center"><font color="#ffffff">Logging</font></h1> </td> </tr> </tbody> </table> <br> By default, Shorewall directs NetFilter to log using syslog (8). Syslog classifies log messages by a <i>facility</i> and a <i>priority</i> (using the notation <i>facility.priority</i>). <br> <br> The facilities defined by syslog are <i>auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through <i>local7</i>.<br> <br> Throughout the Shorewall documentation, I will use the term <i>level</i> rather than <i>priority</i> since <i>level</i> is the term used by NetFilter. The syslog documentation uses the term <i>priority</i>.<br> <h3>Syslog Levels</h3> Syslog levels are a method of describing to syslog (8) the importance of a message, and a number of Shorewall parameters have a syslog level as their value.<br> <br> Valid levels are:<br> <br> 7 debug<br> 6 info<br> 5 notice<br> 4 warning<br> 3 err<br> 2 crit<br> 1 alert<br> 0 emerg<br> <br> For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall log messages are generated by NetFilter and are logged using the <i>kern</i> facility and the level that you specify. If you are unsure of the level to choose, 6 (info) is a safe bet. You may specify levels by name or by number.<br> <br> Syslogd writes log messages to files (typically in /var/log/*) based on their facility and level. The mapping of these facility/level pairs to log files is done in /etc/syslog.conf (5).
If you make changes to this file, you must restart syslogd before the changes can take effect.<br> <h3>Configuring a Separate Log for Shorewall Messages</h3> There are a couple of limitations to syslogd-based logging:<br> <ol> <li>If you give, for example, kern.info its own log destination, then that destination will also receive all kernel messages of levels 5 (notice) through 0 (emerg).</li> <li>All kern.info messages will go to that destination, not just those from NetFilter.<br> </li> </ol> Beginning with Shorewall version 1.3.12, if your kernel has ULOG target support (and most vendor-supplied kernels do), you may also specify a log level of ULOG (must be all caps). When ULOG is used, Shorewall will direct NetFilter to log the related messages via the ULOG target, which will send them to a process called 'ulogd'. The ulogd program is available from http://www.gnumonks.org/projects/ulogd and can be configured to log all Shorewall messages to their own log file.<br> <br> <b>Note: </b>The ULOG logging mechanism is <u>completely separate</u> from syslog.
Once you switch to ULOG, the settings in /etc/syslog.conf have absolutely no effect on your Shorewall logging (except for Shorewall status messages, which still go to syslog).<br> <br> You will need to have the kernel source available to compile ulogd.<br> <br> Download the ulogd tar file and:<br> <ol> <li>Be sure that /usr/src/linux is linked to your kernel source tree<br> </li> <li>cd /usr/local/src (or wherever you do your builds)</li> <li>tar -zxf <i>source-tarball-that-you-downloaded</i></li> <li>cd ulogd-<i>version</i><br> </li> <li>./configure</li> <li>make</li> <li>make install<br> </li> </ol> If you are like me and don't have a development environment on your firewall, you can do the first six steps on another system, then either NFS mount your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i> directory and move it to your firewall system.<br> <br> Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br> <ol> <li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li> <li>syslogsync 1</li> </ol> I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init to /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd" to read "daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init system may need something else done to activate the script.<br> <br> You will need to change all instances of log levels (usually 'info') in your configuration files to 'ULOG' - this includes entries in the policy, rules and shorewall.conf files.
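Any entry left at a syslog level keeps sending its messages to syslog instead of ulogd, so it is worth checking the three files before restarting. The script below is an added example, not part of Shorewall; it assumes the file layout described on this page (policy column 4 is the log level, rules use ACTION:level, shorewall.conf settings are named *_LOG_LEVEL) and runs against a constructed sample configuration.<br>

```shell
#!/bin/sh
# Added example, not part of Shorewall: list log-level settings that are still
# at a syslog level (info, notice, ...) instead of ULOG, since any such entry
# keeps logging through syslog rather than ulogd.
# Assumed layout (from the page): policy column 4 = LOG LEVEL, rules column 1
# = ACTION or ACTION:level, shorewall.conf settings named *_LOG_LEVEL=value.

# Usage: report_non_ulog_levels /etc/shorewall
# Prints "file:level" per offending setting; returns 0 only if none found.
report_non_ulog_levels() {
    dir="$1"
    count=0
    # policy: 4th column is the level; missing or "-" means no logging
    if [ -f "$dir/policy" ]; then
        for lvl in $(sed 's/#.*//' "$dir/policy" |
                     awk 'NF >= 4 && $4 != "-" { print $4 }'); do
            [ "$lvl" = "ULOG" ] || { echo "policy:$lvl"; count=$((count + 1)); }
        done
    fi
    # rules: level is appended to the ACTION as ACTION:level
    if [ -f "$dir/rules" ]; then
        for lvl in $(sed 's/#.*//' "$dir/rules" |
                     awk '$1 ~ /:/ { split($1, a, ":"); print a[2] }'); do
            [ "$lvl" = "ULOG" ] || { echo "rules:$lvl"; count=$((count + 1)); }
        done
    fi
    # shorewall.conf: *_LOG_LEVEL=value, value may be quoted or empty
    if [ -f "$dir/shorewall.conf" ]; then
        for lvl in $(sed 's/#.*//' "$dir/shorewall.conf" |
                     sed -n 's/^[A-Z0-9_]*_LOG_LEVEL=//p' | tr -d '"'); do
            [ "$lvl" = "ULOG" ] || { echo "shorewall.conf:$lvl"; count=$((count + 1)); }
        done
    fi
    [ "$count" -eq 0 ]
}

# Constructed sample configuration (not a real installation) for a dry run.
write_sample_config() {
    mkdir -p "$1"
    printf 'loc fw REJECT ULOG\nnet all DROP info 10/sec:40\nall all REJECT ULOG\n' > "$1/policy"
    printf 'REJECT:ULOG loc net tcp 6667\nACCEPT loc net tcp 80\nDROP:info net loc tcp 23\n' > "$1/rules"
    printf 'TCP_FLAGS_LOG_LEVEL=ULOG\nRFC1918_LOG_LEVEL="info"\nLOGFILE=/var/log/shorewall\n' > "$1/shorewall.conf"
}

sample="${TMPDIR:-/tmp}/shorewall-sample.$$"
write_sample_config "$sample"
report_non_ulog_levels "$sample" || echo "some log levels are not ULOG"
rm -rf "$sample"
```

Run it with your real directory as the argument; an exit status of 1 means at least one level still points at syslog.<br>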
Here's what I have:<br> <pre> [root@gateway shorewall]# grep ULOG *<br> policy:loc fw REJECT ULOG<br> policy:net all DROP ULOG 10/sec:40<br> policy:all all REJECT ULOG<br> rules:REJECT:ULOG loc net tcp 6667<br> shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br> shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br> [root@gateway shorewall]#<br></pre> Finally, edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file that you wish to log to&gt;</i>. This tells the /sbin/shorewall program where to look for the log when processing its "show log", "logwatch" and "monitor" commands.<br> <p><font size="2"> Updated 1/11/2003 - <a href="support.htm">Tom Eastep</a> </font></p> <p><a href="copyright.htm"><font size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br> </p> </body> </html>