shorewall_code/Shorewall-docs/shorewall_logging.html
2002-12-29 18:23:07 +00:00

138 lines
5.9 KiB
HTML

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall Logging</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Logging</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
classifies log messages by a <i>facility</i> and a <i>priority</i> (using
the notation <i>facility.priority</i>). <br>
<br>
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
<i>local7</i>.<br>
<br>
Throughout the Shorewall documentation, I will use the term <i>level</i>
rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
The syslog documentation uses the term <i>priority</i>.<br>
<h3>Syslog Levels<br>
</h3>
Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level as
their value.<br>
<br>
Valid levels are:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
debug<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
info<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
notice<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
warning<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
err<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
crit<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
alert<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
emerg<br>
<br>
For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
log messages are generated by NetFilter and are logged using the <i>kern</i>
facility and the level that you specify. If you are unsure of the level
to choose, 6 (info) is a safe bet. You may specify levels by name or by
number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*) based
on their facility and level. The mapping of these facility/level pairs
to log files is done in /etc/syslog.conf (5). If you make changes to this
file, you must restart syslogd before the changes can take effect.<br>
<h3>Configuring a Separate Log for Shorewall Messages</h3>
There are a couple of limitations to syslogd-based logging:<br>
<ol>
<li>If you give, for example, kern.info it's own log destination then
that destination will also receive all kernel messages of levels 5 (notice)
through 0 (emerg).</li>
<li>All kernel.info messages will go to that destination and not just
those from NetFilter.<br>
</li>
</ol>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
support (and most vendor-supplied kernels do), you may also specify a log
level of ULOG (must be all caps). When ULOG is used, Shorewall will direct
netfilter to log the related messages via the ULOG target which will send
them to a process called 'ulogd'. The ulogd program is available from http://www.gnumonks.org/projects/ulogd
and can be configured to log all Shorewall message to their own log file.<br>
<br>
Download the ulod tar file and:<br>
<ol>
<li>cd /usr/local/src (or wherever you do your builds)</li>
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
<li>cd ulogd-<i>version</i><br>
</li>
<li>./configure</li>
<li>make</li>
<li>make install<br>
</li>
</ol>
If you are like me and don't have a development environment on your firewall,
you can do the first five steps on another system then either NFS mount
your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br>
<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
<ol>
<li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
<li>syslogsync 1</li>
</ol>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init to
/etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig
--level 3 ulogd on" starts ulogd during boot up. Your init system may need
something else done to activate the script.<br>
<br>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
that you wish to log to&gt;</i>. This tells the /sbin/shorewall program
where to look for the log when processing its "show log", "logwatch" and
"monitor" commands.<br>
<p><font size="2"> Updated 12/29/2002 - <a
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep</font></a></font><br>
</p>
<h2><br>
</h2>
</body>
</html>