shorewall_code/STABLE/documentation/shorewall_logging.html
teastep dbfc838988 Shorewall 1.4.8
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@789 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-11-17 21:06:32 +00:00

181 lines
8.2 KiB
HTML
Executable File

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall Logging</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<h1 style="text-align: center;">Logging</h1>
<h2>How to Log Traffic through a Shorewall Firewall</h2>
The disposition of packets entering a Shorewall firewall&nbsp; is
determined by one of a number of Shorewall facilities. Only some of
these facilities permit logging.<br>
<ol>
<li>The packet is part of an established connection. The packet is
accepted and cannot be logged.</li>
<li>The packet represents a connection request that is related to an
established connection (such as a <a href="FTP.html">data connection
associated with an FTP control connection</a>).&nbsp; These packets
also cannot be logged.</li>
<li>The packet is rejected because of an option in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a> or <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
These packets can be logged by setting the appropriate logging-related
option in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The packet matches a rule in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.
By including a syslog level (see below) in the ACTION column of a rule
(e.g., "ACCEPT<span
style="font-weight: bold; text-decoration: underline;">:info</span>
net fw tcp 22"), the connection attempt will be logged at that level.</li>
<li>The packet doesn't match a rule so is handled by a policy defined
in <a href="Documentation.htm#Policy">/etc/shorewall/policy</a>. These
may be logged by specifying a syslog level in the LOG LEVEL column of
the policy entry (e.g., "loc net ACCEPT <span
style="font-weight: bold; text-decoration: underline;">info</span>"<br>
</li>
</ol>
<h2>Where the Traffic is logged and how to Change the Destination<br>
</h2>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
classifies log messages by a <i>facility</i> and a <i>priority</i>
(using the notation <i>facility.priority</i>). <br>
<br>
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i>
through <i>local7</i>.<br>
<br>
Throughout the Shorewall documentation, I will use the term <i>level</i>
rather than <i>priority</i> since <i>level</i> is the term used by
NetFilter. The syslog documentation uses the term <i>priority</i>.<br>
<h3>Syslog Levels<br>
</h3>
Syslog levels are a method of describing to syslog (8) the importance
of a message and a number of Shorewall parameters have a syslog level
as their value.<br>
<br>
Valid levels are:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">debug</span>
(Debug-level messages)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">info</span>
(Informational)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">notice</span>
(Normal but significant Condition)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span style="font-weight: bold;">
warning</span> (Warning Conditions)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">err</span>
(Error Conditions)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">crit</span>
(Critical Conditions)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">alert</span>
(Must be handled immediately)<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style="font-weight: bold;">emerg</span>
(System is unusable)<br>
<br>
For most Shorewall logging, a level of 6 (info) is appropriate.
Shorewall log messages are generated by NetFilter and are logged using
the <i>kern</i> facility and the level that you specify. If you are
unsure of the level to choose, 6 (info) is a safe bet. You may specify
levels by name or by number.<br>
<br>
Syslogd writes log messages to files (typically in /var/log/*)
based on their facility and level. The mapping of these facility/level
pairs to log files is done in /etc/syslog.conf (5). If you make changes
to this file, you must restart syslogd before the changes can take
effect.<br>
<h3>Configuring a Separate Log for Shorewall Messages</h3>
There are a couple of limitations to syslogd-based logging:<br>
<ol>
<li>If you give, for example, kern.info it's own log destination then
that destination will also receive all kernel messages of levels 5
(notice) through 0 (emerg).</li>
<li>All kernel.info messages will go to that destination and not just
those from NetFilter.<br>
</li>
</ol>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
support (and most vendor-supplied kernels do), you may also specify a
log level of ULOG (must be all caps). When ULOG is used, Shorewall will
direct netfilter to log the related messages via the ULOG target which
will send them to a process called 'ulogd'. The ulogd program is
available from http://www.gnumonks.org/projects/ulogd and can be
configured to log all Shorewall message to their own log file.<br>
<br>
<b>Note: </b>The ULOG logging mechanism is <u>completely separate</u>
from syslog. Once you switch to ULOG, the settings in /etc/syslog.conf
have
absolutely no effect on your Shorewall logging (except for Shorewall
status
messages which still go to syslog).<br>
<br>
You will need to have the kernel source available to compile ulogd.<br>
<br>
Download the ulod tar file and:<br>
<ol>
<li>Be sure that /usr/src/linux is linked to your kernel source tree<br>
</li>
<li>cd /usr/local/src (or wherever you do your builds)</li>
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
<li>cd ulogd-<i>version</i><br>
</li>
<li>./configure</li>
<li>make</li>
<li>make install<br>
</li>
</ol>
If you are like me and don't have a development environment on your
firewall, you can do the first six steps on another system then either
NFS
mount your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br>
<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
<ol>
<li>syslogfile <i>&lt;file that you wish to log to&gt;</i></li>
<li>syslogsync 1</li>
</ol>
Also on the firewall system:<br>
<blockquote>touch &lt;<i>file that you wish to log to</i>&gt;<br>
</blockquote>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init
to /etc/init.d/ulogd. I had to edit the line that read "daemon
/usr/local/sbin/ulogd" to read daemon /usr/local/sbin/ulogd -d". On a
RedHat system, a simple
"chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init
system
may need something else done to activate the script.<br>
<br>
You will need to change all instances of log levels (usually 'info') in
your configuration files to 'ULOG' - this includes entries in the
policy, rules and shorewall.conf files. Here's what I have:<br>
<pre> [root@gateway shorewall]# grep ULOG *<br> policy:loc&nbsp; fw&nbsp;&nbsp; REJECT&nbsp; ULOG<br> policy:net&nbsp; all&nbsp; DROP&nbsp;&nbsp;&nbsp; ULOG&nbsp;&nbsp;&nbsp;10/sec:40<br> policy:all&nbsp; all&nbsp; REJECT&nbsp; ULOG<br> rules:REJECT:ULOG loc net tcp 6667<br> shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br> shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br> [root@gateway shorewall]#<br></pre>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
that you wish to log to&gt;</i>. This tells the /sbin/shorewall program
where to look for the log when processing its "show log", "logwatch"
and
"monitor" commands.<br>
<h2>Syslog-ng</h2>
<a
href="http://marc.theaimsgroup.com/?l=gentoo-security&amp;m=106040714910563&amp;w=2">Here</a>
is a post describing configuring syslog-ng to work with Shorewall.<br>
<p><font size="2"> Updated 10/30/2003 - <a href="support.htm">Tom
Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
</p>
<br>
<br>
</body>
</html>