forked from extern/shorewall_code
138 lines
5.9 KiB
HTML
138 lines
5.9 KiB
HTML
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||
|
|
<html>
|
||
|
|
<head>
|
||
|
|
<title>Shorewall Logging</title>
|
||
|
|
<meta http-equiv="content-type"
|
||
|
|
content="text/html; charset=ISO-8859-1">
|
||
|
|
<meta name="author" content="Tom Eastep">
|
||
|
|
</head>
|
||
|
|
<body>
|
||
|
|
<table border="0" cellpadding="0" cellspacing="0"
|
||
|
|
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||
|
|
id="AutoNumber1" bgcolor="#400169" height="90">
|
||
|
|
<tbody>
|
||
|
|
<tr>
|
||
|
|
<td width="100%">
|
||
|
|
|
||
|
|
<h1 align="center"><font color="#ffffff">Logging</font></h1>
|
||
|
|
</td>
|
||
|
|
</tr>
|
||
|
|
|
||
|
|
</tbody>
|
||
|
|
</table>
|
||
|
|
<br>
|
||
|
|
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
|
||
|
|
classifies log messages by a <i>facility</i> and a <i>priority</i> (using
|
||
|
|
the notation <i>facility.priority</i>). <br>
|
||
|
|
<br>
|
||
|
|
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
|
||
|
|
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
|
||
|
|
<i>local7</i>.<br>
|
||
|
|
<br>
|
||
|
|
Throughout the Shorewall documentation, I will use the term <i>level</i>
|
||
|
|
rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
|
||
|
|
The syslog documentation uses the term <i>priority</i>.<br>
|
||
|
|
|
||
|
|
<h3>Syslog Levels<br>
|
||
|
|
</h3>
|
||
|
|
Syslog levels are a method of describing to syslog (8) the importance
|
||
|
|
of a message and a number of Shorewall parameters have a syslog level as
|
||
|
|
their value.<br>
|
||
|
|
<br>
|
||
|
|
Valid levels are:<br>
|
||
|
|
<br>
|
||
|
|
7
|
||
|
|
debug<br>
|
||
|
|
6
|
||
|
|
info<br>
|
||
|
|
5
|
||
|
|
notice<br>
|
||
|
|
4
|
||
|
|
warning<br>
|
||
|
|
3
|
||
|
|
err<br>
|
||
|
|
2
|
||
|
|
crit<br>
|
||
|
|
1
|
||
|
|
alert<br>
|
||
|
|
0
|
||
|
|
emerg<br>
|
||
|
|
<br>
|
||
|
|
For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
|
||
|
|
log messages are generated by NetFilter and are logged using the <i>kern</i>
|
||
|
|
facility and the level that you specify. If you are unsure of the level
|
||
|
|
to choose, 6 (info) is a safe bet. You may specify levels by name or by
|
||
|
|
number.<br>
|
||
|
|
<br>
|
||
|
|
Syslogd writes log messages to files (typically in /var/log/*) based
|
||
|
|
on their facility and level. The mapping of these facility/level pairs
|
||
|
|
to log files is done in /etc/syslog.conf (5). If you make changes to this
|
||
|
|
file, you must restart syslogd before the changes can take effect.<br>
|
||
|
|
|
||
|
|
<h3>Configuring a Separate Log for Shorewall Messages</h3>
|
||
|
|
There are a couple of limitations to syslogd-based logging:<br>
|
||
|
|
|
||
|
|
<ol>
|
||
|
|
<li>If you give, for example, kern.info it's own log destination then
|
||
|
|
that destination will also receive all kernel messages of levels 5 (notice)
|
||
|
|
through 0 (emerg).</li>
|
||
|
|
<li>All kernel.info messages will go to that destination and not just
|
||
|
|
those from NetFilter.<br>
|
||
|
|
</li>
|
||
|
|
</ol>
|
||
|
|
Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
|
||
|
|
support (and most vendor-supplied kernels do), you may also specify a log
|
||
|
|
level of ULOG (must be all caps). When ULOG is used, Shorewall will direct
|
||
|
|
netfilter to log the related messages via the ULOG target which will send
|
||
|
|
them to a process called 'ulogd'. The ulogd program is available from http://www.gnumonks.org/projects/ulogd
|
||
|
|
and can be configured to log all Shorewall message to their own log file.<br>
|
||
|
|
<br>
|
||
|
|
Download the ulod tar file and:<br>
|
||
|
|
|
||
|
|
<ol>
|
||
|
|
<li>cd /usr/local/src (or wherever you do your builds)</li>
|
||
|
|
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
|
||
|
|
<li>cd ulogd-<i>version</i><br>
|
||
|
|
</li>
|
||
|
|
<li>./configure</li>
|
||
|
|
<li>make</li>
|
||
|
|
<li>make install<br>
|
||
|
|
</li>
|
||
|
|
</ol>
|
||
|
|
If you are like me and don't have a development environment on your firewall,
|
||
|
|
you can do the first five steps on another system then either NFS mount
|
||
|
|
your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
|
||
|
|
directory and move it to your firewall system.<br>
|
||
|
|
<br>
|
||
|
|
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
|
||
|
|
|
||
|
|
<ol>
|
||
|
|
<li>syslogfile <i><file that you wish to log to></i></li>
|
||
|
|
<li>syslogsync 1</li>
|
||
|
|
</ol>
|
||
|
|
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init to
|
||
|
|
/etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
|
||
|
|
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig
|
||
|
|
--level 3 ulogd on" starts ulogd during boot up. Your init system may need
|
||
|
|
something else done to activate the script.<br>
|
||
|
|
<br>
|
||
|
|
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i><file
|
||
|
|
that you wish to log to></i>. This tells the /sbin/shorewall program
|
||
|
|
where to look for the log when processing its "show log", "logwatch" and
|
||
|
|
"monitor" commands.<br>
|
||
|
|
|
||
|
|
<p><font size="2"> Updated 12/29/2002 - <a
|
||
|
|
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a>
|
||
|
|
</font></p>
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||
|
|
© <font size="2">2001, 2002 Thomas M. Eastep</font></a></font><br>
|
||
|
|
</p>
|
||
|
|
|
||
|
|
<h2><br>
|
||
|
|
</h2>
|
||
|
|
</body>
|
||
|
|
</html>
|