
Better living through Linux firewall logging

By Iain Morris posted on February 15th, 2010

Sometimes it’s the little things that drive you crazy.  Like when you tail /var/log/messages on someone’s Linux system only to find a sea of iptables log entries: denied DHCP broadcasts, multicast DNS, everything.  It takes just an extra step to tack on a grep to filter this out, but as any sysadmin can tell you, the little things add up to a lot of time and aggravation.  Worse, the sea of irrelevant denies does little to tell you who’s actually attempting to get into your systems.  With just a few extra switches in iptables, you can send your firewall log to its own file.

Many people like logging denies in their input chain to see what attempts are made to access the host.  Not a bad idea.  We’ll do the same thing here, but redirect everything to a separate file at /var/log/firewall.  There are several ways to go about this; we’ll have the LOG target emit at the debug log level (7) and configure syslogd to send kernel debug-priority messages to /var/log/firewall.  This works because the stock RHEL/CentOS syslog.conf sends *.info and higher to /var/log/messages, so debug-priority entries never land there.  Note that every kernel message logged at debug priority will go to this file, not just netfilter logging, but the number of such spurious messages will be small.

First, configure syslog to send kernel debug-priority messages to /var/log/firewall by adding a line to /etc/syslog.conf (rsyslog accepts the same selector syntax in /etc/rsyslog.conf):

kern.=debug   /var/log/firewall

The = matters.  A bare kern.debug selector means “debug and every higher priority”, which would copy every kernel message into the firewall log; kern.=debug matches only priority 7, which is exactly what the LOG rule below emits.

Next, add an iptables LOG rule that logs at level 7 (debug), placing it just before the DROP at the end of your chain.  Matches such as -m limit go before the -j LOG target and its options:

iptables -A my_input_chain -m limit --limit 15/minute \
   -j LOG --log-level 7 --log-prefix "Dropped: "

I’ve added a couple of extra options to make the log more readable and less noisy: an explanatory prefix you can grep for, and a rate limit on how fast entries can be appended (15 per minute here, on top of the limit match’s default burst of 5).  Keep in mind that the rate limit is exactly what it says: during a port scan or a flood, packets beyond the limit are still dropped but never logged, so the log tells you that something happened, not how much of it.
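Once the entries carry a fixed prefix, the log can be boiled down to something that answers the question from the top of the post: who is actually knocking?  The following is an added example (mine, not the post author’s) of doing that with awk.  The log lines in sample_log are constructed in the format sysklogd writes for this LOG rule, using documentation addresses; the function names and the definition of “noise” are my assumptions.

```shell
#!/bin/sh
# Summarize a /var/log/firewall file by source, protocol and destination port,
# skipping the broadcast/multicast noise the post complains about. Added
# example, not from the original post; the lines in sample_log are
# constructed (RFC 5737 documentation addresses), and the function names and
# the noise definition are assumptions.

# Emit a few constructed lines in the format sysklogd writes for a LOG rule
# with --log-prefix "Dropped: ", plus one unrelated kernel debug line.
sample_log() {
    cat <<'EOF'
Feb 15 10:12:01 host kernel: Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.0.2.20 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Feb 15 10:12:03 host kernel: Dropped: IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:11:22:33:44:66:08:00 SRC=192.0.2.21 DST=224.0.0.251 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52
Feb 15 10:12:07 host kernel: Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 15 10:12:08 host kernel: Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 15 10:12:09 host kernel: Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=44323 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 15 10:12:15 host kernel: Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ff:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=7771 DF PROTO=TCP SPT=60003 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 15 10:12:16 host kernel: Dropped: IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:11:22:33:44:66:08:00 SRC=192.0.2.21 DST=224.0.0.251 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52
Feb 15 10:12:20 host kernel: usb 1-1: new high speed USB device using ehci_hcd and address 3
EOF
}

# Read log lines on stdin; print "count SRC PROTO DPT", busiest first.
# Lines without the "Dropped: " prefix (other kernel debug output sharing the
# file) are ignored, as is link-local noise: DHCP (ports 67/68), mDNS (5353),
# and broadcast or multicast destinations.
summarize_drops() {
    awk '
    /Dropped: / {
        src = ""; dst = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^DST=/)   dst   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src == "") next
        # noise: broadcast, multicast (224.0.0.0/4), DHCP, mDNS
        if (dst == "255.255.255.255") next
        split(dst, o, ".")
        if (o[1] + 0 >= 224 && o[1] + 0 <= 239) next
        if (dpt == "67" || dpt == "68" || dpt == "5353") next
        count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# Usage: summarize_drops < /var/log/firewall    (or: sample_log | summarize_drops)
```

Run against the constructed sample, the two mDNS lines, the DHCP line and the USB line disappear, and what is left is three SYNs to port 22 from one host and one to 3389 from another, which is the part worth reading.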

Now /var/log/firewall will start filling up fast, so you’ll need to rotate it.  I just add /var/log/firewall to the list of system logs in /etc/logrotate.d/syslog (the stanza needs its closing brace):

/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler
   /var/log/boot.log /var/log/cron /var/log/firewall {
sharedscripts
postrotate
 /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
 /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}

To get the whole process rolling, restart syslog and then reload iptables (on RHEL or CentOS).  Syslog goes first so the new selector is in place before entries start arriving.  Be aware that service iptables restart reloads the rules from /etc/sysconfig/iptables, so a LOG rule you added live with the iptables command has to be in that file (put it there, or run service iptables save first) or the restart will throw it away:

/sbin/service syslog restart
/sbin/service iptables restart
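Pulling the steps together, here is an added example script (mine, not the post author’s) that applies the whole procedure on a RHEL/CentOS-style host: it uses the kern.=debug selector, gives the firewall log its own logrotate stanza, adds the rate-limited LOG rule, and saves the live rules rather than restarting iptables.  The function names, the chain name my_input_chain, and the ROOT/IPTABLES/SERVICE overrides (which exist so the script can be dry-run against a scratch directory) are assumptions, not anything from the original post.

```shell
#!/bin/sh
# fwlog-setup.sh: wire up a separate /var/log/firewall on RHEL/CentOS.
# Added example, not the post author's script. The function names, the chain
# name "my_input_chain" and the ROOT/IPTABLES/SERVICE overrides are
# assumptions made here so the script can be dry-run against a scratch dir.
set -e

ROOT=${ROOT:-}                         # prefix for config paths; "" = the real system
IPTABLES=${IPTABLES:-/sbin/iptables}
SERVICE=${SERVICE:-/sbin/service}
CHAIN=${CHAIN:-my_input_chain}         # assumed chain name; its last rule is DROP
LOGFILE=/var/log/firewall

# Step 1: syslog selector. Note the "=": kern.=debug matches priority 7 only,
# while plain kern.debug means "debug and above", i.e. every kernel message.
write_syslog_conf() {
    conf="$ROOT/etc/syslog.conf"
    mkdir -p "$(dirname "$conf")"
    if ! grep -q "^kern\.=debug[[:space:]]" "$conf" 2>/dev/null; then
        printf 'kern.=debug\t\t\t\t\t%s\n' "$LOGFILE" >> "$conf"
    fi
}

# Step 2: rotation. A stanza of its own under /etc/logrotate.d avoids editing
# the distribution's syslog stanza in place; the HUP lines match the post's.
write_logrotate_conf() {
    conf="$ROOT/etc/logrotate.d/firewall"
    mkdir -p "$(dirname "$conf")"
    cat > "$conf" <<EOF
$LOGFILE {
    missingok
    notifempty
    compress
    sharedscripts
    postrotate
        /bin/kill -HUP \`cat /var/run/syslogd.pid 2> /dev/null\` 2> /dev/null || true
        /bin/kill -HUP \`cat /var/run/rsyslogd.pid 2> /dev/null\` 2> /dev/null || true
    endscript
}
EOF
}

# Step 3: the LOG rule. Matches (-m limit) go before the target (-j LOG) and
# its options. Call this before appending the chain's final DROP so the LOG
# rule sits just above it. Skips the add if a "Dropped: " LOG rule is already
# in the chain, so the script can be re-run safely.
add_log_rule() {
    if "$IPTABLES" -L "$CHAIN" -n 2>/dev/null | grep -q 'LOG .*prefix .Dropped: '; then
        return 0
    fi
    "$IPTABLES" -A "$CHAIN" -m limit --limit 15/minute --limit-burst 5 \
        -j LOG --log-level 7 --log-prefix "Dropped: "
}

# Step 4: activate. syslog first so the selector is live before entries arrive;
# then *save* the live rules to /etc/sysconfig/iptables, which is what a later
# "service iptables restart" reloads. Restarting iptables without saving would
# discard a rule that was added with the iptables command.
activate() {
    "$SERVICE" syslog restart
    "$SERVICE" iptables save
}

main() {
    write_syslog_conf
    write_logrotate_conf
    add_log_rule
    activate
    echo "firewall logging set up; tail -f $ROOT$LOGFILE"
}

# Apply for real (as root) with:  FWLOG_APPLY=1 sh fwlog-setup.sh
if [ "${FWLOG_APPLY:-0}" = "1" ]; then
    main
fi
```

Set ROOT to a scratch directory and point IPTABLES and SERVICE at shell functions that merely record their arguments to see exactly what the script would write and run before letting it touch a production box.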

That’s all there is to it.  Obviously there are a million more sophisticated things you can do with iptables.  This is just a sample to get you some basic logging without clogging up /var/log/messages with irrelevant stuff!

Posted in Linux, Security, System Administration, Tips and Tricks
