{"id":4755,"date":"2022-12-20T18:36:51","date_gmt":"2022-12-20T21:36:51","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/shorewalllogging-man5\/"},"modified":"2022-12-20T18:36:51","modified_gmt":"2022-12-20T21:36:51","slug":"shorewalllogging-man5","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/shorewalllogging-man5\/","title":{"rendered":"SHOREWALL−LOGGING (man5)"},"content":{"rendered":"

SHOREWALL\u2212LOGGING<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
DESCRIPTION<\/a>
DEFAULT LOGGING<\/a>
SYSLOG LEVELS<\/a>
CONFIGURING A SEPARATE LOG FOR SHOREWALL MESSAGES (ULOGD)<\/a>
UNDERSTANDING THE CONTENTS OF SHOREWALL LOG MESSAGES<\/a>
CUSTOMIZING THE CONTENT OF SHOREWALL LOG MESSAGES<\/a>
LOG BACKENDS<\/a>
SEE ALSO<\/a>
NOTES<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

logging \u2212 Shorewall logging<\/p>\n

SYNOPSIS <\/a> <\/h2>\n\n\n\n\n
<\/td>\n\n

action<\/i>:<\/b>level<\/i><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n\n

NFLOG(<\/b>nflog\u2212parameters<\/i>)<\/b><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n
<\/td>\n\n

ULOG(<\/b>ulog\u2212parameters<\/i>)<\/b><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

DESCRIPTION <\/a> <\/h2>\n

The disposition of packets entering a Shorewall firewall is determined by one of a number of Shorewall facilities. Only some of these facilities permit logging.<\/p>\n

1. The packet is part of an established connection. While the packet can be logged using LOG rules in the ESTABLISHED section of \/etc\/shorewall\/rules<\/font><\/b> [1]<\/font><\/small> , that is not recommended because of the large amount of information that may be logged.<\/font><\/p>\n

2. The packet represents a connection request that is related to an established connection (such as a<\/font> data connection associated with an FTP control connection<\/font><\/b> [2]<\/font><\/small> ). These packets may be logged using LOG rules in the RELATED section of<\/font> shorewall\u2212rules(5)<\/font><\/b> [1]<\/font><\/small> .<\/font><\/p>\n

3. The packet is rejected because of an option in<\/font> shorewall.conf<\/font><\/b> [3]<\/font><\/small> (5) or<\/font> shorewall\u2212interfaces(5)<\/font><\/b> [4]<\/font><\/small> . These packets can be logged by setting the appropriate logging\u2212related option in<\/font> \/etc\/shorewall\/shorewall.conf<\/font><\/b> [3]<\/font><\/small> .<\/font><\/p>\n

4. The packet matches a rule in<\/font> shorewall\u2212rules<\/font><\/b> [1]<\/font><\/small> (5). By including a syslog level (see below) in the ACTION column of a rule (e.g., \u201cACCEPT:info<\/b> net $FW tcp 22\u201d), the connection attempt will be logged at that level.<\/font><\/p>\n

5. The packet doesn’t match a rule so it is handled by a policy defined in<\/font> shorewall\u2212policy(5)<\/font><\/b> [5]<\/font><\/small> . These may be logged by specifying a syslog level in the LOG LEVEL column of the policy’s entry (e.g., \u201cloc net ACCEPT info<\/b>\u201d).<\/font><\/p>\n

DEFAULT LOGGING <\/a> <\/h2>\n

By default, Shorewall directs Netfilter to log using syslog (8). Syslog classifies log messages by a facility<\/i> and a priority<\/i> (using the notation facility.priority<\/i>).<\/font><\/p>\n

The facilities defined by syslog are auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp<\/i> and local0<\/i> through local7.<\/i><\/font><\/p>\n

Throughout the Shorewall documentation, the term level<\/i> rather than priority is used,<\/i> since level<\/i> is the term used by Netfilter. The syslog documentation uses the term priority<\/i>.<\/font><\/p>\n

SYSLOG LEVELS <\/a> <\/h2>\n

Syslog levels are a method of describing to syslog (8) the importance of a message. A number of Shorewall parameters have a syslog level as their value.<\/font><\/p>\n

Valid levels are:<\/font><\/p>\n

7 \u2212 debug<\/b> (Debug\u2212level
messages)
6 \u2212 info<\/b>
(Informational)
5 \u2212 notice<\/b> (Normal but
significant Condition)
4 \u2212 warning<\/b> (Warning
Condition)
3 \u2212 err<\/b> (Error
Condition)
2 \u2212 crit<\/b> (Critical
Conditions)
1 \u2212 alert<\/b> (must be handled
immediately)
0 \u2212 emerg<\/b> (System is
unusable)<\/font><\/p>\n

For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall log messages are generated by Netfilter and are logged using the kern<\/i> facility and the level that you specify. If you are unsure of the level to choose, 6 (info) is a safe bet. You may specify levels by name or by number.<\/font><\/p>\n

Beginning with Shorewall 4.5.5, the level<\/i> name or number may be optionally followed by a comma\u2212separated list of one or more log options<\/i>. The list is enclosed in parentheses. Log options cause additional information to be included in each log message.<\/font><\/p>\n

Valid log options are:<\/font><\/p>\n

ip_options<\/b><\/font><\/p>\n

Log messages will include the option settings from the IP header.<\/font><\/p>\n

macdecode<\/b><\/font><\/p>\n

Decode the MAC address and protocol.<\/font><\/p>\n

tcp_sequence<\/b><\/font><\/p>\n

Include TCP sequence numbers.<\/font><\/p>\n

tcp_options<\/b><\/font><\/p>\n

Include options from the TCP header.<\/font><\/p>\n

uid<\/b><\/font><\/p>\n

Include the UID of the sending program; only valid for packets originating on the firewall itself.<\/font><\/p>\n

Example: info(tcp_options,tcp_sequence)<\/b><\/font><\/p>\n

Syslogd writes log messages to files (typically in \/var\/log\/*) based on their facility and level. The mapping of these facility\/level pairs to log files is done in \/etc\/syslog.conf (5). If you make changes to this file, you must restart syslogd before the changes can take effect.<\/font><\/p>\n

Syslog may also write to your system console. See<\/font> Shorewall FAQ 16<\/font><\/b> [6]<\/font><\/small> for ways to avoid having Shorewall messages written to the console.<\/font><\/p>\n

CONFIGURING A SEPARATE LOG FOR SHOREWALL MESSAGES (ULOGD) <\/a> <\/h2>\n

There are a couple of limitations to syslogd\u2212based logging:<\/font><\/p>\n

1. If you give, for example, kern.info its own log destination then that destination will also receive all kernel messages of levels 5 (notice) through 0 (emerg).<\/font><\/p>\n

2. All kernel.info messages will go to that destination and not just those from Netfilter.<\/font><\/p>\n

3. Netfilter (Shorewall) messages show up in dmesg<\/b>.<\/font><\/p>\n

If your kernel has NFLOG target support (and most vendor\u2212supplied kernels do), you may also specify a log level of NFLOG (must be all caps). When NFLOG is used, Shorewall will direct Netfilter to log the related messages via the NFLOG target which will send them to a process called \u201culogd\u201d. The ulogd program is included in most distributions.<\/font><\/p>\n

Note<\/big><\/b>
The NFLOG logging mechanism is completely separate<\/i> from syslog. Once you switch to NFLOG, the settings in \/etc\/syslog.conf have absolutely no effect on your Shorewall logging (except for Shorewall status messages which still go to syslog).<\/font><\/p>\n

You will need to change all instances of log levels (usually \u201cinfo\u201d) in your Shorewall configuration files to \u201cNFLOG\u201d \u2212 this includes entries in the policy, rules and shorewall.conf files. If you initially installed using Shorewall 5.1.2 or later, you can simply change the setting of LOG_LEVEL in shorewall.conf.<\/font><\/p>\n

UNDERSTANDING THE CONTENTS OF SHOREWALL LOG MESSAGES <\/a> <\/h2>\n

For general information on the contents of Netfilter log messages, see<\/font> http:\/\/logi.cc\/en\/2010\/07\/netfilter\u2212log\u2212format\/<\/font><\/b>.<\/font><\/p>\n

For Shorewall\u2212specific information, see<\/font> FAQ #17<\/font><\/b> [7]<\/font><\/small> .<\/font><\/p>\n

CUSTOMIZING THE CONTENT OF SHOREWALL LOG MESSAGES <\/a> <\/h2>\n

In a Shorewall logging rule, the log level can be followed by a log tag as in “DROP:NFLOG:junk”. The generated log message will include “chain\u2212name<\/i> junk DROP”.<\/font><\/p>\n

By setting the LOGTAGONLY option to Yes in<\/font> shorewall.conf(5)<\/font><\/b> [8]<\/font><\/small> or<\/font> shorewall6.conf(5)<\/font><\/b> [8]<\/font><\/small> , the disposition (‘DROP’ in the above example) will be omitted. Consider the following rule:<\/font><\/p>\n

#ACTION SOURCE DEST PROTO
REJECT(icmp\u2212proto\u2212unreachable):notice:IPv6 loc net 41 # who’s using IPv6 tunneling<\/font><\/p>\n

This rule generates the following warning at compile time:<\/font><\/p>\n

WARNING: Log Prefix shortened to “Shorewall:IPv6:REJECT(icmp\u2212p ”
\/etc\/shorewall\/rules (line 212)<\/font><\/p>\n

and produces the rather ugly prefix “Shorewall:IPv6:REJECT(icmp\u2212p “.<\/font><\/p>\n

Now consider this similar rule:<\/font><\/p>\n

#ACTION SOURCE DEST PROTO
REJECT(icmp\u2212proto\u2212unreachable):notice:IPv6,tunneling loc net 41 # who’s using IPv6 tunneling<\/font><\/p>\n

With LOGTAGONLY=Yes, no warning is generated and the prefix becomes “Shorewall:IPv6:tunneling:”<\/font><\/p>\n

See the<\/font> shorewall[6].conf man page<\/font><\/b> [8]<\/font><\/small> for further information about how LOGTAGONLY=Yes can be used.<\/font><\/p>\n

LOG BACKENDS <\/a> <\/h2>\n

Netfilter logging allows configuration of multiple backends. Logging backends provide the The low\u2212level forward of log messages. There are currently three backends:<\/font><\/p>\n

LOG (ipt_LOG and ip6t_LOG).<\/font><\/p>\n

Normal kernel\u2212based logging to a syslog daemon.<\/font><\/p>\n

ULOG (ipt_ULOG)<\/font><\/p>\n

ULOG logging as described ablve. Only available for IPv4.<\/font><\/p>\n

netlink (nfnetlink_log)<\/font><\/p>\n

The logging backend behind NFLOG, defined above.<\/font><\/p>\n

The currently\u2212available and currently\u2212selected IPv4 and IPv6 backends are shown in \/proc\/sys\/net\/netfilter\/nf_log:<\/font><\/p>\n

cat \/proc\/net\/netfilter\/nf_log
0 NONE (nfnetlink_log)
1 NONE (nfnetlink_log)
2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log)
3 NONE (nfnetlink_log)
4 NONE (nfnetlink_log)
5 NONE (nfnetlink_log)
6 NONE (nfnetlink_log)
7 NONE (nfnetlink_log)
8 NONE (nfnetlink_log)
9 NONE (nfnetlink_log)
10 ip6t_LOG (ip6t_LOG,nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)<\/font><\/p>\n

The magic numbers (0\u221212) are Linux address family numbers (AF_INET is 2 and AF_INET6 is 10).<\/font><\/p>\n

The name immediately following the number is the currently\u2212selected backend, and the ones in parentheses are the ones that are available. You can change the currently selected backend by echoing it’s name into \/proc\/net\/netfilter\/nf_log.number<\/i>.<\/font><\/p>\n

Example \u2212 change the IPv4 backend to LOG:<\/font><\/p>\n

sysctl net.netfilter.nf_log.2=ipt_LOG<\/font><\/p>\n

Beginning with Shorewall 4.6.4, you can configure the backend using the LOG_BACKEND option in<\/font> shorewall.conf(5)<\/font><\/b> [3]<\/font><\/small> and<\/font> shorewall6.conf(5)<\/font><\/b> [3]<\/font><\/small> .<\/font><\/p>\n

SEE ALSO <\/a> <\/h2>\n

https:\/\/shorewall.org\/shorewall_logging.html<\/font><\/b> [9]<\/font><\/small><\/p>\n

NOTES <\/a> <\/h2>\n\n\n
<\/td>\n\n

1.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

\/etc\/shorewall\/rules<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-rules.html<\/font><\/p>\n\n\n
<\/td>\n\n

2.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

data connection associated with an FTP control connection<\/font><\/p>\n<\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/FTP.html<\/font><\/p>\n\n\n
<\/td>\n\n

3.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall.conf<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall.conf.html<\/font><\/p>\n\n\n
<\/td>\n\n

4.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-interfaces(5)<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-interfaces.html<\/font><\/p>\n\n\n
<\/td>\n\n

5.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-policy(5)<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-policy.html<\/font><\/p>\n\n\n
<\/td>\n\n

6.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

Shorewall FAQ 16<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/FAQ.htm#faq16<\/font><\/p>\n\n\n
<\/td>\n\n

7.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

FAQ #17<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/FAQ.htm#faq17<\/font><\/p>\n\n\n
<\/td>\n\n

8.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall.conf(5)<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall.conf.html<\/font><\/p>\n\n\n
<\/td>\n\n

9.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

https:\/\/shorewall.org\/shorewall_logging.html<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/shorewall_logging.htm<\/font><\/p>\n

\n","protected":false},"excerpt":{"rendered":"

logging \u2212 Shorewall logging <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[959],"tags":[961,1291,1673],"class_list":["post-4755","post","type-post","status-publish","format-standard","hentry","category-5-formatos-de-ficheros","tag-961","tag-man5","tag-shorewall-logging"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4755","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=4755"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4755\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=4755"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=4755"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=4755"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}