Logging

Logging

[Svenne Krap]

Hi.

I am currently working on a not so simple firewall setup on a modern 
machine (Xeon, Gigs of memory, SCSI subsystem).

As part of it, I would like to know various "event" statistics.Questions 
I would like to answer is "How many hits on port 1433 have i got, and 
how is that distributed amongst the machines". Think pivot table data.

Is there some way to get netfilter to collect rule hits (like with no -j 
clause) for a each port/ip-address individually within a range ?
Other than creating thousands of lines of rules and add them to my 
"firewall-startup" script (which is currently slightly less than 80 rules).

I have thought of just logging all traffic and running it through a 
userspace program via syslog-ng, but frankly I worry about performance 
(the firewall should be able to filter at least the 100Mbps connection, 
it currently sits on) under flooding.

Your thoughs are apprieciated :)

Svenne

Re: Logging

[Chris Brenton]

On Thu, 2005-08-11 at 11:49, Svenne Krap wrote:
>
> Is there some way to get netfilter to collect rule hits (like with no -j 
> clause) for a each port/ip-address individually within a range ?
> Other than creating thousands of lines of rules and add them to my 
> "firewall-startup" script (which is currently slightly less than 80 rules).

Have LogWatch process the /var/log/message file and produce a medium
level detail report. You'll get output similar to the following:

Dropped 603 packets on interface eth3
  From 4.78.20.2 - 12 packets to udp(53)
  From 12.120.1.21 - 10 packets to
tcp(4355,10045,12579,17520,18552,36906,53249,54319,58702,62703)
  From 12.120.1.22 - 9 packets to
tcp(4063,11107,13063,30538,37001,40758,45575,48153,57370)
  From 12.130.62.16 - 24 packets to udp(53)
  From 60.26.129.15 - 8 packets to
tcp(5554,9898,5554,9898,5554,9898,5554,9898)
  From 61.152.167.59 - 4 packets to tcp(22,22,22,22)
  From 61.221.58.212 - 4 packets to tcp(22,22,22,22)
  From 62.105.6.52 - 1 packet to icmp(0)

You can then further parse it as needed. You don't need a unique log
rule for each port and/or IP. LogWatch will sort it all out for you. 

HTH,
Chris

Re: Logging

[Grant Taylor]

Svenne Krap wrote:
> Hi.
> 
> I am currently working on a not so simple firewall setup on a modern 
> machine (Xeon, Gigs of memory, SCSI subsystem).
> 
> As part of it, I would like to know various "event" statistics.Questions 
> I would like to answer is "How many hits on port 1433 have i got, and 
> how is that distributed amongst the machines". Think pivot table data.
> 
> Is there some way to get netfilter to collect rule hits (like with no -j 
> clause) for a each port/ip-address individually within a range ?
> Other than creating thousands of lines of rules and add them to my 
> "firewall-startup" script (which is currently slightly less than 80 rules).
> 
> I have thought of just logging all traffic and running it through a 
> userspace program via syslog-ng, but frankly I worry about performance 
> (the firewall should be able to filter at least the 100Mbps connection, 
> it currently sits on) under flooding.
> 
> Your thoughs are apprieciated :)
> 
> Svenne
> 


You might want to take a look at the ACCOUNT match (http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-ACCOUNT).



Grant. . . .

logging

[IT Clown]

Hi All
                                                            
                                                            
   
Does any one know what the local0 - local7 ( locally
defined levels ) would log in syslog. I know that when i
use the following:
daemon.*
local2.*
                                                            
                                                            
   
i log ppp. What do the rest log ( local0 - local7 )?
                                                            
                                                            
   
Regards
______________________________________________________________
Herbalife Independent Distributor http://www.healthiest.co.za

Re: logging

[Antony Stone]

On Sunday 25 April 2004 4:32 pm, IT Clown wrote:

> Hi All
>
> Does any one know what the local0 - local7 ( locally
> defined levels ) would log in syslog.

The name is a bit of a clue: "locally defined levels" are locally defined - 
ie: you can use them on your system for whatever you want - there's no 
convention or standard way of using these - they're provided so that you can 
do things with them which aren't convenient to do using the other pre-defined 
levels.

Regards,

Antony.

-- 
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

                                                     Please reply to the list;
                                                           please don't CC me.

logging

[ip tables]

hello all,

I need to get a hint on how to log traffic on a
firewall using iptables. I have setup some rules but i
don't know how to log certain things such as port scan
attempts or other break-in attempts. Do i need to have
an IDS for it?

Thanks

__________________________________
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.
http://taxes.yahoo.com/filing.html

logging

[IT Clown]

Hi

Thanks i googled abit and found something else but its
logging to terminal and to a log file how do i get rid of
the terminal logging? Apparently you have to remove
anything like: /dev/console, "root" or '8' in syslog.conf
and there is nothing like that in it.I added the following
to syslog.conf:

kern.* /var/log/iptables

Regards
__________________________________________________________________________
http://www.webmail.co.za/dialup Webmail ISP - Cool Connection, Cool Price

Re: logging

[D. Prima Prayudi]

If you have difficulties with that I suggest you use ulogd daemon since
with syslogd the log from the kernel and iptables will be mixed-up.

Regards, D. Prima Prayudi

IPv6-enabled
ARC-ITB 2001:d30:3:160::2/64

On Thu, 1 Apr 2004, IT Clown wrote:

> Hi
>
> Thanks i googled abit and found something else but its
> logging to terminal and to a log file how do i get rid of
> the terminal logging? Apparently you have to remove
> anything like: /dev/console, "root" or '8' in syslog.conf
> and there is nothing like that in it.I added the following
> to syslog.conf:
>
> kern.* /var/log/iptables
>
> Regards
> __________________________________________________________________________
> http://www.webmail.co.za/dialup Webmail ISP - Cool Connection, Cool Price
>
>

logging

[IT Clown]

Hi

How do you log your iptables activity to a file because all
the activity is being displayed in my terminal while im
busy working.I would like to log it to
/var/log/iptables.
 Do i need to configure syslog.conf? how would i need to
configure it?

Regards
__________________________________________________________________________
http://www.webmail.co.za/dialup Webmail ISP - Cool Connection, Cool Price

Re: logging

[Mark Page]

C'mon Clown, you can do it ;-) - there is so much stuff out on the net
regarding  iptables/netfilter - I presume you have a browser?

This is a really general question which you could get answered in ten
minutes by reading a few articles.

try this one: 

https://lists.balabit.hu/pipermail/syslog-ng/2003-April/004990.html

On Wed, 2004-03-31 at 10:18, IT Clown wrote: 
> Hi
> 
> How do you log your iptables activity to a file because all
> the activity is being displayed in my terminal while im
> busy working.I would like to log it to
> /var/log/iptables.
>  Do i need to configure syslog.conf? how would i need to
> configure it?
> 
> Regards
> __________________________________________________________________________
> http://www.webmail.co.za/dialup Webmail ISP - Cool Connection, Cool Price
> 

RE: Logging

[Hurley, Michael]

Try something like this:

set logging to, for example,
iptables -A FORWARD -j LOG --log-level 7 --log-prefix "FORWARD: "

Then in /etc/syslog.conf:
kern.7	-/var/log/firewall



-----Original Message-----
From: Mario Udina [mailto:m.udina@libero.it]
Sent: Monday, March 15, 2004 10:51 AM
To: netfilter@lists.netfilter.org
Subject: Logging


Hello!

I have done some googling however did not manage to find out if there
is a way to define a file where iptables writes its logs.

As I read in the man the file where the logs are written is the kernel
log i.e. /var/log/messages

is there a way to send this output to another file in order to keep the
logs clean?

regards,
	Mario Udina
-- 
i would like to die as my gradfather did, quietly in his sleep
and not in panic and disbelief as the passengers of his bus.

Logging

[Mario Udina]

Hello!

I have done some googling however did not manage to find out if there
is a way to define a file where iptables writes its logs.

As I read in the man the file where the logs are written is the kernel
log i.e. /var/log/messages

is there a way to send this output to another file in order to keep the
logs clean?

regards,
	Mario Udina
-- 
i would like to die as my gradfather did, quietly in his sleep
and not in panic and disbelief as the passengers of his bus.

Re: Logging

[Frederic de Villamil]

On Mon, 15 Mar 2004, Mario Udina wrote:

> Hello!
>
> I have done some googling however did not manage to find out if there
> is a way to define a file where iptables writes its logs.
>
> As I read in the man the file where the logs are written is the kernel
> log i.e. /var/log/messages
>
> is there a way to send this output to another file in order to keep the
> logs clean?
>
> regards,

Hi Mario,
maybe what you're looking for is in /etc/syslog.conf.

--
< Ylli> lol je rigole neuro jte prend pa pr un pervers ms un president
et pere de famille respectable :s
http://www.seclab.jp

Re: Logging

[Antony Stone]

On Monday 15 March 2004 3:51 pm, Mario Udina wrote:

> Hello!
>
> I have done some googling however did not manage to find out if there
> is a way to define a file where iptables writes its logs.
>
> As I read in the man the file where the logs are written is the kernel
> log i.e. /var/log/messages
>
> is there a way to send this output to another file in order to keep the
> logs clean?

netfilter logs via syslogd, therefore by changing the --log-level option to 
the LOG target you can get messages sent to some other file as specified in 
your syslog.conf (however you may not be able to keep them *completely* 
separate from other messages, depending on how you arrange syslog.conf).

If you want to change the syslog facility as well as the level, which is the 
ideal solution, you'll have to hack the netfilter logging source code :(

Antony.

-- 
The first fifty percent of an engineering project takes ninety percent of the 
time, and the remaining fifty percent takes another ninety percent of the 
time.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Logging

[Frank Gruellich]

* Mario Udina <m.udina@libero.it> 15. Mar 04:
> Hello!

Hi,

> As I read in the man the file where the logs are written is the kernel
> log i.e. /var/log/messages

Maybe, by default.

> is there a way to send this output to another file in order to keep the
> logs clean?

This is not possible with iptables or netfilter.  You want to read the
man page of your sysklogd, especially of syslog.conf.  You can specify
priority in a rule.   Maybe you want to use another syslogger (syslog-ng
provides file redirect on patterns, AFAIK, would be usefull with the
--log-prefix option.).

HTH,
 regards, Frank.
-- 
Sigmentation fault

Re: Logging

[forum]

> I have done some googling however did not manage to find out if there is
> a way to define a file where iptables writes its logs.

In UNIX, the 'syslog' interface uses two parameters for any information 
logged:

The logging facility
The logging level

I believe the facility is fixed to kernel, but the level can be changed. 
Corresponding to that is the configuration in syslog.conf

Another useful thing is --log-prefix in the iptables command, which lets 
you output a descriptive log prefix. You can then script your own log 
placement, using grep or something.

-- 
forum@users.pc9.org

logging

[Philippe Dhont (Sea-ro)]

hi all,

i use fwbuilder to configure a firewall script
This seems to work but all my logging comes into my command prompt and in my
/var/log/messages
Now, i only want them in my /var/log/messages and NOT on my screen (very
annoying)
what do i have to do for that ?

regards,

Philippe Dhont 

Logging

[Subba Rao]

Hi

I have the following rules to allow traffic on SMTP port.

--------------------
iptables -A INPUT -i $EXTERNAL_IF -p tcp --destination-port 25 -j LOG \
                --log-level 4 --log-prefix "Incoming Mail Traffic "
iptables -A INPUT -i $EXTERNAL_IF -p tcp --destination-port 25 -j ACCEPT
--------------------

The default policy is on the INPUT chain is to drop the packets.  How do I capture
what is being dropped?

My goal is to log the inbound traffic and my syslog has the following
configuration:

--------------------
*.=info;*.=notice;mail.none                     /usr/adm/messages
*.=alert                                        /usr/adm/messages
*.=crit                                         /usr/adm/debug
mail.*                                          /var/log/mail-log
kern.*                                          /var/log/messages
user.*                                          /var/log/messages
syslog.*                                        /var/log/messages
auth.*                                          /var/log/messages
authpriv.*                                      /var/log/messages
--------------------

Is this configuration sufficient to capture the inbound connections?

-- 

Subba Rao
subba9@cablespeed.com

Re: Logging

[Athan]

[-- Attachment #1: Type: text/plain, Size: 1634 bytes --]

On Tue, Jan 14, 2003 at 01:23:10PM -0500, Subba Rao wrote:
> --------------------
> iptables -A INPUT -i $EXTERNAL_IF -p tcp --destination-port 25 -j LOG \
>                 --log-level 4 --log-prefix "Incoming Mail Traffic "
> iptables -A INPUT -i $EXTERNAL_IF -p tcp --destination-port 25 -j ACCEPT
> --------------------
> 
> The default policy is on the INPUT chain is to drop the packets.  How do I capture
> what is being dropped?

  iptables -A INPUT -i $EXTERNAL_IF -j LOG --log-level 4 \
  	--log-prefix "Dropped Incoming "

Remember a LOG target simply LOGs then returns, so it'll still drop
through to the policy after this.

> My goal is to log the inbound traffic and my syslog has the following
> configuration:
> 
> --------------------
> *.=info;*.=notice;mail.none                     /usr/adm/messages
> *.=alert                                        /usr/adm/messages
> *.=crit                                         /usr/adm/debug
> mail.*                                          /var/log/mail-log
> kern.*                                          /var/log/messages

   All iptables -j LOG goes to kern.*, so you should see it in your
/var/log/messages.  You could also use --log-level 7 (DEBUG) instead
and:

kern.=debug			/var/log/iptables

Note you _CAN_ also do --log-level debug to make things clearer.

HTH,

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME

[-- Attachment #2: Type: application/pgp-signature, Size: 240 bytes --]

Re: Logging

[Dharmendra.T]

On Tue, 2003-01-14 at 23:53, Subba Rao wrote:
> Hi
> 
> I have the following rules to allow traffic on SMTP port.
> 
> --------------------
> iptables -A INPUT -i $EXTERNAL_IF -p tcp --destination-port 25 -j LOG \
>                 --log-level 4 --log-prefix "Incoming Mail Traffic "
> iptables -A INPUT -i $EXTERNAL_IF -p tcp --destination-port 25 -j ACCEPT
> --------------------
> 
> The default policy is on the INPUT chain is to drop the packets.  How do I capture
> what is being dropped?
> 
> My goal is to log the inbound traffic and my syslog has the following
> configuration:
> 
> --------------------
> *.=info;*.=notice;mail.none                     /usr/adm/messages
> *.=alert                                        /usr/adm/messages
> *.=crit                                         /usr/adm/debug
> mail.*                                          /var/log/mail-log
> kern.*                                          /var/log/messages
> user.*                                          /var/log/messages
> syslog.*                                        /var/log/messages
> auth.*                                          /var/log/messages
> authpriv.*                                      /var/log/messages
> --------------------
> 
> Is this configuration sufficient to capture the inbound connections?
> 
> -- 
> 
> Subba Rao
> subba9@cablespeed.com
> 

Hi Rao,

 Just add a rule after the default policy. This should give you all the
packets which are dropped.

iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
iptables -A FORWARD -j LOG
-- 
Dharmendra.T
Linux Enthu

Re: Logging

[Antony Stone]

On Monday 21 October 2002 10:04 pm, Tasha Smith wrote:

> I was wandering if you can help me with my logging rules. Ill give you my
> rules exactly what they look like now (without typos) :)  And i scanned it
> with nmap from a machine NOT ROUTED by the firewall machine! And i get no
> LOG file.

No typos, heh :-) ?

Anyway, can you explain those last two comments - where are you scanning from 
(I don't understand your routing comment) - and "you get no log file" - do 
you mean you never get any logs at all, or you get log entries on the screen 
but not in a file, or you get logs sometimes, but not when you're doing a 
particular type of scan ?

> I even added this to my syslog.conf file......
>
>  kern.warn                            /var/log/fwlog

Does this successfully log anything at all ?  I mean, if you insert a rule 
right at the start of your INPUT chain:
iptables -I INPUT -j LOG --log-prefix "fwlog: "

Does anything go into /var/log/fwlog ?

(I would expect you to have to add the option "--log-level=warn" to match the 
entry in your syslog.conf file.)

>  How can i get this machine to log STEALTH port scans and stuff???

Explain what you mean by a Stealth port scan ?   If yu;re using nmap, what 
options are you using ?

> iptables           --flush
> iptables -t -nat   --flush
> iptables -t mangle --flush
>
> iptables -A INPUT  -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> iptables --policy INPUT DROP
> iptables --policy FORWARD DROP
> iptables --policy OUTPUT ACCEPT
>
> iptables -A INPUT      -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A FORWARD    -p tcp --tcp-flags ALL NONE -j DROP

Do you get the same result from your port scan (and your logs) if you remove 
these two rules ?

> iptables -A INPUT    -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FOWWARD  -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A INPUT -i eth0 -p udp \
>          -s ISP.DHCP  --sport 67 \
>          --dport 68 -j ACCEPT
> iptables -A OUTPUT -o eth0 -p udp \
>          -s eth0 --sport 68 \
>          -d ISP.DHCP --dport 67 -j ACCEPT
>
> iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -j ACCEPT
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> iptables -A INPUT -i eth0 -p tcp \
>          --dport 22,25,111,1024,1025 -j LOG --log-prefix "Log-test: "

Okay, so this LOGging rule is last in your INPUT chain, just before the 
default DROP policy.

I assume you are scanning the Firewall address itself ?

By the way, what result do you get from the scan ?   Does it suggest you have 
closed ports, open ones, nothing accessible, what ?

What happens if you simply ssh to the Firewall, or telnet to port 25 ?   Do 
you see a log entry then ?

Antony.

-- 

Having been asked to provide a reference for this man,
I can confidently state that you will be very lucky indeed
if you can get him to work for you.