How to send firewall events(reject/drop) to rsyslog

ddolecki108
Posts: 17
Joined: 2017/02/28 20:46:44

How to send firewall events(reject/drop) to rsyslog

Postby ddolecki108 » 2017/04/19 15:40:16

without rewriting all the rules to add the log option to them?

hunter86_bg
Posts: 439
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: How to send firewall events(reject/drop) to rsyslog

Postby hunter86_bg » 2017/04/19 17:40:53

Firewalld or iptables? In both cases you might have to rewrite the rules.

ddolecki108
Posts: 17
Joined: 2017/02/28 20:46:44

Re: How to send firewall events(reject/drop) to rsyslog

Postby ddolecki108 » 2017/04/19 18:22:24

This is the solution:
Upgrade to firewalld-0.4.3.2-8.el7

firewall-cmd --set-log-denied=<value>
value may be one of: all, unicast, broadcast, multicast, or off

set-log-denied=value

Add logging rules right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also final reject and drop rules in zones for the configured link-layer packet type. The possible values are: all, unicast, broadcast, multicast and off. The default setting is off, which disables the logging.

ddolecki108
Posts: 17
Joined: 2017/02/28 20:46:44

Re: How to send firewall events(reject/drop) to rsyslog

Postby ddolecki108 » 2017/04/19 18:26:19

But this may well write the logs to /var/log/messages; any ideas on sending them to rsyslog?

Al_Stu
Posts: 28
Joined: 2010/09/14 21:05:16

Re: How to send firewall events(reject/drop) to rsyslog

Postby Al_Stu » 2017/04/22 08:06:11

Here's how I do it with iptables for accept logging. Just modify for reject/drop as desired.

/etc/rsyslog.conf

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
/etc/rsyslog.d/iptables.conf

# Log IPTables.
:app-name, startswith, "iptables" -/var/log/iptables/iptables.log
& stop
#:msg, startswith, "IPTABLES_" -/var/log/iptables/iptables.log
#& stop
:msg, startswith, "iptables: " -/var/log/iptables/iptables.log
& stop
:msg, regex, "^\[ *[0-9]*\.[0-9]*\] iptables: " -/var/log/iptables/iptables.log
& stop
#:msg, regex, "^.*iptables.*" -/var/log/iptables/iptables.log
#& stop
# Log IP Tables messages into separate file and stop further processing.
if ($syslogfacility-text == 'kern') and \
   ($msg contains 'IN=' and $msg contains 'OUT=') \
   then {
   -/var/log/firewall
   stop
}
# Log IP Tables catch all
:msg, regex, "^.*iptables" -/var/log/iptables/iptables.log
:msg, regex, "^.*iptables" -/var/log/iptables/iptables_catchall.log
& stop
/etc/sysconfig/iptables

*filter
. . .
:LOG_ACCEPT - [0:0]
-A INPUT -p udp -m udp --dport 1194 -j LOG_ACCEPT
. . .
-A LOG_ACCEPT -j LOG --log-prefix "iptables: ACCEPT: " --log-level 6
-A LOG_ACCEPT -j ACCEPT


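Once the kernel netfilter lines land in their own file, the next step is usually to summarize them. The Python below is an added example, not code from the thread: it applies the same kern/IN=/OUT= test as the rsyslog block above to constructed sample lines, strips the optional "[ 1234.567]" kernel timestamp that the regex filter accounts for, and counts reject/drop events per source and port. The "FINAL_REJECT: " and "FINAL_DROP: " prefixes are assumed to match firewalld's log-denied output; "iptables: ACCEPT: " is the prefix from the iptables rules above.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread) in the netfilter LOG format
# that the rsyslog filter keys on: a kern message carrying "IN=" and "OUT=".
# "iptables: ACCEPT: " is the prefix from the thread's iptables rules;
# "FINAL_REJECT: " / "FINAL_DROP: " are assumed firewalld log-denied prefixes.
SAMPLE_LOG = """\
Apr 22 08:00:01 host kernel: iptables: ACCEPT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=51000 DPT=1194 LEN=40
Apr 22 08:00:02 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 22 08:00:03 host kernel: [ 1234.567] FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=44322 DPT=22 SYN URGP=0
Apr 22 08:00:04 host kernel: FINAL_DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Apr 22 08:00:05 host sshd[123]: Accepted publickey for admin from 192.0.2.10
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value pairs of the LOG target
KTIME_RE = re.compile(r"^\[ *[0-9.]+\] *")    # optional "[ 1234.567] " kernel timestamp

def parse_netfilter_line(line):
    """Return (log_prefix, fields) for a kernel netfilter LOG line, else None.
    Same test as the rsyslog block: a kernel message with both IN= and OUT=.
    The log prefix is whatever precedes IN=, minus timestamp and trailing colon."""
    if "kernel: " not in line or " IN=" not in line or " OUT=" not in line:
        return None
    body = line.split("kernel: ", 1)[1]
    prefix, _, rest = body.partition("IN=")
    prefix = KTIME_RE.sub("", prefix).strip().rstrip(":")
    fields = dict(FIELD_RE.findall("IN=" + rest))  # inner LEN= overrides the outer one
    return prefix, fields

def summarize_denied(log_text):
    """Count reject/drop events per (prefix, SRC, PROTO, DPT); ACCEPT lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_netfilter_line(line)
        if parsed is None:
            continue
        prefix, f = parsed
        if "ACCEPT" in prefix:
            continue
        counts[(prefix, f.get("SRC"), f.get("PROTO"), f.get("DPT", "-"))] += 1
    return counts

def denied_by_source(log_text):
    """Roll the per-port counts up to one number per source address."""
    by_src = Counter()
    for (_, src, _, _), n in summarize_denied(log_text).items():
        by_src[src] += n
    return by_src
```

Pointing `summarize_denied` at the contents of /var/log/firewall gives the per-source, per-port view that the rsyslog routing above makes cheap to produce.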