How to send firewall events (reject/drop) to rsyslog
How to send firewall events (reject/drop) to rsyslog without rewriting all the rules to add the log option to them?
Re: How to send firewall events (reject/drop) to rsyslog
Firewalld or iptables? In both cases you might have to rewrite the rules.
Re: How to send firewall events (reject/drop) to rsyslog
This is the solution:
Upgrade to firewalld-0.4.3.2-8.el7
firewall-cmd --set-log-denied=<value>
value may be one of: all, unicast, broadcast, multicast, or off
--set-log-denied=value
    Add logging rules right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also final reject and drop rules in zones for the configured link-layer packet type. The possible values are: all, unicast, broadcast, multicast and off. The default setting is off, which disables the logging.
Re: How to send firewall events (reject/drop) to rsyslog
But this may well write the logs to /var/log/messages; any ideas on sending them to rsyslog?
Re: How to send firewall events (reject/drop) to rsyslog
Here's how I do it with iptables for accept logging. Just modify for reject/drop as desired.
/etc/rsyslog.conf
/etc/rsyslog.d/iptables.conf
/etc/sysconfig/iptables
Code (/etc/rsyslog.conf):
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
Code (/etc/rsyslog.d/iptables.conf):
# Log IPTables.
:app-name, startswith, "iptables" -/var/log/iptables/iptables.log
& stop
#:msg, startswith, "IPTABLES_" -/var/log/iptables/iptables.log
#& stop
:msg, startswith, "iptables: " -/var/log/iptables/iptables.log
& stop
:msg, regex, "^\[ *[0-9]*\.[0-9]*\] iptables: " -/var/log/iptables/iptables.log
& stop
#:msg, regex, "^.*iptables.*" -/var/log/iptables/iptables.log
#& stop
# Log IP Tables messages into separate file and stop further processing.
if ($syslogfacility-text == 'kern') and \
($msg contains 'IN=' and $msg contains 'OUT=') \
then {
-/var/log/firewall
stop
}
# Log IP Tables catch all
:msg, regex, "^.*iptables" -/var/log/iptables/iptables.log
:msg, regex, "^.*iptables" -/var/log/iptables/iptables_catchall.log
& stop
Code (/etc/sysconfig/iptables):
*filter
. . .
:LOG_ACCEPT - [0:0]
-A INPUT -p udp -m udp --dport 1194 -j LOG_ACCEPT
. . .
-A LOG_ACCEPT -j LOG --log-prefix "iptables: ACCEPT: " --log-level 6
-A LOG_ACCEPT -j ACCEPT
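The third post asks how to get the rejected/dropped events out of /var/log/messages, and the rsyslog rule in the last post routes them by matching kern-facility messages that contain IN= and OUT=. As an added example (not code from this thread), the Python below applies that same test to constructed sample lines and parses the KEY=value fields the LOG target writes, so denied traffic can be summarised per source and destination port; the sample lines and the "iptables: REJECT: " prefix are assumptions.

```python
import re
from collections import Counter

# Constructed sample (not from the thread): lines as they land in /var/log/messages.
# "iptables: ACCEPT: " is the --log-prefix used in the post's iptables rules;
# "iptables: REJECT: " is assumed here for a matching reject rule.
SAMPLE_LOG = """\
Mar 12 10:01:02 host kernel: iptables: ACCEPT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TTL=64 ID=1 DF PROTO=UDP SPT=40000 DPT=1194 LEN=40
Mar 12 10:01:03 host kernel: iptables: REJECT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=51515 DPT=22 WINDOW=65535 SYN
Mar 12 10:01:04 host kernel: iptables: REJECT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=51516 DPT=23 SYN
Mar 12 10:01:05 host sshd[123]: Accepted publickey for alice from 192.0.2.10 port 5000
Mar 12 10:01:06 host kernel: usb 1-1: new high-speed USB device number 3
"""

# Classic syslog file line: timestamp, host, program tag (optional [pid]), message.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:\[]+)(\[\d+\])?: (?P<msg>.*)$")
# KEY=value pairs written by the LOG target (OUT= is legitimately empty for inbound packets).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def is_firewall_event(tag, msg):
    """Same test as the rsyslog rule in the post: kernel-originated and carrying IN= and OUT=.
    In a flat file the 'kernel' tag stands in for $syslogfacility-text == 'kern'."""
    return tag == "kernel" and "IN=" in msg and "OUT=" in msg


def parse_firewall_events(text):
    """Return one dict per firewall log line: timestamp, host, LOG action prefix, and fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_firewall_event(m["tag"], m["msg"]):
            continue
        msg = m["msg"]
        # Whatever precedes IN= is the --log-prefix, e.g. "iptables: REJECT: "; keep its last word.
        prefix = msg[: msg.index("IN=")].strip().rstrip(":")
        action = prefix.split(":")[-1].strip()
        events.append({"ts": m["ts"], "host": m["host"], "action": action,
                       "fields": dict(KV_RE.findall(msg))})
    return events


def denied_by_source(events):
    """Count REJECT/DROP events per (SRC, PROTO, DPT): the first triage view for denied traffic."""
    counts = Counter()
    for e in events:
        if e["action"] in ("REJECT", "DROP"):
            f = e["fields"]
            counts[(f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts
```

Pointing the same parser at the file the rsyslog rule writes (/var/log/firewall in the post) gives a per-source view of what the firewall is rejecting without touching the iptables or firewalld rules themselves.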