Page 1 of 1

How to send firewall events(reject/drop) to rsyslog

Posted: 2017/04/19 15:40:16
by ddolecki108
without rewriting all the rules to add the log option to them?

Re: How to send firewall events(reject/drop) to rsyslog

Posted: 2017/04/19 17:40:53
by hunter86_bg
Firewalld or iptables ? In both cases you might have to rewrite the rules.

Re: How to send firewall events(reject/drop) to rsyslog

Posted: 2017/04/19 18:22:24
by ddolecki108
This is the solution:
Upgrade to firewalld-0.4.3.2-8.el7

firewall-cmd --set-log-denied=<value>
value may be one of: all, unicast, broadcast, multicast, or off

set-log-denied=value

Add logging rules right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also final reject and drop rules in zones for the configured link-layer packet type. The possible values are: all, unicast, broadcast, multicast and off. The default setting is off, which disables the logging.

Re: How to send firewall events(reject/drop) to rsyslog

Posted: 2017/04/19 18:26:19
by ddolecki108
But this may well write the logs to /var/log/messages, any ideas on sending them to rsyslog?

Re: How to send firewall events(reject/drop) to rsyslog

Posted: 2017/04/22 08:06:11
by Al_Stu
Here's how I do it with iptables for accept logging. Just modify for reject/drop as desired.

/etc/rsyslog.conf

Code: Select all

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
/etc/rsyslog.d/iptables.conf

Code: Select all

# Log IPTables.
:app-name, startswith, "iptables" -/var/log/iptables/iptables.log
& stop
#:msg, startswith, "IPTABLES_" -/var/log/iptables/iptables.log
#& stop
:msg, startswith, "iptables: " -/var/log/iptables/iptables.log
& stop
:msg, regex, "^\[ *[0-9]*\.[0-9]*\] iptables: " -/var/log/iptables/iptables.log
& stop
#:msg, regex, "^.*iptables.*" -/var/log/iptables/iptables.log
#& stop
# Log IP Tables messages into separate file and stop further processing.
if ($syslogfacility-text == 'kern') and \
	($msg contains 'IN=' and $msg contains 'OUT=') \
	then {
	-/var/log/firewall
	stop
}
# Log IP Tables catch all
:msg, regex, "^.*iptables" -/var/log/iptables/iptables.log
:msg, regex, "^.*iptables" -/var/log/iptables/iptables_catchall.log
& stop
/etc/sysconfig/iptables

Code: Select all

*filter
. . .
:LOG_ACCEPT - [0:0]
-A INPUT -p udp -m udp --dport 1194 -j LOG_ACCEPT
. . .
-A LOG_ACCEPT -j LOG --log-prefix "iptables: ACCEPT: " --log-level 6
-A LOG_ACCEPT -j ACCEPT