I am running an Ubuntu Server 14.04 system with a shorewall firewall. Shorewall is essentially a front end to iptables, and it is iptables that does the logging via Netfilter (my understanding so far).

My problem is that I can't make sense of the shorewall docs regarding logging to a different destination. This is how far I've come:

  • I installed and started ulogd
  • I defined a variable in /etc/shorewall/params: LOG=NFLOG
  • I changed all occurrences of info to $LOG in /etc/shorewall/shorewall.conf
  • I set the log destination in /etc/shorewall/shorewall.conf: LOGFILE=/var/log/shorewall

This supposedly accomplishes the following: Netfilter logs to the NFLOG (successor to ULOG) destination, which means Netfilter log messages are handled by ulogd2.

What I don't know is how I can tell ulogd2 to write all shorewall messages to my desired log file /var/log/shorewall.

The documentation is rather unclear on this, as this forum thread testifies. This blog post I found is equally vague regarding ulogd2's log redirection.

In summary:

  1. Is my approach for redirecting shorewall log messages to ulogd2 correct at all?
  2. How can I configure ulogd2 to redirect shorewall's messages to /var/log/shorewall?

PS: I am not asking this question on AskUbuntu, because this is equally relevant for other Linux distributions.

derabbink

2 Answers

Ubuntu uses rsyslog, so you can configure it to filter messages and write them to arbitrary log files, e.g. create a file /etc/rsyslog.d/shorewall.conf

:msg, contains, "Shorewall:" /var/log/shorewall
& ~

Or if you want to split things out some more

:msg, contains, "Shorewall:cust2net:ACCEPT:" /var/log/shorewallc2na.log
& ~

:msg, contains, "Shorewall:" /var/log/shorewall
& ~

Which puts all messages containing "Shorewall:cust2net:ACCEPT:" into one log file and any other messages containing "Shorewall" into a different log file.

You need to restart rsyslogd for this to take effect.

user9517
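The ordering point behind the rsyslog fragment above, as an added Python example (not from the answer): rules are tried in order and the first match wins, because "& ~" discards a message once it has been written, so the specific "Shorewall:cust2net:ACCEPT:" filter must precede the catch-all "Shorewall:" one. It also splits the Netfilter KEY=VALUE fields behind Shorewall's "Shorewall:chain:disposition:" prefix and counts what would land in /var/log/shorewall. File paths are the answer's own; the log lines are constructed samples, not real traffic.

```python
import re

# Shorewall's default LOGFORMAT prefixes each Netfilter record with
# "Shorewall:<chain>:<disposition>:", which the rsyslog filters match on.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE pairs, VALUE may be empty (OUT=)

# Same order as the rsyslog fragment: first match wins, since "& ~" discards
# the message after it has been written to the file.
RULES = [
    ("Shorewall:cust2net:ACCEPT:", "/var/log/shorewallc2na.log"),
    ("Shorewall:", "/var/log/shorewall"),
]

def route(msg, rules=RULES):
    """Return the file the rsyslog fragment would write this message to, or None."""
    for needle, path in rules:
        if needle in msg:
            return path
    return None

def parse_shorewall(msg):
    """Split a Netfilter log line into chain, disposition and its KEY=VALUE fields."""
    m = PREFIX_RE.search(msg)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return {"chain": m.group("chain"), "disposition": m.group("disposition"), **fields}

def summarize(lines):
    """Count records per (chain, disposition, SRC) for lines that land in /var/log/shorewall."""
    counts = {}
    for line in lines:
        if route(line) != "/var/log/shorewall":
            continue
        rec = parse_shorewall(line)
        key = (rec["chain"], rec["disposition"], rec.get("SRC", "?"))
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample records in kernel/Netfilter layout (documentation addresses, not real traffic).
SAMPLE = [
    "Nov  3 10:15:01 gw kernel: Shorewall:cust2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=443",
    "Nov  3 10:15:02 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 PROTO=TCP SPT=40000 DPT=22",
    "Nov  3 10:15:03 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 PROTO=TCP SPT=40001 DPT=23",
    "Nov  3 10:15:04 gw sshd[811]: Accepted publickey for admin from 192.0.2.20 port 50022",
]

if __name__ == "__main__":
    for (chain, disp, src), n in sorted(summarize(SAMPLE).items()):
        print(f"{chain}:{disp} from {src}: {n}")
```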

I think you forgot to update the policy file:

#SOURCE     DEST    POLICY      LOG LEVEL   LIMIT:BURST
$FW         net     ACCEPT
net         all     DROP        $LOG
# The FOLLOWING POLICY MUST BE LAST
all         all     REJECT      $LOG

Kartoch