wiki:Logging

Logging

Basically, there are two types of logs that Vuurmuur produces: the traffic.log and the program logs.

Traffic.log

Vuurmuur reads the log messages produced by the kernel by default from /var/log/messages. It then converts the log messages to the Vuurmuur format, and writes them by default to /var/log/vuurmuur/traffic.log.

Because a ruleset with a lot of log rules can produce many log messages it may be wise to direct the logs to another logfile so that /var/log/messages remains usable. In this example we use '/var/log/firewall'.

To do this, first edit your /etc/syslog.conf and add the following line:

kern.=debug /var/log/firewall

Save the file and restart syslogd. (In some cases a restart of klogd is also required.)

Now run Vuurmuur_conf and go to the 'Vuurmuur Configuration' and then to 'Logging'. There change the 'Loglevel' to 'debug' and set the 'Systemlog filename' to '/var/log/firewall'.

Exit Vuurmuur_conf and restart Vuurmuur.

Note: Depending on your syslogd configuration, the log files may still get filled with vuurmuur messages, in which case you need to explicitly disable the logging of these messages in /etc/syslog.conf. For instance, if you want a "clean" /var/log/syslog, you should change the rule for it:

# *.*;auth,authpriv.none    /var/log/syslog
*.*;auth,authpriv.none;kern.!debug    /var/log/syslog

This rule will tell syslogd to ignore the kernel messages coming with the priority "debug" and all higher priorities (all of them in this case, so we could have used "kern.none" aswell).

If you have "rsyslog" you can create a conf file:

/etc/rsyslog.d/30-iptables.conf

:msg, contains, "vrmr: " -/var/log/firewall
& ~

This should clean debug and kernel logs

Program logs

The program logs are all produced by Vuurmuur itself. There a number of logfiles besides traffic.log, normally they can be found in /var/log/vuurmuur/:

  1. vuurmuur.log
  2. error.log
  3. debug.log
  4. audit.log

In vuurmuur.log startup and status messages are printed as well as configuration changes made in vuurmuur_conf. In case of errors in the program or the configuration, messages will be written to the error.log. Debug messages go into the debug.log, normally there should not be many (or even any), but when the -d option is enabled a lot of info will be printed to the log.

Audit logging

When you use Vuurmuur in a professional environment, especially where you administer the firewall with more than one administrator, you probably need to have a audit trail consisting of which changes where made by who. Vuurmuur however, doesn't (yet) support different users. You just have to be local root-user to administer it.

So how to handle this? Well, Vuurmuur is able to get the id of the real userid if a user executed vuurmuur_conf or vuurmuur_script using 'sudo' or 'su'. If a user johndoe runs vuurmuur_conf with 'sudo /usr/bin/vuurmuur_conf', the name that is logged by Vuurmuur is johndoe.

This way you can setup user accounts on the firewall for every administrator there is and add them to the /etc/sudoers file.

johndoe ALL=/usr/bin/vuurmuur_conf,/usr/bin/vuurmuur_script

When the user johndoe logs in into the firewall machine, either locally or through ssh, he can run vuurmuur_conf like this:

sudo vuurmuur_conf

He will have to re-enter his password (this can be disabled in /etc/sudoers).

All changes to the configuration as well as reloading Vuurmuur are logged in the audit.log file, which by default can be found in /var/log/vuurmuur/audit.log. Here you find with every change made, the username of the administrator who made the change.

A few examples:

10/09/2005 19:21:38 : PID 7900 : vuurmuur_conf : johndoe : service 'X-4' was created.
10/09/2005 19:24:13 : PID 7900 : vuurmuur_conf : johndoe : service 'X-4' has been changed: portrange 'TCP: 1024:65535 -> 6005' was added.
10/10/2005 13:58:42 : PID 23087 : vuurmuur : root : IPC-SHM: backend changed: reload (user: johndoe).
Last modified 2 years ago Last modified on 07/07/16 02:23:02