
(Shibby Mod) Log Firewall events to a different logfile (not messages)?

Discussion in 'Tomato Firmware' started by darkknight93, May 4, 2013.

  1. darkknight93

    darkknight93 Networkin' Nut Member

    Good afternoon all :)

    Sorry for flooding this forum with posts! I'm just getting curious about my Asus/Cisco routers and want to improve my skills in monitoring/Linux.

    Is it possible to set a different log file for the "user.warn kernel: DROP " messages from the built-in firewall?

    I'm using Shibby's mod at the moment and only found the settings to enable and disable firewall logging.

    Thanks in advance! I really appreciate the work on all Tomato-based projects/mods/stuff like that!


    EDIT: Or is it possible to create a kind of symlink/script that just pulls everything related to the firewall drop/reject logs out, summarized in another file?

    Background: I have many custom scripts logging their actions to messages... so I often overlook these messages because of too many firewall incidents...
     
  2. jerrm

    jerrm Network Guru Member

    Syslog-ng from Entware/Optware, or CGI and/or command-line scripts to only show what you want.
     
  3. darkknight93

    darkknight93 Networkin' Nut Member

    Does syslog-ng replace the existing syslog? Or how do I deal with that? :)
     
  4. philess

    philess Networkin' Nut Member

    Syslog-ng looks interesting, but maybe not very easy to set up for simple stuff.
    But I will try to; I want separate log files for different events.
    I think it should be possible to feed the full Tomato syslog to syslog-ng and
    from there output to separate files.

    @darkknight93 Nope, it doesn't replace it. You can safely install it and use
    it additionally. Take a look here: http://www.campin.net/syslog-ng.conf
     
  5. RMerlin

    RMerlin Network Guru Member

    One thing you could look at is ulogd. I don't know if it's available in Optware/Entware, however, and it will require some modification to the router's logging rules to use a different target.
     
  6. jerrm

    jerrm Network Guru Member

    If you want to maintain the GUI log viewing functionality, there isn't a perfect way to handle it.

    If tomato logging is disabled or set to remote only, then the log view page is disabled.

    If tomato logging is set to a file other than /var/log/messages, it creates a link at /var/log/messages to the "real" file, and /var/log/messages can get trampled if the logging service is restarted from some gui action.

    We found the easiest was to leave everything enabled in the GUI, then "killall syslogd" in the script that starts syslog-ng. Any GUI action causing a logging restart can still cause issues when syslogd restarts. We work around it by having tomato set up to log "remotely" to localhost, then have syslog-ng call a script to kill syslogd when it sees a network packet from localhost.

    The following syslog-ng.conf file will do what you want, the iptables match may need some tweaking:
    Code:
    options {
    #      use_fqdn(yes);
    #      use_dns(yes);
    #      dns_cache(yes);
            keep_hostname(yes);     # keep the hostname the sender supplied
            long_hostnames(off);
            sync(1);                # flush after every message, nothing sits in a buffer
            log_fifo_size(1024);
    };
     
    # kernel ring buffer (where the iptables LOG lines appear), the local /dev/log
    # socket, syslog-ng's own messages, and syslog over UDP (Tomato's "remote" logging)
    source src {
            pipe("/proc/kmsg");
            unix-stream("/dev/log");
            internal();
            udp();
    };
     
    # hands every matching message to the script on its stdin; used below to kill busybox syslogd
    destination killsyslogd { program("/opt/bin/killsyslogd.sh"); };
     
    destination messages { file("/var/log/messages"
                    template("$DATE $HOST $FACILITY.$LEVEL $MSG\n")
                    template_escape(no));    };
    destination iptables { file("/var/log/iptables"
                    template("$DATE $HOST $FACILITY.$LEVEL $MSG\n")
                    template_escape(no));    };
    # one file per day, root-only; the directory is created on first use
    destination daily { file("/var/log/daily/messages.$YEAR.$MONTH.$DAY"
                    owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
                    template("$DATE $HOST $FACILITY.$LEVEL $MSG\n")
                    template_escape(no));    };
     
    filter f_localhost { host("localhost"); };
    # matches the IN=/OUT=/SRC=/DST= fields of an iptables LOG line, so it catches
    # both "DROP " and "REJECT " prefixed messages
    filter f_iptables { match(" IN=.* OUT=.*SRC=.*DST=" ); };
    filter f_noiptables { not filter(f_iptables); };
     
    #log everything to daily log file
    log {  source(src);
            destination(daily); };
     
    #exclude iptables from messages
    log {  source(src);
            filter(f_noiptables);
            destination(messages); };
     
    #log iptables only
    log {  source(src);
            filter(f_iptables);
            destination(iptables); };
     
    #kill syslogd if we see network packet from localhost
    log {  source(src);
            filter(f_localhost);
            destination(killsyslogd); };
    
    The template lines above are optional; they are only there so the output matches the busybox syslog format.

    Then use a start-syslog-ng.sh, something like:
    Code:
    #!/bin/sh
    killall syslogd      # stop busybox syslogd so it no longer writes /var/log/messages
    killall syslog-ng    # drop any running instance before starting a fresh one
    syslog-ng
    

    And finally a killsyslogd.sh for syslog-ng to use:
    Code:
    #!/bin/sh
    # syslog-ng starts this script once and writes each message that passed
    # f_localhost to its stdin; every such line means busybox syslogd is back
    while read line
    do
      echo "$line" >> /var/log/kill.log
      killall syslogd
    done
    


    EDIT: Also, syslog-ng does not do any log rotation. You will need logrotate or similar.
     
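Added example, not jerrm's code and not part of the thread: a dry run of the f_iptables match against a handful of log lines, so the regex can be tweaked and checked offline before the config goes on the router. It assumes the lines look like busybox syslog output with Tomato's "kernel: DROP IN=... OUT=... SRC=... DST=..." firewall messages; the five sample lines (RFC 5737 addresses) are constructed, as are the temp-dir paths.

```shell
#!/bin/sh
# Added example (not from the thread): emulate the f_iptables / f_noiptables
# routing on a constructed sample log and sanity-check the match expression.

# Same regular expression as the f_iptables filter in the syslog-ng.conf above.
IPT_PATTERN=' IN=.* OUT=.*SRC=.*DST='

# Constructed sample log in busybox syslog format: three firewall lines, two others.
SAMPLE_LOG='May  4 12:00:01 tomato user.warn kernel: DROP IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May  4 12:00:02 tomato user.notice root: backup.sh finished
May  4 12:00:03 tomato user.warn kernel: REJECT IN=br1 OUT=vlan2 SRC=192.168.2.10 DST=203.0.113.9 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
May  4 12:00:04 tomato daemon.info dnsmasq[123]: started, version 2.66 cachesize 150
May  4 12:00:05 tomato user.warn kernel: DROP IN=vlan2 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0'

# route_log IPT_FILE MSG_FILE: the two log{} statements in one pass over stdin.
# A line goes to exactly one of the two files, never both, never neither.
route_log() {
    awk -v ipt="$1" -v msg="$2" -v pat="$IPT_PATTERN" '
        $0 ~ pat { print > ipt; next }
                 { print > msg }
    '
}

# count_matches ERE: how many sample lines a candidate match() expression hits.
# Use it to tune the regex before editing syslog-ng.conf.
count_matches() {
    printf '%s\n' "$SAMPLE_LOG" | grep -Ec "$1"
    return 0   # grep exits 1 on zero matches; a count of 0 is still an answer
}

# check_pattern: the field-based match must catch exactly the lines that carry a
# firewall prefix. It keys on IN=/OUT=/SRC=/DST=, so REJECT lines count as well.
check_pattern() {
    [ "$(count_matches "$IPT_PATTERN")" = "$(count_matches 'kernel: (DROP|REJECT) ')" ]
}

# demo: route the sample into a temp dir and report the split.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LOG" | route_log "$dir/iptables" "$dir/messages"
    echo "iptables: $(wc -l < "$dir/iptables") lines, messages: $(wc -l < "$dir/messages") lines"
    rm -rf "$dir"
}

demo
```

Run it as-is to see the 3/2 split; replace SAMPLE_LOG with `tail -n 200 /var/log/messages` output from the router to test the regex against real lines.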
  7. darkknight93

    darkknight93 Networkin' Nut Member

    I figured out which iptables commands enable logging for incoming traffic:

    Code:
    #iptables Logging
    # logdrop: log new connections (rate-limited to 60/min) with prefix "DROP ", then drop
    iptables -N logdrop
    iptables -A logdrop -m state --state NEW -m limit --limit 60/m -j LOG --log-prefix "DROP " --log-macdecode --log-tcp-sequence --log-tcp-options
    iptables -A logdrop -j DROP
    # logreject: log with prefix "REJECT ", then answer TCP with a RST
    iptables -N logreject
    iptables -A logreject -m limit --limit 60/m -j LOG --log-prefix "REJECT " --log-macdecode --log-tcp-sequence --log-tcp-options
    iptables -A logreject -p tcp -j REJECT --reject-with tcp-reset
    # whatever is left in INPUT goes through the logging chain instead of a bare DROP
    iptables -A INPUT -j logdrop
    
    Just FYI. Same as the option (Logging enabled for inbound blocked traffic).
     
  8. darkknight93

    darkknight93 Networkin' Nut Member

    Seriously, this is so amazing! Many, many thanks to you, jerrm! :)

    I have the following setup now:

    Code:
    options {
    #      use_fqdn(yes);
    #      use_dns(yes);
    #      dns_cache(yes);
            keep_hostname(yes);
            long_hostnames(off);
            sync(1);
            log_fifo_size(1024);
    };
     
    source src {
            pipe("/proc/kmsg");
            unix-stream("/dev/log");
            internal();
            udp();
    };
     
    destination killsyslogd { program("/mnt/DATA/scripts/syslog-ng/killsyslogd.sh"); };
     
    # system messages go to /var/log/system
    destination messages { file("/var/log/system"
                    template("$DATE $HOST $FACILITY.$LEVEL $MSG\n")
                    template_escape(no));    };
    # WAN firewall hits go to /var/log/messages, which is what the GUI log viewer reads
    destination iptableswan { file("/var/log/messages"
                    template("$DATE $HOST $FACILITY.$LEVEL $MSG\n")
                    template_escape(no));    };
    destination iptablesdmz { file("/var/log/dmz"
                    template("$DATE $HOST $FACILITY.$LEVEL $MSG\n")
                    template_escape(no));    };
    destination daily { file("/var/log/archive/syslog.$YEAR.$MONTH.$DAY"
                    owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
                    template("$DATE $HOST $FACILITY.$LEVEL $MSG\n")
                    template_escape(no));    };
     
    filter f_localhost { host("localhost"); };
    # split by ingress interface: vlan2 is the WAN, br1 the DMZ bridge
    filter f_iptableswan { match(" IN=vlan2 OUT=.*SRC=.*DST=" ); };
    filter f_iptablesdmz { match(" IN=br1 OUT=.*SRC=.*DST=" ); };
    # firewall lines from any other interface still fall through to messages
    filter f_noiptables { not filter(f_iptableswan) and not filter(f_iptablesdmz); };
     
    #log everything to daily log file
    log {  source(src);
            destination(daily); };
     
    #exclude iptables from messages
    log {  source(src);
            filter(f_noiptables);
            destination(messages); };
     
    #log iptableswan only
    log {  source(src);
            filter(f_iptableswan);
            destination(iptableswan); };
      
    #log iptablesdmz only
    log {  source(src);
            filter(f_iptablesdmz);
            destination(iptablesdmz); };
     
    #kill syslogd if we see network packet from localhost
    log {  source(src);
            filter(f_localhost);
            destination(killsyslogd); };
    
    to log DMZ issues separately... I use the Linksys log viewer, so I keep the iptables issues from the WAN in messages... system stuff goes to system. Not the best way, but somehow comfortable for me, and it enables the "fast checks" feature on what's going on.


    Again: you deserve a big thanks! :))
     
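Added example, not part of darkknight93's setup or of the thread: the "fast check" that the per-interface split above makes possible, run over the firewall log files instead of through the GUI. It parses the fields an iptables LOG rule like the logdrop/logreject chains writes (the "DROP "/"REJECT " prefix, IN=, SRC=, DPT=) by name rather than by position, and summarizes blocked sources and destination ports per interface. The interface names vlan2 (WAN) and br1 (DMZ) are taken from the config above; the six sample lines are constructed (RFC 5737 and RFC 1918 addresses), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): summarize iptables LOG lines per interface.

# Constructed sample: five firewall lines and one ordinary message.
SAMPLE='May  4 13:00:01 tomato user.warn kernel: DROP IN=vlan2 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May  4 13:00:02 tomato user.warn kernel: DROP IN=vlan2 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May  4 13:00:03 tomato user.warn kernel: DROP IN=vlan2 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=6000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
May  4 13:00:04 tomato user.warn kernel: REJECT IN=br1 OUT=vlan2 SRC=192.168.2.10 DST=203.0.113.9 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
May  4 13:00:05 tomato user.warn kernel: DROP IN=vlan2 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 PROTO=UDP SPT=53 DPT=1900 LEN=20
May  4 13:00:06 tomato user.info root: not a firewall line at all'

# fw_fields: rewrite each firewall line on stdin as "ACTION IFACE SRC DPT" and skip
# everything else. LOG output differs per protocol (no DPT= for ICMP, optional
# MAC=), so every key is looked up by name instead of by column number.
fw_fields() {
    awk '
        / IN=.* OUT=.*SRC=.*DST=/ {
            action = ""; iface = ""; src = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i == "kernel:")      action = $(i + 1)   # word after "kernel:" is the --log-prefix
                else if ($i ~ /^IN=/)     iface = substr($i, 4)
                else if ($i ~ /^SRC=/)    src = substr($i, 5)
                else if ($i ~ /^DPT=/)    dpt = substr($i, 5)
            }
            print action, iface, src, dpt
        }
    '
}

# top_sources IFACE [N]: most frequent blocked sources on one interface, "COUNT SRC" per line.
top_sources() {
    printf '%s\n' "$SAMPLE" | fw_fields | awk -v want="$1" '$2 == want { print $3 }' \
        | sort | uniq -c | sort -rn | head -n "${2:-5}" | awk '{ print $1, $2 }'
}

# top_ports IFACE [N]: most frequently hit destination ports on one interface.
top_ports() {
    printf '%s\n' "$SAMPLE" | fw_fields | awk -v want="$1" '$2 == want && $4 != "-" { print $4 }' \
        | sort | uniq -c | sort -rn | head -n "${2:-5}" | awk '{ print $1, $2 }'
}

# count_action PREFIX: number of firewall lines logged with a given prefix (DROP, REJECT).
count_action() {
    printf '%s\n' "$SAMPLE" | fw_fields | awk -v want="$1" '$1 == want' | wc -l | tr -d ' '
}

echo "WAN sources:"; top_sources vlan2
echo "WAN ports:";   top_ports vlan2
echo "DROP: $(count_action DROP), REJECT: $(count_action REJECT)"
```

On the router, feed `cat /var/log/messages /var/log/dmz` into fw_fields instead of the constructed SAMPLE; because the ingress interface is carried in the output, one pass over both files still gives separate WAN and DMZ tallies.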
