Differences

This shows you the differences between two versions of the page.

--- wiki:shorewall_custom_logging [2021/01/11 13:15] – created antisa
+++ wiki:shorewall_custom_logging [2025/10/10 13:51] (current) – update rules example antisa
@@ Line 1: / Line 1: @@
-{{tag>firewall logging network}}
+{{tag>firewall logging network shorewall}}
 ====== Shorewall custom logging ======
 ===== Custom log file =====
+First make sure you have logging set. Example in ///etc/shorewall/policy//
+<code>
+#SOURCE DEST  POLICY    LOG LIMIT:    CONNLIMIT:
+#       LEVEL BURST   MASK
+# fw-to-all
+$FW all ACCEPT - -
+# net-to-all
+net all DROP info -
+# all-to-all
+all all DROP info -
+#LAST LINE -- DO NOT REMOVE
+</code>
+Example from ///etc/shorewall/rules//
+<code>
+#############################################################################################################
+#ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK
+#                                               PORT    PORT(S)         DEST            LIMIT           GROUP
+#
+LOG:info all all
+...<rest of rules>...
+</code>
 To log events created by Shorewall in a custom file called “firewall.log” in /var/log directory first edit the /etc/shorewall/shorewall.conf file. Edit this line:
@@ Line 8: / Line 31: @@
   LOGFILE=/var/log/firewall.log
+You should also change LOGFORMAT to something like
+  LOGFORMAT="shorewall log: %s %s"
 Actual logging is managed by rsyslog daemon. Create a new file called “firewall.conf” in /etc/rsyslog.d/ and add this:
 ==== Debian 7 & 8 ====
@@ Line 22: / Line 48: @@
 Now restart rsyslog service and shorewall
+==== Different approach ====
 ===== Set up firewall.log rotation =====
@@ Line 38: / Line 68: @@
 Don't forget to check if startup is enabled in /etc/default/shorewall[6]
+====== Tested on ======
+  * Debian 9,10
+====== See also ======
+  * [[wiki:Prevent programm from logging to daemon.log]]