{{tag>firewall logging network shorewall}}

====== Shorewall custom logging ======
===== Custom log file =====

First make sure you have logging set. Example in ///etc/shorewall/policy//
<code>
#SOURCE DEST  POLICY    LOG LIMIT:    CONNLIMIT:
#       LEVEL BURST   MASK
# fw-to-all
$FW all ACCEPT - -
# net-to-all
net all DROP info -
# all-to-all
all all DROP info -
#LAST LINE -- DO NOT REMOVE
</code>

Example from ///etc/shorewall/rules//
<code>
#############################################################################################################
#ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK
#                                               PORT    PORT(S)         DEST            LIMIT           GROUP
#
LOG:info all all
...<rest of rules>...
</code>

To log events created by Shorewall in a custom file called “firewall.log” in /var/log directory first edit the /etc/shorewall/shorewall.conf file. Edit this line:

  LOGFILE=/var/log/firewall.log

You should also change LOGFORMAT to something like
  LOGFORMAT="shorewall log: %s %s"
  
Actual logging is managed by rsyslog daemon. Create a new file called “firewall.conf” in /etc/rsyslog.d/ and add this:
==== Debian 7 & 8 ====

  :msg, contains, "Shorewall:" -/var/log/firewall.log
  & ~

==== Debian 9 ====

From new version of rsyslog (8.4.2, on Debian 9) use "stop" instead of tilda:

  :msg, contains, "Shorewall:" -/var/log/firewall.log
  & stop

Now restart rsyslog service and shorewall

==== Different approach ====


===== Set up firewall.log rotation =====

Create the file /etc/logrotate.d/firewall and put this in it:

<code>
/var/log/firewall.log {
        rotate 4
        weekly
        missingok
        notifempty
        delaycompress
        compress
}
</code>
Don't forget to check if startup is enabled in /etc/default/shorewall[6] 

====== Tested on ======
  * Debian 9,10

====== See also ======
  * [[wiki:Prevent programm from logging to daemon.log]]