Shorewall custom logging

Custom log file

First make sure logging is enabled. Example in /etc/shorewall/policy:

#SOURCE DEST    POLICY  LOG     LIMIT:  CONNLIMIT:
#                       LEVEL   BURST   MASK
# fw-to-all
$FW     all     ACCEPT  -       -
# net-to-all
net     all     DROP    info    -
# all-to-all
all     all     DROP    info    -
#LAST LINE -- DO NOT REMOVE

Example from /etc/shorewall/rules:

#############################################################################################################
#ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK
#                                               PORT    PORT(S)         DEST            LIMIT           GROUP
#
LOG:info all all

To log events created by Shorewall to a custom file called “firewall.log” in the /var/log directory, first edit the /etc/shorewall/shorewall.conf file and set this line:

LOGFILE=/var/log/firewall.log

You should also change LOGFORMAT to something like:

LOGFORMAT="shorewall log: %s %s"

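Actual logging is managed by the rsyslog daemon. Create a new file called “firewall.conf” in /etc/rsyslog.d/ and add the following. The quoted string must occur in the prefix set by LOGFORMAT (the match is case-sensitive), so with the LOGFORMAT above it is “shorewall log:”.

Debian 7 & 8

:msg, contains, "shorewall log:" -/var/log/firewall.log
& ~

Debian 9

From new version of rsyslog (8.4.2, on Debian 9) use “stop” instead of the tilde:

:msg, contains, "shorewall log:" -/var/log/firewall.log
& stop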

Now restart the rsyslog service and Shorewall.
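If the rsyslog filter string does not occur in what LOGFORMAT emits, nothing is written to firewall.log. The script below is an added example, not part of the original wiki page: it compares the two settings before you restart the services. The function names and sample files are constructed for illustration, and it assumes the filter should match the literal text before the first %s.

```shell
#!/bin/sh
# Added example: verify that the rsyslog filter string occurs in the literal
# prefix of Shorewall's LOGFORMAT (the text before the first %s).

# Print the literal LOGFORMAT prefix from a shorewall.conf-style file.
logformat_prefix() {
    sed -n 's/^[[:space:]]*LOGFORMAT=//p' "$1" | tail -n 1 |
        sed -e 's/^"//' -e 's/"[[:space:]]*$//' -e 's/%.*$//'
}

# Print every string used in a ':msg, contains, "..."' property filter.
filter_strings() {
    sed -n 's/^[[:space:]]*:msg,[[:space:]]*contains,[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# 0 = every filter string is in the prefix, 1 = mismatch, 2 = nothing to compare.
# The comparison is case-sensitive, like rsyslog's "contains".
check_filter() {
    prefix=$(logformat_prefix "$1")
    strings=$(filter_strings "$2")
    [ -n "$prefix" ] && [ -n "$strings" ] || return 2
    rc=0
    while IFS= read -r s; do
        case "$prefix" in
            *"$s"*) echo "ok: \"$s\" occurs in LOGFORMAT prefix \"$prefix\"" ;;
            *) echo "MISMATCH: \"$s\" not in LOGFORMAT prefix \"$prefix\""; rc=1 ;;
        esac
    done <<EOF
$strings
EOF
    return $rc
}

# Constructed sample input (not taken from a real host).
demo=$(mktemp -d)
printf '%s\n' 'LOGFORMAT="shorewall log: %s %s"' > "$demo/shorewall.conf"
printf '%s\n' ':msg, contains, "Shorewall:" -/var/log/firewall.log' '& stop' \
    > "$demo/firewall.conf"
check_filter "$demo/shorewall.conf" "$demo/firewall.conf" ||
    echo "align the filter string with LOGFORMAT before restarting"
rm -rf "$demo"
```

On a real system, call check_filter /etc/shorewall/shorewall.conf /etc/rsyslog.d/firewall.conf.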

Different approach

Set up firewall.log rotation

Create the file /etc/logrotate.d/firewall and put this in it:

/var/log/firewall.log {
        rotate 4
        weekly
        missingok
        notifempty
        delaycompress
        compress
}

Don't forget to check if startup is enabled in /etc/default/shorewall[6]

Tested on

  • Debian 9,10

See also

wiki/shorewall_custom_logging.1760104264.txt.gz · Last modified: by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal