Firewall logging
Posted in General, Tips on September 28th, 2009 by Tom Howarth
As part of a hardening exercise on a deployment I am involved with, we had a need to enable firewall logging on the ESX servers.
This proved to be a much tougher exercise than I expected, so blog post here I come. I post on PlanetVM.Net for a number of reasons: firstly to have a central location for my blathering, secondly to help others with hints and tips, but mostly to store all those little titbits of information that took ages to research and which you forget about 10 minutes after completing the work. So, without further ado, blog post away.
The first step in enabling firewall logging is to use the -v option of esxcfg-firewall.
Note that this option has to be used in conjunction with one of the other operations, so run the command “esxcfg-firewall -v -l”. This re-loads the existing configuration and then enables logging. Also note that making any change to the firewall config after this removes the logging option, so the command will need to be reapplied.
Next you need to enable debug-level logging in syslog, which will allow you to view the messages. To do this, first make a backup copy of /etc/syslog.conf:
cp /etc/syslog.conf /etc/syslog.conf.bak
Next, open /etc/syslog.conf in your favourite text editor. I prefer vi, so:
vi /etc/syslog.conf
Locate the following line and press “i” (lower-case i, as in India) to enter insert mode:
*.info;mail.none;authpriv.none;cron.none;local6.none;local5.none /var/log/messages
Change *.info to *.debug, so that the line reads as follows:
*.debug;mail.none;authpriv.none;cron.none;local6.none;local5.none /var/log/messages
Next press “Esc” to exit insert mode, then type :w to write out the file and finally :q to quit back to the command line.
Now, restart the syslog daemon by running:
“service syslog restart”.
All debug-level messages (including the iptables firewall messages) will now be recorded in /var/log/messages. Use “tail -f /var/log/messages” during debugging sessions to get a real-time view of what’s being blocked.
Warning: enabling this level of logging will cause the messages file to grow fairly rapidly. Keep an eye on the free space on the /var volume and disable debug-logging once you’ve finished debugging.
Point your syslog.conf file to a syslog server by adding the following to the top of the file:
*.* @your IP address here
Then you won’t have to worry about /var filling up.
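The same syslog.conf changes, scripted so they can be reviewed, repeated and checked rather than made by hand in vi. This is an added example, not from the original post; it assumes the stock Service Console selector line shown above and a caller-supplied collector address (192.0.2.10 below is a documentation placeholder).

```shell
#!/bin/sh
# Added example (not the post's own commands). Assumes the stock ESX Service
# Console line that sends *.info to /var/log/messages; the collector address
# is supplied by the caller.

# Constructed sample of the relevant part of /etc/syslog.conf, for trying this offline.
write_sample_conf() {
    printf '%s\n' \
        'kern.*                                  /dev/console' \
        '*.info;mail.none;authpriv.none;cron.none;local6.none;local5.none /var/log/messages' \
        > "$1"
}

# Back up a syslog.conf, raise *.info to *.debug on the /var/log/messages selector
# only, and prepend "*.* @collector" once. Arguments: conf path, collector address.
configure_syslog() {
    conf="$1"; collector="$2"
    cp "$conf" "$conf.bak" || return 1
    sed 's#^\*\.info\(;.*/var/log/messages\)#*.debug\1#' "$conf" > "$conf.tmp" || return 1
    # Idempotent: do not add a second forwarding line on a re-run.
    if ! grep -qxF -- "*.* @$collector" "$conf.tmp"; then
        { printf '*.* @%s\n' "$collector"; cat "$conf.tmp"; } > "$conf.tmp2" \
            && mv "$conf.tmp2" "$conf.tmp"
    fi
    mv "$conf.tmp" "$conf"
}

# True (exit 0) when the messages selector is already at debug level.
debug_logging_enabled() { grep -q '^\*\.debug;.*/var/log/messages' "$1"; }

# True (exit 0) when every facility is forwarded to the given collector.
forwarding_to() { grep -qxF -- "*.* @$2" "$1"; }

# On a real ESX host: edit the live file, restart syslogd, then reload the firewall
# rules with -v so the iptables log entries start appearing (the post notes this
# last step must be re-run after every later firewall change).
apply_on_esx() {
    configure_syslog /etc/syslog.conf "$1" \
        && service syslog restart \
        && esxcfg-firewall -v -l
}
```

Run apply_on_esx with the collector address on the host itself; the other functions can be tried against a copy of the file first.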