cynicastic / scribe

Entware syslog-ng and logrotate installer for Asuswrt-Merlin

Support built-in Firewall messages #3

Closed B00ze64 closed 4 years ago

B00ze64 commented 5 years ago

Good day cmkelley.

I'd like to use this, but it's missing a filter entry for the thing that generates the most logs for me: the built-in Firewall. I do not use Skynet, but I do log FW events, and they are going to system log. Could you add a filter to send those to their own logfile? Both Dropped and Accepted packets.

Apr  5 22:22:20 kernel: DROP IN=br0 OUT=eth0 SRC=192.168.1.154 DST=198.60.22.240 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=39257 DPT=123 LEN=56 
Apr  5 22:23:33 kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.100 DST=23.111.74.216 LEN=540 TOS=0x00 PREC=0x00 TTL=127 ID=20146 PROTO=UDP SPT=58454 DPT=443 LEN=520

Thank you.

cynicastic commented 5 years ago

I use skynet, not the built-in firewall, but you can try the following (cut and paste into an editor when ssh'd into the router):

# this filter is NOT compatible with the Skynet filter!
destination d_firewall { 
    file("/opt/var/log/fireall.log");
};

# log messages from firewall
filter f_firewall {
    message("ACCEPT IN=") or
    message("DROP IN=");
};

# final flag stops processing of messages matching the f_firewall filter
# only look to kernel for messages
log {
    source(kernel);
    filter(f_firewall);
    destination(d_firewall);
    flags(final);
};

#eof
cynicastic commented 5 years ago

If that works, let me know and I'll add it to the share directory.

cynicastic commented 5 years ago

Duh, oh yeah, that text above should go into /opt/etc/syslog-ng.d/firewall

To rotate those logs weekly, copy the below into /opt/etc/logrotate.d/firewall

/opt/var/log/firewall {
    postrotate
        /usr/bin/killall -HUP syslog-ng
    endscript
}
B00ze64 commented 5 years ago

Gimme some days (it's the weekend, and I have to troubleshoot some strange WiFi issue I was having yesterday) and I'll let you know. I kinda knew I could just look at your syslog configs and add one for the built-in FW. What I was thinking about was for Scribe to automatically enable filtering the normal firewall events when Skynet is not found. Thanks.

cynicastic commented 5 years ago

Ya, no worries. I already found typos in the above. :( I get ahead of myself too easily. Once more:

/opt/etc/syslog-ng.d/firewall

# this filter is NOT compatible with the Skynet filter!
destination d_firewall { 
    file("/opt/var/log/firewall.log");
};

# log messages from firewall
filter f_firewall {
    message("ACCEPT IN=") or
    message("DROP IN=");
};

# final flag stops processing of messages matching the f_firewall filter
# only look to kernel for messages
log {
    source(kernel);
    filter(f_firewall);
    destination(d_firewall);
    flags(final);
};

#eof

/opt/etc/logrotate.d/firewall

/opt/var/log/firewall.log {
    postrotate
        /usr/bin/killall -HUP syslog-ng
    endscript
}

If you wanted to set a minimum size for the firewall log before rotating you can follow the example from /opt/etc/logrotate.d/messages and set minsize to some amount. If it fills up quickly you can add the daily directive (see the messages file for this as well). I don't know what good defaults would be here.

One other really important thing, all the files in /opt/etc/syslog-ng.d and /opt/etc/logrotate.d cannot be writable by anyone other than your root user, so chmod 644 or 600 - I've added chmod 600 to scribe when it installs them since GitHub + zip loses the permissions.
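An added check for the permission point above; this is illustrative shell written for this thread, not part of scribe. It takes the config directories as arguments (so it can be tried on a scratch copy before pointing it at /opt/etc/syslog-ng.d and /opt/etc/logrotate.d), reports any file that is group- or world-writable, and offers the chmod 600 repair scribe applies on install:

```shell
#!/bin/sh
# Report config files writable by anyone other than the owner.
# Returns 0 when every file is owner-only writable, 1 otherwise.
# Directory paths are passed in rather than hard-coded (assumption:
# run against /opt/etc/syslog-ng.d /opt/etc/logrotate.d on the router).
check_conf_perms() {
    bad=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # POSIX octal permission tests: -020 = group write bit, -002 = other write bit
        found=$(find "$dir" -type f \( -perm -020 -o -perm -002 \) -print)
        if [ -n "$found" ]; then
            printf 'insecure permissions (fix with chmod 600):\n%s\n' "$found"
            bad=1
        fi
    done
    return $bad
}

# Restrict every file in the given directories to owner read/write (chmod 600),
# the same mode scribe sets when it installs its filters.
fix_conf_perms() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -exec chmod 600 {} \;
    done
}

# Typical use on the router (assumed paths from the thread):
#   check_conf_perms /opt/etc/syslog-ng.d /opt/etc/logrotate.d || \
#       fix_conf_perms /opt/etc/syslog-ng.d /opt/etc/logrotate.d
```

Run the check before restarting syslog-ng after editing a filter; syslog-ng and logrotate both read these files as root, so a world-writable filter or rotate script is a path to running arbitrary commands as root (the logrotate `postrotate` block is a shell script).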

B00ze64 commented 5 years ago

Good day.

Started playing with this, made a RegExp filter for dnsmasq-dhcp, which works nicely (have not tried LogRotate on it yet.) For the firewall however, it refuses KERNEL as the source, not quite sure why: Error resolving reference; content='source', name='kernel', location='/opt/etc/syslog-ng.d/firewall:15:5'

Also getting this when I syslog-ng -Fevd, not sure why yet: [2019-04-17T02:52:15.119783] Follow mode file still does not exist; filename='/var/lib/logrotate.status' [2019-04-17T02:52:15.119891] Follow mode file still does not exist; filename='/opt/tmp/logrotate.daily'

Regards,

B00ze64 commented 5 years ago

This seems to work:

filter f_firewall {
# only look to kernel for messages
    facility(0) and
    (  message("ACCEPT IN=") or
       message("DROP IN=")
    );
};

log {
    source(src);
    filter(f_firewall);
    destination(d_firewall);
    flags(final);
};

The log grows FAST, I'll let it run a day and see what values we need for logrotate. I usually only log accepted packets, but having a size for both will be good. I'd look into Skynet, but with a VPN running on the clients it's mostly useless... Ah! Skynet does inbound; for some reason I was thinking only of outbound filtering... Still getting those Follow Mode errors on syslog-ng -Fevd, I might have to create an account on the forums so I can ask there...
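As an added illustration (not code from scribe or from either poster), here is the selection the working f_firewall filter performs, expressed as a POSIX awk pipeline so it can be run against an existing syslog file on the router. It uses the two firewall lines posted at the top of the thread plus two constructed non-matching lines: a dnsmasq line and a non-kernel line that merely contains the text "DROP IN=", which is why the facility(0) / program check matters and the message match alone is not enough. It also pulls out the fields a defender actually graphs (action, SRC, DST, PROTO, DPT) and counts them, which is the quickest way to find the client responsible for a fast-growing log:

```shell
#!/bin/sh
# Constructed sample input: first two lines are from the thread, the last two are
# made up here to show lines the filter must reject.
SAMPLE_LOG='Apr  5 22:22:20 kernel: DROP IN=br0 OUT=eth0 SRC=192.168.1.154 DST=198.60.22.240 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=39257 DPT=123 LEN=56
Apr  5 22:23:33 kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.100 DST=23.111.74.216 LEN=540 TOS=0x00 PREC=0x00 TTL=127 ID=20146 PROTO=UDP SPT=58454 DPT=443 LEN=520
Apr  5 22:23:40 dnsmasq-dhcp[1234]: DHCPACK(br0) 192.168.1.154 00:11:22:33:44:55 tvlive
Apr  5 22:23:41 someapp: user typed DROP IN= into a form'

# Equivalent of: facility(0) and (message("ACCEPT IN=") or message("DROP IN="))
# On disk the kernel facility shows up as the program tag "kernel:" in field 4.
# Emits one tab-separated record per match: ACTION SRC DST PROTO DPT
firewall_filter() {
    awk '
        $4 == "kernel:" && ($0 ~ /ACCEPT IN=/ || $0 ~ /DROP IN=/) {
            action = ($0 ~ /ACCEPT IN=/) ? "ACCEPT" : "DROP"
            src = dst = proto = dpt = "-"
            # walk the KEY=VALUE tokens that follow the verdict
            for (i = 6; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            printf "%s\t%s\t%s\t%s\t%s\n", action, src, dst, proto, dpt
        }'
}

# Count filtered records by action, protocol and destination port, busiest first.
# Run over /opt/var/log/firewall.log this shows e.g. a client hammering NTP (DPT=123).
firewall_top_ports() {
    cut -f1,4,5 | sort | uniq -c | sort -rn
}

# Demo on the constructed sample; on the router replace with:
#   firewall_filter < /opt/var/log/firewall.log | firewall_top_ports
printf '%s\n' "$SAMPLE_LOG" | firewall_filter
printf '%s\n' "$SAMPLE_LOG" | firewall_filter | firewall_top_ports
```

Only the two kernel lines survive; the "someapp" line is dropped even though it contains "DROP IN=", which is exactly the difference between the first draft of the filter and the version with the facility check.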

B00ze64 commented 5 years ago

Alright, those 2 files /var/lib/logrotate.status and /opt/tmp/logrotate.daily got created overnight, no more errors. So I generate about 20MB of firewall logs a day when not torrenting and logging both blocked and accepted packets (the TVLive likes to try to sync time with a dozen time servers non-stop so it fills the log quickly because I block it.) So I settled for this:

/opt/var/log/firewall.log {
    daily
    rotate 9
    minsize 8192k
    postrotate
        /usr/bin/killall -HUP syslog-ng
    endscript
}

Since Firewall is security I used 9 rotates... Scribe works great, thanks a lot for this! Now I gotta go investigate Skynet ;-)

B00ze64 commented 5 years ago

PS: No LogRotate for /opt/var/log/wlceventd.log ?

cynicastic commented 5 years ago

Heh, sorry it took so long to respond, work has been crazy ... Tuesday was 17 hours including two 2-hour flights. Ugh.

It refuses kernel as a source because I decided to remove kernel and go to the newer (src) source. I fixed the files on GitHub but I honestly forgot to drop you a note here, sorry. I see you figured it out though. :-)

Yeah, I think I'm going to have logrotate run once after installing instead of waiting for the overnight run to be first for just that reason.

I'm glad you're getting good usage out of scribe. I'll try not to break anything going forward, but we (the SNB group) keep finding new and inventive ways to break syslog-ng and/or scribe.

On my machine wlceventd.log is growing VERY slowly. I just never got around to it. I'll add one soon.

cynicastic commented 5 years ago

Was looking this over to ensure I didn't forget to respond ... life has been crazy that way :-)

Just an FYI, if you use Jack Yaz's uiScribe (https://www.snbforums.com/threads/uiscribe-custom-system-log-page-for-scribed-logs.57040/), note that an 8 meg minsize is likely to make the system log page in the webui very, very slow (possibly unusable). I recommend 1 meg as a starting point, but I'm pretty sure you can get away with 2 meg or possibly somewhat higher, it probably depends on router model.

B00ze64 commented 4 years ago

Yeah, I'm using 2mb - you still have 8mb in your config. I think we can close this now :-)