How to log nat translation?


If I have a VyOS router with source nat, how can I log translation between “private” and “public” world to syslog-server?
Cisco commands like: ip nat log translations syslog


in each NAT rule you can add a statement “log enabled”

This will logs the translations made by this rule to the VyOs logs
(in practice /var/log/messages)

then you configure the syslog part of VyOs.


I (ISP) need something like this:

Where a.a.a.a - SrcIP, b.b.b.b - DstIP, c.c.c.c - NAT-IP from NAT pool, d.d.d.d - DST-NAT-IP

I found this, but it is “not serious”:

[quote]Vyatta monitor and log NAT translation
Posted on August 26, 2014
Logging to record NAT translations. This might be helpful for finding users using bit torrent (along with tshark), or for watching what IPs are connecting to what external services, and when.

a.a.a.a:21845 z.z.z.z:443 b.b.b.b:21845 z.z.z.z:443 tcp: snat: a.a.a.a ==> b.b.b.b timeout: 42 use: 1


In this case you may rather use logging at the firewall level

  • create a firewall rule that accepting everything with log enable
  • apply the firewall on outbound interface for outgoing traffic