Syslog questions

Trying to understand the log format of syslog.
Anyone have any pointers to where I can find docs on the format? (My Google skills aren't good enough here.)

Is it the letter at the end of the chain that says whether the packet has been dropped or accepted?
Example of a dropped packet:
Oct 31 20:00:43 vyos kernel: [ 2633.695358] [INPUT_DROP-default-D]…
Example of an accepted packet:
Oct 31 20:00:08 vyos kernel: [ 2598.778684] [VyOS_MANAGEMENT-21-A]…

I want to send only firewall logs to a remote host. Is it enough to export only facility 0 (kernel messages)?

Every firewall log line is prepended with a prefix. The prefix contains the firewall “name”, the rule number (either an actual number, or “default” for the default rule), and a letter telling you the action taken.

For example, I run a zone-based firewall. I have these rules in MANAGEMENT_TO_INTERNET (for traffic destined to internet originated in the management network):

08:21 vyos@gw 1.4-rolling-202304120317 /home/vyos
✎ edit » show | commands | match 'MANAGEMENT_TO_INTERNET'
set firewall zone INTERNET from MANAGEMENT firewall name 'MANAGEMENT_TO_INTERNET'
set firewall name MANAGEMENT_TO_INTERNET default-action 'accept'
<...snip...>
set firewall name MANAGEMENT_TO_INTERNET rule 25 action 'drop'
set firewall name MANAGEMENT_TO_INTERNET rule 25 destination address '1.2.3.4'
set firewall name MANAGEMENT_TO_INTERNET rule 25 log 'enable'
set firewall name MANAGEMENT_TO_INTERNET rule 25 protocol 'icmp'

Rule 25 is there to demonstrate the logging to you. You need to have log 'enable' on the rule to get a log, of course. If I try to ping 1.2.3.4, you can see the following in the logs:

08:21 vyos@gw 1.4-rolling-202304120317 /home/vyos
» sudo dmesg -T | grep '1.2.3.4'
[Wed Nov  1 08:21:48 2023] [MANAGEMENT_TO_INTER-25-D]IN=bond0.1 OUT=pppoe0 MAC=f4:90:ea:00:ac:c0:00:0c:29:30:8b:0e:08:00 SRC=x.x.x.x DST=1.2.3.4 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=20430 DF PROTO=ICMP TYPE=8 CODE=0 ID=1000 SEQ=4 MARK=0xca

Note the [MANAGEMENT_TO_INTER-25-D] prefix: it contains the firewall name, the rule number, and D for “dropped”.

If I change the action to reject instead of drop, I will get this in my logs:

[Wed Nov  1 08:31:00 2023] [MANAGEMENT_TO_INTER-25-R]IN=bond0.1 OUT=pppoe0 MAC=f4:90:ea:00:ac:c0:00:0c:29:30:8b:0e:08:00 SRC=x.x.x.x DST=1.2.3.4 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=9654 DF PROTO=ICMP TYPE=8 CODE=0 ID=1000 SEQ=2 MARK=0xca

Note the R.

With regard to the remote logging: exporting facility 0 should be enough.

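To make the prefix layout from the reply concrete, here is an added Python example. It is not code from the thread or from VyOS; it parses both the syslog-style lines quoted in the question and the dmesg -T lines from the reply, splits the prefix into firewall name, rule and action, and turns the key=value fields that follow into an ordered list. The letter-to-action mapping (A accept, D drop, R reject) is taken from the thread; everything else, including the extra non-firewall kernel line in the sample data, is constructed for the example. Because the kernel log facility also carries non-firewall messages, matching on the prefix is a tighter filter than facility 0 alone. Note also that the firewall name in the log can be shorter than the configured name (MANAGEMENT_TO_INTERNET appears as MANAGEMENT_TO_INTER in the reply), so filters should match the prefix pattern rather than the full configured name.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Prefix layout described in the thread: [<firewall name>-<rule number or "default">-<action letter>]
# The name is matched lazily so that a hyphen inside a name cannot swallow the rule part.
PREFIX_RE = re.compile(r"\[(?P<name>[A-Za-z0-9_-]+?)-(?P<rule>\d+|default)-(?P<action>[ADR])\]")

# Action letters seen in the thread.
ACTIONS = {"A": "accept", "D": "drop", "R": "reject"}


@dataclass
class FirewallLogEntry:
    name: str                  # firewall name as logged (may be truncated vs. the configured name)
    rule: str                  # "default" or the rule number as a string
    action: str                # "accept", "drop" or "reject"
    fields: List[Tuple[str, str]] = field(default_factory=list)  # ordered key=value pairs; keys such as ID repeat (IP ID, then ICMP ID)
    flags: List[str] = field(default_factory=list)               # bare tokens such as DF

    def first(self, key: str) -> Optional[str]:
        """Return the first value logged for `key`, or None if absent."""
        for k, v in self.fields:
            if k == key:
                return v
        return None


def parse_firewall_line(line: str) -> Optional[FirewallLogEntry]:
    """Parse one syslog or dmesg line; return None for lines without a firewall prefix."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None  # some other kernel/syslog message, not a firewall log
    entry = FirewallLogEntry(name=m.group("name"), rule=m.group("rule"), action=ACTIONS[m.group("action")])
    for tok in line[m.end():].split():
        if "=" in tok:
            k, _, v = tok.partition("=")  # handles empty values such as "OUT="
            entry.fields.append((k, v))
        elif tok.isalpha() and tok.isupper():
            entry.flags.append(tok)       # e.g. DF (don't fragment)
        # anything else (such as the "…" in the question's truncated lines) is ignored
    return entry


def firewall_entries(lines: List[str]) -> List[FirewallLogEntry]:
    """Keep only the lines that carry a firewall prefix (what you would forward to a remote host)."""
    return [e for e in map(parse_firewall_line, lines) if e is not None]


def count_by_action(lines: List[str]) -> Dict[str, int]:
    """Count firewall log lines per action, e.g. {"drop": 2, "accept": 1, "reject": 1}."""
    return dict(Counter(e.action for e in firewall_entries(lines)))


# Constructed sample input: the four firewall lines quoted in the thread plus one
# non-firewall kernel line (made up for the example) that a facility-0 export would also carry.
SAMPLE_LINES = [
    "Oct 31 20:00:43 vyos kernel: [ 2633.695358] [INPUT_DROP-default-D]…",
    "Oct 31 20:00:08 vyos kernel: [ 2598.778684] [VyOS_MANAGEMENT-21-A]…",
    "Oct 31 20:00:01 vyos kernel: [ 2591.000000] eth0: link is up (constructed sample, not a firewall log)",
    "[Wed Nov  1 08:21:48 2023] [MANAGEMENT_TO_INTER-25-D]IN=bond0.1 OUT=pppoe0 "
    "MAC=f4:90:ea:00:ac:c0:00:0c:29:30:8b:0e:08:00 SRC=x.x.x.x DST=1.2.3.4 LEN=84 TOS=0x00 PREC=0x00 "
    "TTL=62 ID=20430 DF PROTO=ICMP TYPE=8 CODE=0 ID=1000 SEQ=4 MARK=0xca",
    "[Wed Nov  1 08:31:00 2023] [MANAGEMENT_TO_INTER-25-R]IN=bond0.1 OUT=pppoe0 "
    "MAC=f4:90:ea:00:ac:c0:00:0c:29:30:8b:0e:08:00 SRC=x.x.x.x DST=1.2.3.4 LEN=84 TOS=0x00 PREC=0x00 "
    "TTL=62 ID=9654 DF PROTO=ICMP TYPE=8 CODE=0 ID=1000 SEQ=2 MARK=0xca",
]


if __name__ == "__main__":
    for e in firewall_entries(SAMPLE_LINES):
        print(f"{e.name:<22} rule={e.rule:<8} action={e.action:<7} "
              f"src={e.first('SRC')} dst={e.first('DST')} proto={e.first('PROTO')} flags={e.flags}")
    print(count_by_action(SAMPLE_LINES))
```

Running the block prints one summary line per firewall log entry and the per-action counts; the constructed link-up line is dropped by the filter because it has no prefix.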

Thanks,
It was as I “guessed” then :slight_smile:
