Hello,
If I look at the firewall log entries, I only see the following:
input: in:Eth1 WAN out:(unknown 0), src-mac 34:da:b7:c3:6d:1f, proto TCP (ACK,FIN), 142.250.1.1:443->10.0.1.1:37206, len 52
But I’m missing the information, if this event was accepted or blocked or rejected (the ACTION).
Is there somewere a setting, where I can add this ACTION to the log?
BR
Tom
You need to add it yourself.
Each of the rules has the option to
A) Enable/Disable logging on a per-rule basis
B) Put “Log Prefix” field
So on the log-prefix field you need to put a string yourself telling something about the log-rule.
I try to follow this sort of naming convention
(protocol IP4/IP6)-(chain IN/FWD/OUT)-(ruleinfo)-(action DROP)
eg.
IP4-IN-DEFAULT-DROP
For NAT stuff, IF I want to log it, it can be something like
IP4-DNAT-TCP-PLEX for example
Yes, the Prefix would be possible, but should this not be part auf the default Logging Template, where you have the protocol, the source + destination?
Because if I want a logging, I need to add this to every rule and every device, this would be a lot of work to change.
You don’t want to log everything, you just want to log things while debugging certain rules.
If I activate logging for a rule, I would like to see the ACTION at the log, without adding prefixes. Otherwise I don’t know, if the packet is dropped, rejected or accepted.
If you only enable logging for sigle rule, you know the action from rule definition. If you enable logging of multiple rules, then add appropriate log prefixes. If you’re going into troubleshooting, then adding logging prefixes is the least problem you have at that point.
BTW, packets not triggering any of firewall rules will get accepted and won’t be logged. Likewise the fast-tracked packets. How about that? Logging of fast-tracked packets would require to effectively disable fasttrack.
Your logging rule decides if it is DROPPED/REJECTED/ACCEPTED within a certain chain and you have to LOG-PREFIX that to make it clear in your logging otherwise there is no extra info.
So yes, setting the prefix is an additional action you need to perform in your daily management of rules to make logging more interesting.
There is no other option that I’m aware of.
I have dozens of different prefixes, I can’t say it has been a real burden to foresee one if I want to make something visible in the logs.
If traffic is being directed as required, I see very little need of logging.
Mostly for troubleshooting and this plus sniff tool usually gets me to where I need to go.
Sometimes logging is used just prior to a rule (no action but only logging) to see what traffic is hitting a rule for whatever reason.
Servers and the like should have internal logs if you need more granularity for some reason.
You are right, normally I’m only logging the drops/rejects, but I in some cases I’m interested in the acceppts, for example who is trying to connect to the VPN to run reports based on this data.
More log, not only firewall, are involved on VPN…