I've read the instructions on how to turn on firewall logging, along with the warning that it can produce very large files.
Is it possible to enable logging for a specific VLAN only? If so, what's the syntax to turn this on?
Thanks!
Responses (2)
Accepted Answer
All you need to do is add a source subnet to any logging rule you've seen. Something like:

```
$IPTABLES -I FORWARD -m conntrack --ctstate NEW -s your_lan_subnet -j LOG
```

I would only log new packets as logging everything is pretty pointless to me unless you want to try and quantify the amount of traffic. There seems to be little point in logging the return packets as well.

You can optionally add a log message which you can then trap with an rsyslog filter. Check the "man iptables" pages.

If I ever do logging, I split the log messages out from the messages log with an rsyslogd filter, /etc/rsyslog.d/firewall.conf:

```
# Split out Firewall messages
if $programname == 'kernel' and $msg contains 'IN=' and $msg contains 'OUT=' then -/var/log/firewall
& stop
```

This is a bit of a kludge. If you log with a message you could filter on that instead.

Then I add a logrotate function to make the logs rotate, /etc/logrotate.d/firewall:

```
# rotate the firewall log
/var/log/firewall {
    notifempty
    missingok
    copytruncate
    create 0664 root root
    rotate 4
}
```
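As an added illustration of the answer above (this is example code, not the answer's own and not from any particular distribution), the script below shows the two halves of VLAN-scoped logging together: a LOG rule restricted to one VLAN's subnet that also carries a log prefix and a rate limit, and a small reader that pulls SRC/DST/PROTO/DPT out of the kernel log lines such a rule produces, filtering on the prefix as the answer suggests instead of on IN=/OUT=. The interface name eth0.100, the subnet 10.100.0.0/24, the prefix FW-VLAN100 and the log lines in SAMPLE_LOG are all constructed placeholders; the rule is printed, not applied.

```shell
#!/bin/sh
# Added example, not code from the forum answer. Values below are placeholders:
# VLAN subnet 10.100.0.0/24 on interface eth0.100, log prefix "FW-VLAN100".

# Print (do not run) an iptables command that logs only NEW connections whose
# source is the VLAN subnet. -s scopes by subnet; matching the VLAN interface
# with -i eth0.100 would be the alternative. -m limit caps the log rate so one
# chatty host cannot fill the disk, and --log-prefix gives rsyslog something
# exact to filter on.
vlan_log_rule() {
    printf 'iptables -I FORWARD -m conntrack --ctstate NEW -s %s -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "%s " --log-level 4\n' "$1" "$2"
}

# Read syslog lines on stdin and print "SRC DST PROTO DPT" for each kernel
# line carrying the given prefix; everything else (other VLANs, non-firewall
# kernel output, other daemons) is dropped.
summarize_vlan_log() {
    awk -v pfx="$1" '
        index($0, "kernel:") == 0 || index($0, pfx) == 0 { next }
        {
            src = dst = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")        src   = kv[2]
                else if (kv[1] == "DST")   dst   = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT")   dpt   = kv[2]
            }
            print src, dst, proto, dpt
        }'
}

# Count how many lines summarize_vlan_log keeps (handy for a quick volume check).
count_vlan_events() {
    summarize_vlan_log "$1" | awk 'END { print NR }'
}

# Constructed sample log: two prefixed VLAN100 lines, one unprefixed line from
# another VLAN, and one non-kernel line. Addresses are from documentation ranges.
SAMPLE_LOG='Mar  1 10:00:01 gw kernel: FW-VLAN100 IN=eth0.100 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.100.0.7 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  1 10:00:02 gw kernel: IN=eth1 OUT=eth0.200 SRC=203.0.113.5 DST=10.200.0.9 LEN=60 PROTO=TCP SPT=4444 DPT=22 SYN URGP=0
Mar  1 10:00:03 gw kernel: FW-VLAN100 IN=eth0.100 OUT=eth1 SRC=10.100.0.12 DST=198.51.100.30 LEN=76 PROTO=UDP SPT=5353 DPT=53 LEN=56
Mar  1 10:00:04 gw sshd[123]: Accepted publickey for admin from 10.100.0.7 port 51000'

# Demo: show the rule, then the summarised VLAN100 events from the sample.
vlan_log_rule 10.100.0.0/24 FW-VLAN100
printf '%s\n' "$SAMPLE_LOG" | summarize_vlan_log FW-VLAN100
```

With a prefix in place, the rsyslog filter from the answer can be written against that exact string rather than against IN= and OUT=, which keeps unrelated kernel messages out of /var/log/firewall; the logrotate stanza stays the same.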