Howto: Log firewall from OpenWrt to a remote rsyslog

At Planethome I'm currently setting up a central logserver, using rsyslog. So to get familiar with it, I installed it on my Gentoo box at home, set it as the default syslog daemon, and fed it with data from my router running OpenWrt Kamikaze 8.09 RC1.

On the server (Gentoo) side, I enabled remote logging over UDP. On the client (OpenWrt) side a little bit more had to be done:

1) Enable remote logging

Edit /etc/config/system and enable remote logging by adding:

option 'log_ip' '192.168.1.2'

Now reboot the router and see if it logs correctly.

2) -j LOG ++

Then I had to get iptables to produce some log output. With Kamikaze's new firewall config layout this was a bit tricky. I decided to just log SYN flood protection actions, and the dropping of INVALID packets on INPUT and FORWARD chains. Therefore we need to edit /lib/firewall/uci_firewall.sh and add 3 lines (those with -j LOG):

In function fw_defaults()

$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID (INPUT): "
$IPTABLES -A INPUT -m state --state INVALID -j DROP
...
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID (FORWARD): "
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

and for the SYN flood stuff, in function load_synflood()

$IPTABLES -A syn_flood -j LOG --log-prefix "SYN FLOOD: "
$IPTABLES -A syn_flood -j DROP
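
Once these lines arrive on the rsyslog server, the three log prefixes make them easy to pick out and tally. The following is an added example, not part of the original howto: a small Python parser that groups the firewall entries by rule, source address and destination port. The sample log lines, hostname and addresses are constructed and abbreviated for illustration.

```python
import re
from collections import Counter, defaultdict

# The three --log-prefix strings added to uci_firewall.sh above.
PREFIXES = ("DROP INVALID (INPUT): ", "DROP INVALID (FORWARD): ", "SYN FLOOD: ")

# Netfilter LOG output is a run of KEY=value tokens (plus bare flags such as SYN).
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines as a syslog server might store them (not real traffic).
SAMPLE = [
    "Dec  1 20:15:01 OpenWrt kernel: SYN FLOOD: IN=eth0.1 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TTL=51 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0",
    "Dec  1 20:15:01 OpenWrt kernel: SYN FLOOD: IN=eth0.1 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TTL=51 PROTO=TCP SPT=40002 DPT=22 SYN URGP=0",
    "Dec  1 20:15:04 OpenWrt kernel: DROP INVALID (INPUT): IN=eth0.1 OUT= SRC=198.51.100.23 DST=198.51.100.10 LEN=40 TTL=52 PROTO=TCP SPT=443 DPT=51234 ACK RST URGP=0",
    "Dec  1 20:15:07 OpenWrt kernel: DROP INVALID (FORWARD): IN=br-lan OUT=eth0.1 SRC=192.168.1.50 DST=203.0.113.80 LEN=40 TTL=63 PROTO=TCP SPT=50112 DPT=443 ACK FIN URGP=0",
    "Dec  1 20:15:09 OpenWrt root: test message, not from the firewall",
]

def parse_line(line):
    """Return (rule, fields) for a firewall log line, or None for any other line."""
    for prefix in PREFIXES:
        pos = line.find(prefix)
        if pos != -1:
            fields = dict(FIELD_RE.findall(line[pos + len(prefix):]))
            return prefix.rstrip(": "), fields
    return None

def summarize(lines):
    """Count events per rule, keyed by (source address, destination port)."""
    summary = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        rule, f = parsed
        # ICMP and other port-less protocols carry no DPT field.
        summary[rule][(f.get("SRC", "?"), f.get("DPT", "-"))] += 1
    return summary

if __name__ == "__main__":
    for rule, counts in summarize(SAMPLE).items():
        for (src, dpt), n in counts.most_common():
            print(f"{rule:24} src={src:15} dpt={dpt:5} count={n}")
```

To run it against real data, pass the lines of whichever file rsyslog writes the router's messages to into summarize() instead of SAMPLE.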