Howto: Log firewall from OpenWrt to a remote rsyslog

This is how I got remote logging from my OpenWrt router to the syslog daemon on the server box.

On the server side, I enabled remote logging over UDP (refer to the rsyslog or syslog-ng documentation).

On the OpenWRT box the following steps are needed:

Enable remote syslog logging

Edit /etc/config/system and enable remote logging by adding:

option 'log_ip' '192.168.1.2'

Now reboot the router and see if it logs correctly.

Enable firewall logging (-j LOG)

Update (2013): In recent OpenWrt builds this is as simple as editing /etc/config/firewall and adding a line to each zone that you want logged:

config 'zone'
        option 'name' 'wan'
        ...
        option 'log' '1'

That's all.


The info below is valid only for old OpenWRT builds Kamikaze 8.09 and older!

Then I had to get iptables to produce some log output. With Kamikaze's new firewall config layout this was a bit tricky. I decided to log only the SYN flood protection actions and the dropping of INVALID packets on the INPUT and FORWARD chains. To do that, edit /lib/firewall/uci_firewall.sh and add 3 lines (the ones with -j LOG):

In function fw_defaults()

$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID (INPUT): "
$IPTABLES -A INPUT -m state --state INVALID -j DROP
...
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID (FORWARD): "
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

and for the SYN flood stuff, in function load_synflood()

$IPTABLES -A syn_flood -j LOG --log-prefix "SYN FLOOD: "
$IPTABLES -A syn_flood -j DROP
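The LOG lines produced above end up on the rsyslog server, where a quick way to count them is useful. This is an added example, not part of the original howto: a POSIX shell script that counts hits per --log-prefix and reports the most frequent source address; the path /var/log/openwrt.log is a placeholder, and the sample lines are constructed in the format of the netfilter LOG target.

```shell
#!/bin/sh
# Added example, not from the original howto: summarise the firewall LOG lines
# once rsyslog has written them to a file on the server. Assumes the server
# stores the router's messages in the usual syslog line format; the path
# /var/log/openwrt.log is a placeholder. The sample below is constructed.

# Constructed sample of netfilter LOG output as it arrives via syslog,
# using the --log-prefix values from the howto.
SAMPLE_LOG='Mar  3 10:01:02 openwrt kernel: DROP INVALID (INPUT): IN=eth0.2 OUT= SRC=203.0.113.7 DST=198.51.100.1 LEN=40 PROTO=TCP SPT=443 DPT=51234 ACK RST
Mar  3 10:01:05 openwrt kernel: SYN FLOOD: IN=eth0.2 OUT= SRC=203.0.113.9 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
Mar  3 10:01:06 openwrt kernel: SYN FLOOD: IN=eth0.2 OUT= SRC=203.0.113.9 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
Mar  3 10:01:09 openwrt kernel: DROP INVALID (FORWARD): IN=eth0.2 OUT=br-lan SRC=203.0.113.7 DST=192.168.1.50 LEN=40 PROTO=TCP SPT=80 DPT=33000 ACK RST'

# count_prefix PREFIX  (log on stdin): number of lines carrying that --log-prefix
count_prefix() {
    grep -Fc "kernel: $1:" || true   # grep -c prints 0 on no match; keep status 0
}

# top_src PREFIX  (log on stdin): source address with the most hits under PREFIX
top_src() {
    grep -F "kernel: $1:" \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | head -n 1 | awk '{print $2}'
}

# summary  (log on stdin): one line per prefix used in the howto
summary() {
    log=$(cat)
    for p in 'DROP INVALID (INPUT)' 'DROP INVALID (FORWARD)' 'SYN FLOOD'; do
        n=$(printf '%s\n' "$log" | count_prefix "$p")
        src=$(printf '%s\n' "$log" | top_src "$p")
        printf '%-24s %4s  top source: %s\n' "$p" "$n" "${src:-n/a}"
    done
}

# Usage: ./fwlog-summary.sh /var/log/openwrt.log   (no argument: run on the sample)
if [ -n "$1" ]; then
    summary < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | summary
fi
```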
