Hello,
In the current APF’s configuration all drops event are going in /var/log/messages logs files.
The /var/log/messages is also the logs files for Kernel events and others *.info events.
It might be very usefull to write all these logs events in differents files. This way it is much easier for an admin to search and find logs events.
This tuto will show you how to config the system to have differents logs files for APF drop events and Kernel events. We also show how to setup relative soft to read the good APF drop logs files (like BFD and AntiDos also from rfx).
This config only works with APF 0.9.6. (a tweak has been done for 0.9.5 version see H E R E
Please note that the current version of interworx’s APF is 0.9.5 and this tuto has not been tested with this version of APF (0.9.5).
If need you may upgrade APF to the 0.9.6 version. We have few interworx-cp boxes with this APF’s version without any pbm.
ONLY PERFORM THIS IF YOU UNDERSTAND WHAT YOU ARE DOING
1- Edit APF 0.9.6 config file
First backup the conf file
cp /etc/apf/conf.apf /etc/apf/.conf.apf.back
Edit conf.apf with your prefered editor (vim, nano, pico)
vi /etc/apf/conf.apf
Look for these lines (near the end of the file) and edit your apf.conf file to reflet this config.
# Log traffic marked for log-drop or that reaches
# the end of the firewall with no match. Disable
# this option to reduce most output logging
# [0 = Disabled / 1 = Enabled]
LOG_DROP="1"
# What log level should we send all log data too?
# refer to syslog.conf for levels
LOG_LEVEL="debug"
# Where should we send all the logging data?
# ULOG (Allow ulogd to handle the logging)
# LOG (Default; sends logging to kernel log)
LOG_TARGET="LOG"
# Log interactive access over telnet & ssh; uses
# custom log prefix of ** SSH ** & ** TELNET **
# [0 = Disabled / 1 = Enabled]
LOG_IA="1"
LOG_DROP=“1” : Enable to log in file all the drop events
LOG_LEVEL=“debug” : define the level of syslog to be used for all drop events
LOG_TARGET=“LOG” : The logs file is defined with syslog and kernel log
LOG_IA=“1” : We also log all SSH and TELNET drop events. Usefull for add-on tools like BFD
2- Configure the Syslog and kernel log
We are going to configure syslog to define the which log file will be used depending on the type and level of the events (see man syslog for more infomations).
First backup the conf file
cp /etc/syslog.conf /etc/.syslog.conf.back
Edit syslog.conf with your prefered editor (vim, nano, pico)
vi /etc/syslog.conf
here is our syslog.conf file. Yours might be different. The important things are bold and red. Add/replace all bold and red lines
# Log all kernel messages to the console.
# do not log the debug level events.
[B]
kern.*;kern.!=debug /dev/console
kern.*;kern.!=debug /var/log/kernel
[/B]
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
#save drop logs from apf
[B]kern.=debug /var/log/apf_drops[/B]
kern.*;kern.!=debug /dev/console default kernel events goes at console. All kernel.debug level are not take in account
kern.*;kern.!=debug /var/log/kernel All kernel events goes in /var/log/kernel files. All kernel.debug level are not take in account
kern.=debug /var/log/apf_drops All kernel events whom have a debug level will go in /var/log/apf_drops file. Remember in APF conf we said that all drops events will be treat as kernel.debug events. So basicly all kernel.debug events will be APF drops logs.
3- Adjust your logrotate conf
As we have defined new logs file we better define a rotation schem for these new files.
First backup the conf file
cp /etc/logrotate.d/syslog /etc/logrotate.d/.syslog.back
Edit the file /etc/logrotate.d/syslog
vi /etc/logrotate.d/syslog
you should have something like this. Add the apf_drops and kernel files. Both are in bold and red in this config file
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron [B]/var/log/kernel /var/log/apf_drops[/B] {
sharedscripts
postrotate
# /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
/usr/bin/killall -HUP syslogd
endscript
}
4- Restart all impacted softs
As we changed some conf files we have to restart some softs :
Syslog
service syslog restart
or
/etc/init.d/syslog restart
Apf
service apf restart
or
/etc/init.d/apf restart
5- TESTS
Now all APF drops events log like this one will go in your /var/log/apf_drops file
Sep 25 07:02:01 obiwan kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:11:43:35:a9:a7:00:0c:db:6d:fe:40:08:00 SRC=168.95.5.160 DST=207.150.178.12 LEN=40 TOS=0x04 PREC=0x00 TTL=240 ID=29203 DF PROTO=TCP SPT=34655 DPT=113 WINDOW=8760 RES=0x00 RST URGP=0
And all kernel logs events should go in your new /var/log/kernel file. You should already see something like this
fjt8wn1lkjx: Kernel logging (proc) stopped.
fjt8wn1lkjx: Kernel log daemon terminating.
fjt8wn1lkjx: klogd 1.4.1, log source = /proc/kmsg started.
6- Configure others rfx related soft
Rf-x has also some others tools like Antidos (ad in apf dir) and BFD which normaly use the defaut kernel log file to parse and treat all APF drops events.
If you have these tools enabled, you’ll just have to edit the conf file to point to the good apf drops file.
For example :
With Antidos
First backup the conf file
cp /etc/apf/ad/conf.antidos /etc/apf/ad/.conf.antidos.back
edit the conf file to have this
vi /etc/apf/ad/conf.antidos
Replace with this
# Parse klog for iptables logged attacks [0=off,1=on]
LP_KLOG="1"
# Kernel log file
[B]KLOG="/var/log/apf_drops[/B]"
With BFD
First backup the conf file
cp /usr/local/bfd/conf.bfd /usr/local/bfd/.conf.bfd.back
edit the conf file to have this
vi /usr/local/bfd/conf.bfd
replace with this
# Do kernel logging
USE_KLOG="1"
#
# System kernel log
[B]KLOG="/var/log/apf_drops"
[/B]#
# System secure log
SLOG="/var/log/secure"
7- In case of problems
just restore all the backups files and restart all impacted services
Hope this might help some of you.