Support
 
Support Get Quote
 
 
 
 
Firewall

Enabling logging and analyzing Linux firewall logs.

Feb 10, 2022 6 min read
 

The basic function of a firewall is to stop connections from suspicious networks/sources. It inspects the source address, destination address, and the port of all connections, and decides to allow or block the traffic. Every action taken by the firewall is recorded as a log data. It is essential to monitor and analyze these logs to protect your network from attacks. To do that, you need to enable logging first. Below are the procedures that allows you to enable logging in Linux firewalls.

Firewall log collection in Linux

When it comes to Linux systems, iptables, a command line interface is used to set up and maintain tables or rules for the NetFilter firewall for IPv4 that is included by default in the Linux kernel. When a connection is trying to establish itself on the system, iptables looks for a rule in its list to see if the connection should be allowed or denied. If there are no rules, it resorts to the default action.

iptables are pre-installed in most of the Linux systems. iptables uses three different chains—input, forward, and output—to control the traffic coming into the network, re-routed within the network, and going out of the network.

Your request for a demo has been submitted successfully
Our support technicians will get back to you at the earliest.

Hi,

I know the importance of monitoring firewall logs. Can you help me understand how to automate the process with a log management tool ?
I'm from     and you can contact me at
  .

By clicking 'Submit', you agree to processing of personal data according to the Privacy Policy.

Enabling logging on iptables is essential to monitor the inbound and outbound traffic.

Enabling logging in iptables

Use the following command to enable logging in iptables.

iptables -A INPUT -j LOG

To enable logging for specific IP or range, use the command below:

iptables -A INPUT -s 192.168.10.0/24 -j LOG

To define level of LOG generated by the iptables, use -log-level followed by the level number. Refer to the syntax of the command below:

iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-level 4

If you're manually analyzing the logs, it's better to add a prefix in generated logs so that it's easier for you to search the huge number of log files. The command to perform this operation is given below. Alternatively, you can always choose a log management solution, such as EventLog Analyzer to collect, monitor, analyze, and get actionable insights into firewall logs.

iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-prefix '** SUSPECT **'

Viewing iptables log

After enabling logging, you can always sift through the log files in these locations:

Ubuntu and Debian: tail -f /var/log/kern.log
CentOS, RHEL, and Fedora cat /var/log/messages

You may also like

     
 

Interested in a
log management
solution?

Try EventLog Analyzer
 
Database platforms

Understanding SQL Server Audit better

Read more
 
Previous articles
Next articles
Network devices

Critical Windows events: Event ID 6008 - Unexpected system shutdown

Read more
 

Manage logs, comply with IT regulations, and mitigate security threats.

Try it out free for 30 days Schedule a personalized demo

Seamlessly collect, monitor, and analyze
logs with EventLog Analyzer

Your request for a demo has been submitted successfully

Our support technicians will get back to you at the earliest.

  •  
  •  
By clicking 'Submit', you agree to processing of personal data according to the Privacy Policy.

LOGGING GUIDE

  Zoho Corporation Pvt. Ltd. All rights reserved.

Link copied, now you can start sharing
Copy