Syslog used to handle NetFilter logging and you had to write regexp rules to sort your firewall logs, like:
:msg,contains,"[ABF_Blocked" /var/log/abf-blocked.log
There is a new daemon in town called ulogd2, the webpage says: “ulogd is a userspace logging daemon for netfilter/iptables related logging. This includes per-packet logging of security violations, per-packet logging for accounting, per-flow logging and flexible user-defined accounting.”
Ok, let's go..
Start off by installing the necessary packages:
# apt install ulogd2 ulogd2-json
Since the log file tends to grow quite large, we create a named pipe instead. You could also rotate the logs if you want to parse them later, but for now we will focus on realtime interception.
# mkfifo /afw/ulog/ulogd.json.pipe
# chown ulog:adm /afw/ulog/ulogd.json.pipe
Configure ulogd
# vim /etc/ulogd.conf
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_JSON.so"

stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,json1:JSON

[log2]
group=1 # Group has to be different from the one used in log1

[json1]
sync=1
file="/afw/ulog/ulogd.json.pipe"
device="AFW"
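With ulogd writing one JSON object per line into the pipe, the realtime side is a consumer that reads the FIFO, parses each record and acts on it. The script below is an added example, not part of the original post or of the ulogd2 project: it reads the pipe, keeps only records whose nflog prefix contains the same "ABF_Blocked" tag the old rsyslog rule matched on, and raises an alert once one source has been blocked on several distinct destination ports (a cheap indicator of scanning). The sample lines are constructed for the example; the key names (oob.prefix, src_ip, dest_ip, tcp.dport, dvc, ...) follow the ulogd2 BASE/IP2STR/JSON plugins as I know them, so check them against a real record from your own pipe before relying on them.

```python
import json
import sys
from collections import defaultdict

# Constructed sample records shaped like ulogd2 JSON output (one object per
# line). Prefix, addresses and ports are made up for this example.
SAMPLE_LINES = [
    '{"timestamp": "2024-01-01T10:00:00", "dvc": "AFW", "oob.prefix": "ABF_Blocked", "oob.in": "eth0", '
    '"src_ip": "203.0.113.5", "dest_ip": "192.0.2.10", "ip.protocol": 6, "tcp.sport": 40001, "tcp.dport": 22}',
    '{"timestamp": "2024-01-01T10:00:01", "dvc": "AFW", "oob.prefix": "ABF_Blocked", "oob.in": "eth0", '
    '"src_ip": "203.0.113.5", "dest_ip": "192.0.2.10", "ip.protocol": 6, "tcp.sport": 40002, "tcp.dport": 23}',
    '{"timestamp": "2024-01-01T10:00:02", "dvc": "AFW", "oob.prefix": "ABF_Blocked", "oob.in": "eth0", '
    '"src_ip": "203.0.113.5", "dest_ip": "192.0.2.10", "ip.protocol": 6, "tcp.sport": 40003, "tcp.dport": 3389}',
    '{"timestamp": "2024-01-01T10:00:03", "dvc": "AFW", "oob.prefix": "ABF_Blocked", "oob.in": "eth0", '
    '"src_ip": "198.51.100.7", "dest_ip": "192.0.2.10", "ip.protocol": 17, "udp.sport": 5353, "udp.dport": 53}',
    '{"timestamp": "2024-01-01T10:00:04", "dvc": "AFW", "oob.prefix": "ABF_Accepted", "oob.in": "eth0", '
    '"src_ip": "192.0.2.20", "dest_ip": "192.0.2.10", "ip.protocol": 6, "tcp.sport": 51000, "tcp.dport": 443}',
    'this line is not json',  # a torn or corrupt line must not kill the reader
]


def parse_record(line):
    """Parse one line from the pipe into a small normalised dict.

    Returns None for anything that is not a JSON object, so a partial line
    (for example after a ulogd restart) is skipped instead of raising.
    """
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict):
        return None
    return {
        "prefix": str(rec.get("oob.prefix", "")).strip(),
        "src": rec.get("src_ip"),
        "dst": rec.get("dest_ip"),
        "proto": rec.get("ip.protocol"),
        # TCP and UDP records carry the port under different keys
        "dport": rec.get("tcp.dport", rec.get("udp.dport")),
        "in": rec.get("oob.in"),
        "device": rec.get("dvc"),
    }


def new_summary():
    """Per-source counters: packets seen and distinct destination ports."""
    return defaultdict(lambda: {"packets": 0, "ports": set()})


def update(summary, rec):
    """Fold one parsed record into the per-source summary."""
    entry = summary[rec["src"]]
    entry["packets"] += 1
    if rec["dport"] is not None:
        entry["ports"].add(rec["dport"])
    return entry


def summarize(lines, prefix="ABF_Blocked"):
    """Summarise an iterable of raw lines, keeping only records whose nflog
    prefix contains `prefix` (the same tag the old rsyslog rule matched)."""
    summary = new_summary()
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["src"] is None or prefix not in rec["prefix"]:
            continue
        update(summary, rec)
    return summary


def noisy_sources(summary, min_ports=3):
    """Sources blocked on at least `min_ports` distinct destination ports."""
    return sorted(src for src, e in summary.items() if len(e["ports"]) >= min_ports)


def follow_pipe(path, prefix="ABF_Blocked", min_ports=3):
    """Follow the FIFO and print an alert the moment a source reaches
    `min_ports` distinct blocked ports. open() blocks until ulogd opens the
    write end; on EOF (ulogd restarted) the pipe is reopened."""
    summary = new_summary()
    while True:
        with open(path) as fifo:
            for line in fifo:
                rec = parse_record(line)
                if rec is None or rec["src"] is None or prefix not in rec["prefix"]:
                    continue
                entry = update(summary, rec)
                if len(entry["ports"]) == min_ports:
                    print(f"ALERT {rec['src']} blocked on ports {sorted(entry['ports'])} "
                          f"via {rec['in']} (device {rec['device']})")


if __name__ == "__main__":
    # Default path is the FIFO created earlier in this post.
    follow_pipe(sys.argv[1] if len(sys.argv) > 1 else "/afw/ulog/ulogd.json.pipe")
```

Run it as the same user that owns the pipe (ulog:adm above) and start it before, or together with, ulogd: a FIFO has no storage of its own, so once the kernel pipe buffer fills, ulogd's writes block until something reads, and with sync=1 every record is flushed individually, so a stalled consumer stalls logging. The summarize() helper is the same logic applied to a replayed file, which is handy for testing a detection rule offline before pointing it at live traffic.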