Syslog used to handle NetFilter logging and you had to write regexp rules to sort your firewall logs, like:

:msg,contains,"[ABF_Blocked" /var/log/abf-blocked.log

There is a new daemon in town called ulogd2, the webpage says: “ulogd is a userspace logging daemon for netfilter/iptables related logging. This includes per-packet logging of security violations, per-packet logging for accounting, per-flow logging and flexible user-defined accounting.”

Ok, let's go...

Start off by installing the necessary packages
# apt install ulogd2 ulogd2-json

Since the log file tends to grow quite large, we create a named pipe instead. You could also rotate the logs if you want to parse them later, but for now we will focus on realtime interception.

# mkfifo /afw/ulog/ulogd.json.pipe
# chown ulog:adm /afw/ulog/ulogd.json.pipe

Configure ulogd

# vim /etc/ulogd.conf
# in the [global] section: load the JSON output plugin and define a stack that ends in it
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_JSON.so"
stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,json1:JSON

[log2]
# Group has to be different from the one used in log1
group=1

[json1]
sync=1
file="/afw/ulog/ulogd.json.pipe"
device="AFW"
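To show what realtime interception on the pipe looks like, here is an added example (not from the original post): a small Python consumer that parses ulogd's JSON lines, keeps only events whose LOG prefix matches the `[ABF_Blocked` rule from the top of the post, and flags any source that gets blocked on many distinct destination ports. The field names (`dvc`, `oob.prefix`, `src_ip`, `dest_ip`, `dest_port`, `ip.protocol`) are assumed to match the ulogd JSON output plugin; the sample events are constructed.

```python
"""Consume ulogd2 JSON events from the named pipe and flag noisy blocked sources."""
import json
from collections import defaultdict

PIPE = "/afw/ulog/ulogd.json.pipe"   # path configured in ulogd.conf above
PORT_THRESHOLD = 5                    # distinct dest ports from one source before flagging

def parse_event(line):
    """Parse one JSON line into the fields we care about; None for malformed input."""
    try:
        ev = json.loads(line)
    except ValueError:
        return None
    if "src_ip" not in ev or "dest_ip" not in ev:   # e.g. a line without an IP header
        return None
    return {"device": ev.get("dvc", ""), "prefix": (ev.get("oob.prefix") or "").strip(),
            "src": ev["src_ip"], "dst": ev["dest_ip"],
            "proto": ev.get("ip.protocol"), "dport": ev.get("dest_port")}

def summarize(lines, prefix="[ABF_Blocked"):
    """Count events per source whose LOG prefix matches; list sources hitting many ports."""
    ports_by_src, count_by_src = defaultdict(set), defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev is None or not ev["prefix"].startswith(prefix):
            continue
        count_by_src[ev["src"]] += 1
        if ev["dport"] is not None:
            ports_by_src[ev["src"]].add(ev["dport"])
    noisy = sorted(s for s, p in ports_by_src.items() if len(p) >= PORT_THRESHOLD)
    return dict(count_by_src), noisy

def follow_fifo(path=PIPE):
    """Yield lines from the FIFO as ulogd writes them; open() blocks until ulogd connects."""
    with open(path) as fifo:
        yield from fifo

def _ev(src, dport, prefix="[ABF_Blocked] "):
    """Build a constructed sample event in the shape the ulogd JSON plugin is assumed to emit."""
    return json.dumps({"timestamp": "2020-01-01T00:00:00", "dvc": "AFW", "oob.prefix": prefix,
                       "oob.in": "eth0", "ip.protocol": 6, "src_ip": src,
                       "dest_ip": "10.0.0.5", "src_port": 40000, "dest_port": dport})

# Constructed sample: one source blocked on five ports, one single hit, one accept, one bad line.
SAMPLE = ([_ev("203.0.113.7", p) for p in (22, 23, 80, 443, 3389)]
          + [_ev("198.51.100.4", 443), _ev("198.51.100.4", 443, prefix="[ABF_Accepted] "),
             "not json"])

if __name__ == "__main__":
    counts, noisy = summarize(SAMPLE)    # swap SAMPLE for follow_fifo() on the firewall host
    print(counts, noisy)
```

summarize() reads to EOF, so on the live pipe it only returns once ulogd closes the writer end; for a continuous alert loop, call parse_event() on each line from follow_fifo() instead.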

Published by Nimpen J. Nordström

System Developer and Network Security Enthusiast
