12 April 2014 10:52

How to set up NFtables to do external syslog logging.

 

The ability to log from the firewall is great, but a network admin needs to ship and consolidate those logs on an external syslog server. For this we'll be using Rsyslog and the Ulogd2 spooler.


The OS used here is Ubuntu GNOME 14.04 (Trusty Tahr) ( nftables needs kernel 3.13 ).
Here is the network topology used :

 

[ network topology diagram ]

 
We'll be using nflog group 2 for logging.

 

 

1. ULOGD2 and dependencies

Ulogd2 needs these dependencies : libnfnetlink, libnetfilter_log, libnetfilter_conntrack

We first need all the nftables / git / build dependencies :

sudo -s
apt-get update

apt-get install libmnl0        # already installed
apt-get install libmnl-dev

apt-get install git
apt-get install autoconf
apt-get install libtool
apt-get install pkg-config
apt-get install flex
apt-get install bison
apt-get install libgmp3-dev
apt-get install libreadline6-dev
apt-get install autogen

( apt-get install docbook2x docbook-utils )

We install the ulogd2 dependencies :

git clone git://git.netfilter.org/libnfnetlink
cd libnfnetlink
sh autogen.sh
./configure
make
make install

cd ..

git clone git://git.netfilter.org/libnetfilter_log
cd libnetfilter_log
sh autogen.sh        # works fine, but autogen prints an ' unexpected operator ' message !?
./configure
make
make install

cd ..

git clone git://git.netfilter.org/libnetfilter_conntrack
cd libnetfilter_conntrack
sh autogen.sh
./configure
make
make install
cd ..

We finally install ulogd2 :

sudo apt-get install ulogd2

 

( NFtables should already be installed. If not, see the notes in part 9 )

 

 

 

2. Nftables logging setup

We first check which protocol families nflog is active for :

 

cat /proc/net/netfilter/nf_log

You might get this :


# cat /proc/net/netfilter/nf_log
 0 NONE (nfnetlink_log)
 1 NONE (nfnetlink_log)
 2 nfnetlink_log (nfnetlink_log)
 3 NONE (nfnetlink_log)
 4 NONE (nfnetlink_log)
 5 NONE (nfnetlink_log)
 6 NONE (nfnetlink_log)
 7 NONE (nfnetlink_log)
 8 NONE (nfnetlink_log)
 9 NONE (nfnetlink_log)
10 NONE (nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)
#

Let's read this. The number at the start of each line is the protocol family.

2=IPv4, 4=Novell IPX, 10=IPv6, ...

The syntax is Protocol Number / Active Module ( Available Modules ).

So here we have nfnetlink_log active for IPv4 only.

( line 10 is : '10 NONE (nfnetlink_log)' )

We need to enable nfnetlink_log for IPv6 :

echo "nfnetlink_log" > /proc/sys/net/netfilter/nf_log/10

We should then get this :

# cat /proc/net/netfilter/nf_log
 0 NONE (nfnetlink_log)
 1 NONE (nfnetlink_log)
 2 nfnetlink_log (nfnetlink_log)
 3 NONE (nfnetlink_log)
 4 NONE (nfnetlink_log)
 5 NONE (nfnetlink_log)
 6 NONE (nfnetlink_log)
 7 NONE (nfnetlink_log)
 8 NONE (nfnetlink_log)
 9 NONE (nfnetlink_log)
10 nfnetlink_log (nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)
#

( See part 7 for /proc/net/netfilter/nf_log persistence at reboot )
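As an added example (not from the original post), here is a small POSIX shell helper that parses the /proc/net/netfilter/nf_log table shown above and selects nfnetlink_log for a protocol family only when the kernel lists it as available. PROCROOT is an assumption introduced so the helper can be run against a copy of the files; it defaults to /proc, and writing the real sysctl needs root.

```shell
#!/bin/sh
# Added example: read /proc/net/netfilter/nf_log ("<family> <active> (<available>)")
# and select a logger per protocol family through /proc/sys/net/netfilter/nf_log/<family>.
# PROCROOT is an assumed knob (defaults to /proc) so the parser can be exercised
# on a copy of the files without root or a netfilter-enabled kernel.
PROCROOT=${PROCROOT:-/proc}

# Print the family number of every line whose active logger is $1 (e.g. nfnetlink_log).
active_families() {
    awk -v want="$1" '$2 == want { print $1 }' "$PROCROOT/net/netfilter/nf_log"
}

# Return 0 if family $1 (2 = IPv4, 10 = IPv6) currently uses logger $2, 1 otherwise.
family_uses() {
    awk -v fam="$1" -v want="$2" \
        '$1 == fam && $2 == want { found = 1 } END { exit !found }' \
        "$PROCROOT/net/netfilter/nf_log"
}

# Make family $1 use logger $2 unless it already does. The logger must be listed
# in the "(available)" column of that family, otherwise the kernel rejects it.
enable_logger() {
    fam=$1; logger=$2
    if family_uses "$fam" "$logger"; then
        return 0
    fi
    if ! awk -v fam="$fam" -v want="$logger" \
        '$1 == fam && index($3, want) { ok = 1 } END { exit !ok }' \
        "$PROCROOT/net/netfilter/nf_log"; then
        echo "logger $logger not available for family $fam" >&2
        return 1
    fi
    echo "$logger" > "$PROCROOT/sys/net/netfilter/nf_log/$fam"
}

# Usage on a real host (as root): enable_logger 10 nfnetlink_log
[ -r "$PROCROOT/net/netfilter/nf_log" ] && active_families nfnetlink_log
```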

 

 

 

3. RSYSLOG setup

With a basic /etc/rsyslog.conf containing :


*.*    @192.168.0.12:514
*.*    @[2001:db8:0:0::12]:514

sudo service rsyslog restart

( note that this sends every message twice, once to the IPv4 address and once to the IPv6 address ;
remove the line you do not need )

We can also watch the syslog traffic in Wireshark ( useful for debugging ) using these filters :

 

ip.addr == 192.168.0.12
ipv6.addr == 2001:db8:0:0::12

 

 

4. ULOGD2 setup

sudo gedit /etc/ulogd.conf

We uncomment line 95 of ulogd.conf ( Syslog via NFLOG ) :
# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG

We launch ulogd :
sudo /usr/sbin/ulogd
( or sudo service ulogd2 restart )

Note this part of ulogd.conf :

 

[log3]
# netlink multicast group (the same as the iptables --nflog-group param)
group=2 # Group has to be different from the one use in log1/log2
numeric_label=1 # you can label the log info based on the packet verdict

This is where nflog group 2 is bound.



5. NFtables Test

nft -f /home/lake/nftables/files/nftables/ipv4-filter
nft -f /home/lake/nftables/files/nftables/ipv6-filter

nft flush table filter
nft flush table ip6 filter

nft add rule filter output ip daddr 208.67.222.222 counter log group 2 prefix "IPv4_OpenDNS_"
nft add rule ip6 filter output ip6 daddr 2620:0:ccc::2 counter log group 2 prefix "IPv6_OpenDNS_"

nft list table filter
nft list table ip6 filter

ping -c 4 208.67.222.222
ping6 -c 4 2620:0:ccc::2
sudo tail /var/log/syslog

 

It should work : we should see syslog messages in Wireshark and on our syslog server.
They arrive as DAEMON.NOTICE.


Let's refine our rsyslog filter. We edit /etc/rsyslog.conf :


DAEMON.NOTICE    @192.168.0.12:514        # Use Upper Cases
DAEMON.NOTICE    @[2001:db8:0:0::12]:514

This narrows what is sent through syslog.

 

Remember to use upper case for facility / level names ( i.e. use DAEMON.NOTICE, not daemon.notice )

 

 

 

6. ULOGD2 Custom Facility / Level

Let's finally customize our ULOGD2 facility/level so that we can filter what is sent to our external syslog server:

 

sudo gedit /etc/ulogd.conf

 

We add a [sys1] stanza below the [emu1] stanza :
--------------------------------------------------------------------------------------------------------
[emu1]
file="/var/log/ulog/syslogemu.log"
sync=1

[sys1]
file="/var/log/ulog/syslog.log"
facility=LOG_LOCAL2
level=LOG_NOTICE
---------------------------------------------------------------------------------------------------------

We restart ulogd :
sudo service ulogd2 restart

We now get LOCAL2.NOTICE syslog messages.

We can finally set /etc/rsyslog.conf to only send LOCAL2.NOTICE to the external syslog server :

LOCAL2.NOTICE        @192.168.1.100:514        # Use Upper Cases
LOCAL2.NOTICE        @[2001:db8:0:0::12]:514

 

 

7. ulogd2 using two nflog groups


We may need ulogd2 to gather and relay several nflog groups.
Let's reuse the Internet Gateway with NFlog from the earlier Part 7 post, which uses two groups.
We'll use nflog group 2 and nflog group 3 ( so as to avoid colliding with group 1, which ulogd2 already registers for log2 ).

We just copy the log3 stack declaration to make a log4 stack right below it :

# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG

# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG


We also copy the [log3] declaration to make a [log4]. Notice that [log4] uses group 3 :

[log3]
group=2 # Group has to be different from the one use in log1/log2
numeric_label=1

[log4]
group=3 # Group has to be different from the one use in log1/log2
numeric_label=1

We just have to restart ulogd2 :
sudo service ulogd2 restart

 

 

8. Ulogd2 using two nflog groups with two syslog facilities

Furthermore, it may be handy to have our two groups use distinct syslog facilities, for easier sorting on the syslog server.
We use two NFLOG stacks with distinct sys1 and sys3 output plugins :

# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG

# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys3:SYSLOG

We use two NFLOG input descriptors :

[log3]
group=2 # Group has to be different from the one use in log1/log2
numeric_label=1

[log4]
group=3 # Group has to be different from the one use in log1/log2
numeric_label=1


We add a [sys3] descriptor below [sys1], with its own facility :

[sys1]
file="/var/log/ulog/syslog.log"
facility=LOG_LOCAL2
level=LOG_NOTICE

[sys3]
file="/var/log/ulog/syslog.log"
facility=LOG_LOCAL1
level=LOG_NOTICE


We just have to restart ulogd2 :

sudo service ulogd2 restart

( don't forget to update /etc/rsyslog.conf, for example :

LOCAL2.NOTICE    @192.168.1.100:514
LOCAL1.NOTICE    @192.168.1.100:514 )

 

 

 

 

9. Notes

 

Firewall logging ' auto-feedback ' effect :

 

Special care must be taken to avoid a positive-feedback loop :

 

You don't want the firewall to log, and thus syslog, its own outgoing syslog messages
( unless you want to find out which part of the chain Firewall --> Network hardware --> syslog server gives up first under a flood of packets )

 

Here is a typical output chain that avoids the positive-feedback loop
by accepting outgoing syslog messages ( UDP port 514 ) BEFORE they can reach the log rule :

add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output udp dport 514 accept
add rule filter output ct state new counter log prefix "IPv4_OUT" group 2 accept
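As an added example (not from the original post), the following shell snippet writes that chain for both the ip and ip6 filter tables, since the rsyslog setup above also sends to an IPv6 collector, narrows the port-514 accept to the collector addresses (192.168.0.12 and 2001:db8:0:0::12, taken from this post), and lints the resulting ruleset file so that the accept precedes the first log rule in each chain. The file name, the check_order function and the chain layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example: generate an anti-feedback-loop output chain for IPv4 and IPv6
# and verify that syslog traffic is accepted before anything is logged to nflog.
# Collector addresses are taken from the post; everything else is assumed.
SYSLOG_V4=192.168.0.12
SYSLOG_V6=2001:db8:0:0::12

# Write the ruleset (nft "add rule" file syntax) to the file named in $1.
# Apply it afterwards with: nft -f <file>
write_ruleset() {
    cat > "$1" <<EOF
add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output ip daddr $SYSLOG_V4 udp dport 514 accept
add rule filter output ct state new counter log prefix "IPv4_OUT" group 2 accept
add rule ip6 filter output ct state established accept
add rule ip6 filter output ct state related accept
add rule ip6 filter output oif lo accept
add rule ip6 filter output ip6 daddr $SYSLOG_V6 udp dport 514 accept
add rule ip6 filter output ct state new counter log prefix "IPv6_OUT" group 2 accept
EOF
}

# Lint: for the chain named in $2 ("filter output" or "ip6 filter output"),
# return 0 if the first "udp dport 514 accept" rule comes before the first
# "log" rule, 1 otherwise. A log rule first would syslog the syslog packets.
check_order() {
    file=$1; chain=$2
    accept_line=$(grep -n "^add rule $chain .*udp dport 514 accept" "$file" | head -n1 | cut -d: -f1)
    log_line=$(grep -n "^add rule $chain .* log " "$file" | head -n1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$log_line" ] && [ "$accept_line" -lt "$log_line" ]
}
```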

Ulogd2 local HDD logging :

 

The log1 stack is enabled by default ( uncommented in /etc/ulogd.conf ) :
. it uses group 0 ( this can be changed )
. it logs to /var/log/ulog/syslogemu.log

See the [log1] descriptor.

 

NB 2 : log2 seems a better fit.

 

 

Ulogd2 custom plugin :

 

We may rename sys1 to systc1 in these two stanzas, for cleanliness, so as to avoid any entanglement between stacks.
But it doesn't seem really necessary :

 

# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,systc1:SYSLOG

...
[systc1]
file="/var/log/ulog/syslog.log"
facility=LOG_LOCAL2
level=LOG_NOTICE

 

 

syslog prefix syntax :

 

WORD
WORD1_WORD2
"WORD1 WORD2"
In practice, up to 63 characters are allowed : spaces, upper and lower case letters, digits and special characters.

 

 

Equivalent iptables syntax :

 

sudo iptables -A OUTPUT -d 8.8.4.4 -j NFLOG --nflog-group 2 --nflog-prefix TESTG2


NFTABLES specifics ( building nftables from source ) :

git clone git://git.netfilter.org/libnftnl
cd libnftnl
sh autogen.sh
./configure
make
make install
ldconfig

cd ..
git clone git://git.netfilter.org/nftables
cd nftables
sh autogen.sh
./configure
make
make install

--

 

Published by computer outlines - in Nftables