Logging
Basically, there are two types of logs that Vuurmuur produces: the traffic logs and the program logs.
Traffic logs
traffic.log contains logs based on rule matches. Vuurmuur uses the nfnetlink interface to read netfilter log messages produced by the kernel. It converts the log messages to the Vuurmuur format, and writes them by default to /var/log/vuurmuur/traffic.log.
Program logs
The program logs are all produced by Vuurmuur itself; normally they can be found in /var/log/vuurmuur/:
- vuurmuur.log
- error.log
- debug.log
- audit.log
In vuurmuur.log, startup and status messages are printed, as well as configuration changes made in vuurmuur_conf. In case of errors in the program or the configuration, messages are written to error.log. Debug messages go into debug.log; normally there should not be many (or even any), but when the -d option is enabled a lot of information is printed to that log.
Audit logging
When you use Vuurmuur in a professional environment, especially where more than one administrator manages the firewall, you probably need an audit trail showing which changes were made by whom. Vuurmuur, however, doesn't (yet) support different users: you have to be the local root user to administer it.
So how to handle this? Vuurmuur is able to determine the real user id when a user executes vuurmuur_conf or vuurmuur_script via sudo or su. If a user johndoe runs vuurmuur_conf with sudo /usr/bin/vuurmuur_conf, the name logged by Vuurmuur is johndoe.
This way you can set up a user account on the firewall for every administrator and add them to the /etc/sudoers file:
johndoe ALL=/usr/bin/vuurmuur_conf,/usr/bin/vuurmuur_script
When the user johndoe logs in to the firewall machine, either locally or through ssh, they can run vuurmuur_conf like this:
sudo vuurmuur_conf
They will have to re-enter their password (this can be disabled in /etc/sudoers).
All changes to the configuration, as well as reloads of Vuurmuur, are logged in the audit.log file, which by default can be found at /var/log/vuurmuur/audit.log. With every change made, you find the username of the administrator who made it.
A few examples:
10/09/2005 19:21:38 : PID 7900 : vuurmuur_conf : johndoe : service 'X-4' was created.
10/09/2005 19:24:13 : PID 7900 : vuurmuur_conf : johndoe : service 'X-4' has been changed: portrange 'TCP: 1024:65535 -> 6005' was added.
10/10/2005 13:58:42 : PID 23087 : vuurmuur : root : IPC-SHM: backend changed: reload (user: johndoe).
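As an added example (not part of Vuurmuur or this page), a small Python parser for the audit.log line format shown above: it attributes daemon reload entries to the administrator named in "(user: ...)", tallies events per administrator, and flags entries logged as plain root, i.e. changes made without sudo attribution. The first three sample lines are the page's own; the fourth is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line format shown in the Vuurmuur docs:
# "MM/DD/YYYY HH:MM:SS : PID <n> : <program> : <user> : <message>"
AUDIT_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) : "
    r"PID (?P<pid>\d+) : (?P<prog>\S+) : (?P<user>\S+) : (?P<msg>.*)$"
)
# The daemon's reload entry carries the triggering user in parentheses.
RELOAD_USER = re.compile(r"\(user: (?P<user>[^)]+)\)")

def parse_audit_line(line):
    """Return a dict for one audit.log line, or None if it does not match."""
    m = AUDIT_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S")
    rec["pid"] = int(rec["pid"])
    # Attribute a daemon reload to the administrator who triggered it.
    u = RELOAD_USER.search(rec["msg"])
    rec["actor"] = u.group("user") if u else rec["user"]
    return rec

def summarize(lines):
    """Count events per administrator and collect entries that are only
    attributable to 'root' (no sudo/su user name available)."""
    per_user = defaultdict(int)
    unattributed = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue
        per_user[rec["actor"]] += 1
        if rec["actor"] == "root":
            unattributed.append(rec)
    return dict(per_user), unattributed

# Constructed sample input (first three lines from the page, fourth invented).
SAMPLE_LOG = """\
10/09/2005 19:21:38 : PID 7900 : vuurmuur_conf : johndoe : service 'X-4' was created.
10/09/2005 19:24:13 : PID 7900 : vuurmuur_conf : johndoe : service 'X-4' has been changed: portrange 'TCP: 1024:65535 -> 6005' was added.
10/10/2005 13:58:42 : PID 23087 : vuurmuur : root : IPC-SHM: backend changed: reload (user: johndoe).
10/10/2005 14:02:11 : PID 23150 : vuurmuur_conf : root : service 'X-4' was deleted.
"""

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG.splitlines())
    print(counts)
    for r in flagged:
        print("no sudo attribution:", r["ts"], r["pid"], r["msg"])
```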