Enabling logging and analyzing Linux firewall logs.

In this page

  • Firewall log collection in Linux
  • Enabling logging in iptables
  • Viewing iptables log

The basic function of a firewall is to stop connections from suspicious networks or sources. It inspects the source address, destination address, and port of every connection and decides whether to allow or block the traffic. Every action the firewall takes is recorded as log data. Monitoring and analyzing these logs is essential to protect your network from attacks, and to do that you first need to enable logging. The procedures below allow you to enable logging in Linux firewalls.

Firewall log collection in Linux

On Linux systems, iptables is the command-line interface used to set up and maintain the tables of rules for the Netfilter firewall for IPv4 that is included by default in the Linux kernel. When a connection attempts to establish itself on the system, iptables walks its list of rules to see whether the connection should be allowed or denied. If no rule matches, it falls back to the default action. iptables is pre-installed on most Linux systems.

iptables uses three different chains—INPUT, FORWARD, and OUTPUT—to control the traffic coming into the network, re-routed within the network, and going out of the network.

Enabling logging on iptables is essential to monitor the inbound and outbound traffic.

Enabling logging in iptables

Use the following command to enable logging in iptables.

iptables -A INPUT -j LOG

To enable logging for a specific IP address or range, use the command below:

iptables -A INPUT -s 192.168.10.0/24 -j LOG

To define the level of the log messages that iptables generates, use --log-level followed by the level number. Refer to the syntax of the command below:

iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-level 4

If you're analyzing the logs manually, it's better to add a prefix to the generated logs so that it's easier to search through the large volume of log entries. The command to perform this operation is given below. Alternatively, you can always choose a log management solution, such as EventLog Analyzer, to collect, monitor, analyze, and get actionable insights into firewall logs.

iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-prefix '** SUSPECT **'

Viewing iptables log

After enabling logging, you can sift through the log files in these locations:

Ubuntu and Debian: tail -f /var/log/kern.log
CentOS, RHEL, and Fedora: cat /var/log/messages
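As an added example (not part of the original page), the script below pulls the lines carrying the '** SUSPECT **' prefix configured above out of a constructed kern.log sample and summarizes them per source address; the sample log lines, host name, and addresses are constructed for illustration. It also shows a caveat of the rule as written: the LOG target prints the prefix directly followed by IN=, so a prefix without a trailing space runs into the first field.

```shell
#!/bin/sh
# Matching rule from the page:
#   iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-prefix '** SUSPECT **'
# Constructed sample of what that rule writes to /var/log/kern.log. Because the
# prefix has no trailing space, "** SUSPECT **" runs straight into "IN=eth0".
# The last line is unrelated kernel noise that the filter must ignore.
SAMPLE_LOG='Mar  3 10:15:01 host kernel: [100.000001] ** SUSPECT **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.10.25 DST=192.168.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=45678 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 host kernel: [101.000001] ** SUSPECT **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.10.25 DST=192.168.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=45679 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:03 host kernel: [102.000001] ** SUSPECT **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.10.77 DST=192.168.10.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
Mar  3 10:15:04 host kernel: [103.000001] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex'

# count_by_src PREFIX < log
# Keeps only lines with the literal prefix (-F, so '*' is not a wildcard),
# extracts the SRC= field and prints "count address", busiest source first.
count_by_src() {
    grep -F -- "$1" \
      | sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# ports_for_src PREFIX SRC < log
# Distinct TCP/UDP destination ports one source was logged against, on one line.
# The trailing space after the address stops 192.168.10.2 matching 192.168.10.25.
ports_for_src() {
    grep -F -- "$1" | grep -F "SRC=$2 " \
      | sed -n 's/.*DPT=\([0-9]*\).*/\1/p' \
      | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# In production, replace the sample with e.g. tail -f /var/log/kern.log.
printf '%s\n' "$SAMPLE_LOG" | count_by_src '** SUSPECT **'
printf '%s\n' "$SAMPLE_LOG" | ports_for_src '** SUSPECT **' 192.168.10.25
```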

What's next?

Enhance Linux firewall log monitoring with EventLog Analyzer’s security insights and instant alerting capabilities.