Where is the location and name of pve-firewall.log configured?

zahnfee

Happy pi-day!

I am using my own firewall setup with its own logs and noticed that some stuff still gets logged to the Proxmox default location (which is displayed in the user interface under Firewall->Log).
Can anybody tell me where I can change this?
I'd like to have all logs in one file.

kind regards,

Z.
 
Hi,

Happy pi-day!
To you too!

Having multiple programs writing to the same file is not really a thing, since it has the potential to intermingle or even corrupt the output of both programs, rendering your log-file useless.
The path to the log file is currently hard-coded as /var/log/pve-firewall.log and can't be changed that easily.
 
Thanks for the info.
Well, I'd like to find out exactly how the pve-firewall.log is generated.
Most of the netfilter packet-logs do end up in my own logs and the pve-firewall.log remains empty.
By chance I found some log entries that only appear in the pve-firewall.log, albeit with the syntax that I chose when setting up my own log formats.
That means that I need to tweak my NFLOG/ulogd-config to get these logs into my own log-files as well.

Kind regards

Z.
 
Looks like the logger is using NFLOG:0 and thus blocking it for my logs. The only way to prevent that is to stop the logger.
Then I can use ulogd to log it into my own log files.
Code:
gatekeeper-3(bookworm)root# tcpdump -vvv -i nflog:0
tcpdump: Can't listen on group index: Operation not permitted
gatekeeper-3(bookworm)root# fuser /var/log/pve-firewall.log
/var/log/pve-firewall.log:  1460
gatekeeper-3(bookworm)root# ps -ef | grep 1460
root        1460       1  0 08:11 ?        00:00:00 /usr/sbin/pvefw-logger
root       22860   15850  0 08:35 pts/1    00:00:00 grep 1460
...
gatekeeper-3(bookworm)root# service pvefw-logger stop
gatekeeper-3(bookworm)root# fuser /var/log/pve-firewall.log
gatekeeper-3(bookworm)root# tcpdump -vvv -i nflog:0
tcpdump: listening on nflog:0, link-type NFLOG (Linux netfilter log messages), snapshot length 262144 bytes
08:37:12.224136 IP6 (hlim 240, next-header ICMPv6 (58) payload length: 1240) mtu1280.vm3.test-ipv6.com > fdbf:1d37:bbe0:0:68:2:0:3e: [icmp6 sum ok] ICMP6, packet too big, mtu 1280
08:37:41.184127 IP6 (hlim 240, next-header ICMPv6 (58) payload length: 1240) mtu1280.vm3.test-ipv6.com > fdbf:1d37:bbe0:0:68:2:0:3e: [icmp6 sum ok] ICMP6, packet too big, mtu 1280
08:37:44.534549 IP6 (hlim 240, next-header ICMPv6 (58) payload length: 1240) mtu1280.vm3.test-ipv6.com > fdbf:1d37:bbe0:0:68:2:0:3e: [icmp6 sum ok] ICMP6, packet too big, mtu 1280
08:37:44.534596 IP6 (hlim 240, next-header ICMPv6 (58) payload length: 1240) mtu1280.vm3.test-ipv6.com > fdbf:1d37:bbe0:0:68:2:0:3e: [icmp6 sum ok] ICMP6, packet too big, mtu 1280
08:37:45.536123 IP6 (hlim 240, next-header ICMPv6 (58) payload length: 1240) mtu1280.vm3.test-ipv6.com > fdbf:1d37:bbe0:0:68:2:0:3e: [icmp6 sum ok] ICMP6, packet too big, mtu 1280

These messages are exactly what I am seeing in the pve-firewall.log and missing in my own logs.
==> issue is solved
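
An added example, not part of the thread and not Proxmox code: instead of probing with tcpdump and fuser, the kernel's table of bound NFLOG groups can be read directly to see whether a group is already taken before pointing ulogd at it. It assumes the column layout of /proc/net/netfilter/nfnetlink_log given in the comments and that the peer portid usually matches the PID of the binding process; the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which netlink peer holds an NFLOG group.
# Assumption: each line of /proc/net/netfilter/nfnetlink_log describes one bound group as
#   group  peer_portid  queue_len  copy_mode  copy_range  flush_timeout  use_count
NFLOG_PROC="${NFLOG_PROC:-/proc/net/netfilter/nfnetlink_log}"

# nflog_owner GROUP [FILE]: print the peer portid bound to GROUP.
# Exit 0 if bound, 1 if the group is free, 2 if FILE cannot be read.
nflog_owner() {
    file="${2:-$NFLOG_PROC}"
    [ -r "$file" ] || return 2
    awk -v g="$1" '$1 == g { print $2; found = 1 } END { exit !found }' "$file"
}

# nflog_report GROUP [FILE]: one-line summary for a human.
nflog_report() {
    if portid=$(nflog_owner "$1" "$2"); then
        # Assumption: the portid is usually, but not always, the PID of the binder.
        comm=$(cat "/proc/$portid/comm" 2>/dev/null || echo unknown)
        echo "NFLOG group $1: bound by portid $portid ($comm)"
    else
        rc=$?
        if [ "$rc" -eq 1 ]; then
            echo "NFLOG group $1: free"
            return 0
        fi
        echo "NFLOG group $1: cannot read ${2:-$NFLOG_PROC}" >&2
        return 2
    fi
}

# Constructed sample table: group 0 held by portid 1460, group 2 by portid 2211.
nflog_sample() {
    printf '%5u %6u %5u %1u %5u %6u %2u\n' 0 1460 0 2 65535 100 1
    printf '%5u %6u %5u %1u %5u %6u %2u\n' 2 2211 0 2 65535 100 1
}

# Demo on the constructed sample; on a real host call `nflog_report 0` with no file.
demo_file=$(mktemp)
nflog_sample > "$demo_file"
nflog_report 0 "$demo_file"   # group 0 is taken, so a second listener is refused
nflog_report 1 "$demo_file"   # group 1 is free for a separate ulogd instance
rm -f "$demo_file"
```

A group reported as free can be used by a second logger only if the firewall rules that should feed it log to that group number.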
 