No firewall logs at host level with log level debug

Discussion in 'Proxmox VE: Networking and Firewall' started by CSoellinger, May 25, 2018.

  1. CSoellinger

    Hi,

    I have a strange problem and can't find the solution at the moment, so maybe you can give me a hint where I have a problem :)

    First I want to say the firewall is working as expected: only the VPN port is open, all others (like SSH or the Proxmox GUI) are only reachable from the internal network, which is NATed to the VPN net.

    But I don't see any logs from the firewall at host level... for example the only logs from today are:

    Code:
    0 5 - 25/May/2018:06:25:02 +0200 starting pvefw logger
    0 5 - 25/May/2018:15:48:19 +0200 received terminate request (signal)
    0 5 - 25/May/2018:15:48:19 +0200 stopping pvefw logger
    0 5 - 25/May/2018:15:49:21 +0200 starting pvefw logger
    0 5 - 25/May/2018:16:08:36 +0200 received terminate request (signal)
    0 5 - 25/May/2018:16:08:36 +0200 stopping pvefw logger
    0 5 - 25/May/2018:16:09:29 +0200 starting pvefw logger
    0 5 - 25/May/2018:17:42:17 +0200 received terminate request (signal)
    0 5 - 25/May/2018:17:42:17 +0200 stopping pvefw logger
    0 5 - 25/May/2018:17:42:17 +0200 starting pvefw logger
    0 5 - 25/May/2018:18:34:57 +0200 received terminate request (signal)
    0 5 - 25/May/2018:18:34:57 +0200 stopping pvefw logger
    0 5 - 25/May/2018:18:34:59 +0200 starting pvefw logger
    0 5 - 25/May/2018:18:38:24 +0200 received terminate request (signal)
    0 5 - 25/May/2018:18:38:24 +0200 stopping pvefw logger
    0 5 - 25/May/2018:18:39:24 +0200 starting pvefw logger

    Can't believe this, because the only open port is the VPN port. Especially with log_level_in debug I expected some more logging output ;) .

    So for example if I try to log in by SSH at the public IP, I only want to see somewhere that it is blocked.

    cheers
    Chris
     
  2. floh

    Hello CSoellinger!
    Have you found any type of log file?
    I've been searching for a few hours and haven't found anything.
    I know that there is no Live-Log-GUI like OPNsense/pfSense, but a firewall.log file should be somewhere, right?

    Hopefully you or someone else has found the file.

    Best regards,
    Flo

    EDIT:
    Sorry, found it a few mins after this post:
    /var/log/pve-firewall.log
     
    #2 floh, Sep 5, 2018
    Last edited: Sep 5, 2018
  3. Shawn Fitzpatrick

    Has anyone found a solution to the lack of firewall logs? The log file only shows the starting, stopping and termination requests as shown by Chris above. My firewalls are working but the lack of a functional log makes troubleshooting and alerting impossible. I'm particularly interested in IPSET lists at both the cluster level and the VM level. I'm using the IPSET mail-attackers-blacklist at the cluster level as a DROP rule in my "mail services" Security Group. The configuration successfully blocks all IPs and CIDR blocks listed in the IPSET but I get no logging either on the GUI or in the /var/log/pve-firewall.log file.
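
A small check for the symptom described in this thread, as an added example that is not part of any post or of Proxmox's own tooling: it separates the logger's start/stop lines from every other entry in /var/log/pve-firewall.log and reports when the host (VMID 0) has none. The lifecycle lines in the sample follow the format quoted above; the packet-entry line and the field layout are assumptions.

```python
import re
import sys
from collections import Counter

# Constructed sample. The first four lines use the format quoted in the thread;
# the last is a constructed packet entry whose layout
# (VMID LEVEL CHAIN TIMESTAMP MESSAGE) is an assumption, not taken from the thread.
SAMPLE = """\
0 5 - 25/May/2018:06:25:02 +0200 starting pvefw logger
0 5 - 25/May/2018:15:48:19 +0200 received terminate request (signal)
0 5 - 25/May/2018:15:48:19 +0200 stopping pvefw logger
0 5 - 25/May/2018:15:49:21 +0200 starting pvefw logger
0 7 PVEFW-HOST-IN 25/May/2018:16:01:10 +0200 policy DROP: IN=vmbr0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
"""

LINE = re.compile(
    r"^(?P<vmid>\d+) (?P<level>\d+) (?P<chain>\S+) "
    r"(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}) (?P<msg>.*)$"
)
LIFECYCLE = ("starting pvefw logger", "stopping pvefw logger",
             "received terminate request")

def summarize(text):
    """Split logger lifecycle lines from everything else, per VMID (0 = host)."""
    out = {"lifecycle": 0, "starts": 0, "packets": Counter(), "unparsed": []}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE.match(line)
        if m is None:
            out["unparsed"].append(line)   # keep it visible, never drop silently
        elif m["msg"].startswith(LIFECYCLE):
            out["lifecycle"] += 1
            out["starts"] += m["msg"].startswith("starting")
        else:
            out["packets"][int(m["vmid"])] += 1
    return out

def logging_silent(summary, vmid=0):
    """True when the logger ran but recorded no packet entry for this VMID."""
    return summary["starts"] > 0 and summary["packets"][vmid] == 0

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    s = summarize(text)
    print(f"lifecycle={s['lifecycle']} starts={s['starts']} "
          f"packets={dict(s['packets'])} unparsed={len(s['unparsed'])}")
    print("host logging silent:", logging_silent(s))
```

Run it with the log path as the only argument; a result of "silent" for a host that is known to be dropping traffic is the condition worth alerting on.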
     
  4. Shawn Fitzpatrick

    I've been doing some testing and here is what I have found thus far.
    I cannot get the firewall at the VM level to log any activity regardless of the configuration but the FW functions.
    I have, however, got logging at the host level to report based on entries in the Datacenter >> Firewall >> IPSET >> Blacklist. Entries placed here report to the Host Firewall Log.
    Entries placed in the Mail-attackers-blacklist do not report to the log. Functionally they work...but do not seem to report to the log.
    Any new IPSET groups created do not log to the host FW.
    For now...my solution is to put all offending hosts into the Datacenter Blacklist and create DROP groups in the VM firewalls that specify +Blacklist in the Rule "Source".
     
  5. gotuser32

    Have / had the same thing, but I also had a lot of martians being logged in the system log. Do you have log martians on? If I recall, it worked several releases ago, but I am still wet behind the ears, so I may be mistaken.
     