Logging (Olive - Firewall)

Now that we can log in to the Olive and control that login through a firewall filter, we can see hits on the filter. But that only gives us a packet and byte count. It doesn't tell us when the hits happened or where they were sourced from. For that we need logging.

An easy way to do this is to use the action "log" on the term..

user@olive-core> show configuration firewall
filter ACCESS-CNTRL {
    term TELNET-BLOCK {
        from {
            destination-port telnet;
        }
        then {
            count COUNTER-TELNET-BLOCK;
            log;
            discard;
        }
    }
    term PERMIT-ALL {
        from {
            source-address {
                0.0.0.0/0;
            }
        }
        then {
            count COUNTER-PERMIT-ALL;
            accept;
        }
    }
}


To see the log.. (there must be hits against the term to see the kind of output below)

user@olive-core> show firewall log                 
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
18:28:02  ACCESS-CNTRL D   em0.0         TCP             192.168.0.11                     192.168.0.100


user@olive-core> show firewall log detail
Time of Log: 2012-01-13 18:28:02 EST, Filter: ACCESS-CNTRL, Filter action: discard, Name of interface: em0.0
Name of protocol: TCP, Packet Length: 49245, Source address: 192.168.0.11:53159, Destination address: 192.168.0.100:23


So that's a couple of ways to see the log hits. They show us the interface involved, the time of the event and the IP source and destination. Great!

The thing is though, this output is not persistent between reboots. For that we need the "syslog" action..

user@olive-core> show configuration firewall   
filter ACCESS-CNTRL {
    term TELNET-BLOCK {
        from {
            destination-port telnet;
        }
        then {
            count COUNTER-TELNET-BLOCK;
            log;
            syslog;
            discard;
        }
    }
    term PERMIT-ALL {
        from {
            source-address {
                0.0.0.0/0;
            }
        }
        then {
            count COUNTER-PERMIT-ALL;
            accept;
        }
    }
}

The firewall logs don't appear to show up in the messages log by default, so you need to define a log for the firewall facility. I have selected the severity level "any", but you could select any of the levels below depending on the level of the specific messages you want to log.

Severity level   Description
any              Includes all severity levels
none             Disables logging of the associated facility to a destination
emergency        System panic or other condition that causes the routing platform to stop functioning
alert            Conditions that require immediate correction, such as a corrupted system database
critical         Critical conditions, such as hard drive errors
error            Error conditions that generally have less serious consequences than errors in the emergency, alert, and critical levels
warning          Conditions that warrant monitoring
notice           Conditions that are not errors but might warrant special handling
info             Events or nonerror conditions of interest

Above table from http://www.juniper.net/techpubs/software/junos/junos76/syslog-messages76/html/overview4.html

    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
        file FIREWALL-LOG {
            firewall any;
        }
    }


To see the logs..

user@olive-core> show log FIREWALL-LOG        
Jan 15 20:19:04  olive-core /kernel: FW: em0.0        D  tcp 192.168.0.11 192.168.0.100 53403    23
Jan 15 20:19:07  olive-core /kernel: FW: em0.0        D  tcp 192.168.0.11 192.168.0.100 53403    23
user@olive-core>

You can run the "log" action at the same time as "syslog" on the filter term, though there is little point as they give almost identical information. Below is the same hit viewed both ways..

user@olive-core> show log FIREWALL-LOG   
Jan 16 18:17:10  olive-core /kernel: FW: em0.0        D  tcp 192.168.0.11 192.168.0.100 51100    23
                         
user@olive-core> show firewall log
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
18:17:10  ACCESS-CNTRL D   em0.0         TCP             192.168.0.11                     192.168.0.100

You can control the actual log file through the "archive" statement. These parameters can be set for all syslog files or individually for each log, depending on the hierarchy level at which you apply the archive commands.

user@olive-core# set system syslog file FIREWALL-LOG archive ?
Possible completions:
  <[Enter]>            Execute this command
> archive-sites       
  files                Number of files to be archived (1..1000)
  no-world-readable    Don't allow any user to read the log file
  size                 Size of files to be archived (65536..1073741824 bytes)
  start-time           Start time for file transmission (yyyy-mm-dd.hh:mm)
  transfer-interval    Frequency at which to transfer files to archive sites (5..2880 minutes)
  world-readable       Allow any user to read the log file
  |                    Pipe through a command
[edit]
user@olive-core#

Naturally with syslog you will probably want to send it off to a central syslog collector. For this you configure the "host" option under syslog. Here we are using the remote syslog host to log only the firewall facility, with a specific log prefix. Also note the local log on the Olive has been limited to a maximum of 2 archive files.

    syslog {
        user * {
            any emergency;
        }
        host 192.168.56.40 {
            firewall any;
            log-prefix "the_olive!";
            source-address 192.168.56.100;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
        file FIREWALL-LOG {
            firewall any;
            archive files 2;
        }
    }
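Once the FW: lines land in FIREWALL-LOG or at the collector, the next step on the defender's side is to parse them and count what the filter is discarding. The following is an added example, not code from the post or from Juniper: a small Python parser for the "show log FIREWALL-LOG" line format shown above, which also copes with a log-prefix on lines received by the remote host. The sample lines are constructed here; the placement of "the_olive!" after the hostname is an assumption, since the post's screenshot of the prefixed message is not reproduced.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in the shape of the post's "show log FIREWALL-LOG"
# output. The third line assumes the log-prefix ("the_olive!") is inserted
# after the hostname; that placement is an assumption. The last line is
# ordinary syslog noise the parser must ignore.
SAMPLE_LOG = """\
Jan 15 20:19:04  olive-core /kernel: FW: em0.0        D  tcp 192.168.0.11 192.168.0.100 53403    23
Jan 15 20:19:07  olive-core /kernel: FW: em0.0        D  tcp 192.168.0.11 192.168.0.100 53403    23
Jan 16 18:17:10  olive-core the_olive!: /kernel: FW: em0.0        D  tcp 192.168.0.11 192.168.0.100 51100    23
Jan 16 18:17:12  olive-core /kernel: FW: em0.0        A  tcp 192.168.0.12 192.168.0.100 40000    22
Jan 16 18:17:13  olive-core sshd[1234]: unrelated message
"""

# A firewall log line carries: FW: <interface> <A|D|R> <proto> <src> <dst> <sport> <dport>
FW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+(?P<host>\S+).*?FW:\s+"
    r"(?P<ifl>\S+)\s+(?P<action>[ADR])\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)"
)

# Single-letter action codes as the kernel emits them.
ACTIONS = {"A": "accept", "D": "discard", "R": "reject"}


@dataclass(frozen=True)
class FwEvent:
    ts: str
    host: str
    ifl: str
    action: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def parse_line(line):
    """Return an FwEvent for a firewall log line, or None for anything else."""
    m = FW_RE.match(line)
    if m is None:
        return None
    return FwEvent(
        ts=m["ts"],
        host=m["host"],
        ifl=m["ifl"],
        action=ACTIONS[m["action"]],
        proto=m["proto"].lower(),
        src=m["src"],
        dst=m["dst"],
        sport=int(m["sport"]),
        dport=int(m["dport"]),
    )


def parse_log(text):
    """Parse a whole log file, skipping lines that are not firewall hits."""
    events = [parse_line(line) for line in text.splitlines()]
    return [e for e in events if e is not None]


def discards_by_source(events):
    """Count discarded packets per (source address, destination port)."""
    return Counter((e.src, e.dport) for e in events if e.action == "discard")


def noisy_sources(events, threshold):
    """Sources that hit one blocked port at least `threshold` times."""
    counts = discards_by_source(events)
    return sorted({src for (src, _), n in counts.items() if n >= threshold})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(f"{e.ts} {e.host} {e.ifl} {e.action:7} {e.proto} "
              f"{e.src}:{e.sport} -> {e.dst}:{e.dport}")
    print("discards:", dict(discards_by_source(evs)))
    print("noisy sources:", noisy_sources(evs, 3))
```

The regex anchors on the "FW:" marker rather than on the "/kernel:" token, so the same parser works on the local file and on collector copies that carry the log-prefix. Feeding it the rotated archive files (archive files 2 above) gives the same per-source counts that the filter's packet counter alone cannot provide.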
                           
Below is a screenshot of the syslog message after arriving at the remote syslog server, in this case Zenoss (running in VirtualBox).



Model: olive
JUNOS Base OS Software Suite [10.1R1.8]
