Logging all traffic

I want to syslog all traffic to a log collector, e.g. source IP xxx, dst IP xxxx, dst port xxxx.

I can do this by adding -j LOG to the firewall zone custom field in LuCI, and it works. But I guess my router isn't capable of handling it, and it starts dropping packets.

Interestingly, the CPU isn't maxing out; it gets to around 50%. Makes me wonder if it's not able to write to the flash memory quickly enough.

Any suggestions for a workaround? Other than buying an enterprise firewall that can do it...

I used to do this in pfSense on a VM, and it worked great, but it's annoying having to bring my whole network down every time I need to patch the host :(

OK, so what I need to do is only log a new state, rather than every single packet, which is how I think most firewall logging works:

-m state --state NEW -j LOG

Logging every packet would stress the router in every respect: CPU, flash, and in certain cases the network.

Most firewalls will only log rejected/dropped packets, which is what should interest you more.
What do you expect to see in the syslog from the accepted packets?

1 Like

To log "ALL traffic"... I'd advise using softflowd. There are many NetFlow collectors around, so I won't list too many... just one I know is open source.

2 Likes

I'm wanting to log source IP, dest IP and dest port so that I can correlate traffic events, such as looking for successful outbound connections to suspected malicious IP addresses, etc.

I don't need every successful packet, that's never going to work, but an event for each new state would be nice.

It's a common function in enterprise firewalls.

Will look into softflowd, thanks.
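The correlation described in the post above (source IP, destination IP and destination port of each new connection, matched against a list of suspected malicious addresses) happens on the collector side. The following is an added example, not code from the thread: it pulls SRC/DST/PROTO/DPT out of netfilter LOG lines and flags new connections to watch-listed destinations. The log prefix "New Connection: ", the sample log lines and the watchlist are all constructed for illustration; on the router you would pipe `logread -f` into the same function instead.

```shell
#!/bin/sh
# Added example, not from the thread: extract SRC/DST/PROTO/DPT from
# netfilter LOG lines and flag new connections to watch-listed destinations.
# Assumes the LOG rules use the prefix "New Connection: " and that the log
# collector receives OpenWrt logread-style lines. Everything below is
# constructed for illustration; on the router you would pipe `logread -f`
# into extract_new_conns instead of the sample text.

MAC="00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"
# Constructed sample log: a TCP and a UDP connection, an ICMP echo (no port),
# and an unrelated dnsmasq line that must be ignored.
SAMPLE_LOG="Tue Mar  5 10:00:01 2024 kern.warn kernel: [ 1201.11] New Connection: IN=br-lan OUT=eth0.2 MAC=$MAC SRC=192.168.1.20 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=51822 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Tue Mar  5 10:00:02 2024 kern.warn kernel: [ 1202.42] New Connection: IN=br-lan OUT=eth0.2 MAC=$MAC SRC=192.168.1.21 DST=198.51.100.9 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=UDP SPT=40000 DPT=53 LEN=56
Tue Mar  5 10:00:03 2024 kern.warn kernel: [ 1203.90] New Connection: IN=br-lan OUT=eth0.2 MAC=$MAC SRC=192.168.1.20 DST=203.0.113.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4713 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Tue Mar  5 10:00:04 2024 daemon.info dnsmasq[1234]: query[A] example.net from 192.168.1.20"

# Constructed watchlist of suspected malicious destinations (space-separated).
WATCHLIST="203.0.113.7 192.0.2.66"

# Read log lines on stdin, print "src dst proto dport" for each NEW connection.
# The kernel emits KEY=VALUE tokens, so the line is scanned token by token;
# DPT is absent for ICMP and is reported as "-".
extract_new_conns() {
    awk '
    /New Connection: / {
        src = dst = proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src != "" && dst != "") print src, dst, proto, dpt
    }'
}

# Read "src dst proto dport" on stdin, print an ALERT for each watch-listed dst.
flag_watchlist_hits() {
    awk -v list="$WATCHLIST" '
    BEGIN { n = split(list, ips, " "); for (i = 1; i <= n; i++) bad[ips[i]] = 1 }
    ($2 in bad) { print "ALERT", $1, "->", $2, $3, $4 }'
}

printf '%s\n' "$SAMPLE_LOG" | extract_new_conns | flag_watchlist_hits
```

Because the rule only logs the first packet of a connection, one log line is one connection attempt, which is what makes this correlation cheap; the ICMP line shows why the parser must not assume a DPT field is always present.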

Could I not just put these iptables commands in to log new connections only? Where would I put them?

iptables -I INPUT -m state --state NEW -j LOG --log-prefix "New Connection: "
iptables -I OUTPUT -m state --state NEW -j LOG --log-prefix "New Connection: "

You can add them like this, however these commands will catch the connections from/to router only, not traversing.

2 Likes
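As the reply above notes, INPUT and OUTPUT only see connections to and from the router itself; transit traffic between LAN and WAN goes through FORWARD. The following is an added example, not code from the thread, that logs only the first packet of each connection in all three chains and caps the log rate so a busy LAN cannot take the router down. It assumes iptables-era OpenWrt (fw3) with the conntrack and limit matches; the rate and burst values are assumptions to tune for your CPU. By default it only prints the commands; run it with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the thread. Logs only the first packet of each
# connection (conntrack state NEW) in all three filter chains and caps the
# log rate so a busy LAN cannot take the router down. Assumes iptables with
# the conntrack and limit matches (present in a default OpenWrt firewall).
# By default the commands are only printed; run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
LOG_RATE="${LOG_RATE:-20/second}"   # assumed safe ceiling; tune to your CPU
LOG_BURST="${LOG_BURST:-50}"        # assumed burst allowance

# Insert one LOG rule at the top of CHAIN so it fires before the zone
# ACCEPT/REJECT rules; LOG is a non-terminating target, so the packet
# continues down the chain afterwards.
log_new_rule() {
    chain="$1"
    prefix="$2"
    $IPT -I "$chain" 1 -m conntrack --ctstate NEW \
        -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
        -j LOG --log-prefix "$prefix" --log-level info
}

# INPUT/OUTPUT only see traffic to and from the router itself; FORWARD is
# where LAN<->WAN (transit) connections appear.
install_log_rules() {
    log_new_rule INPUT   "NEW-IN: "
    log_new_rule OUTPUT  "NEW-OUT: "
    log_new_rule FORWARD "NEW-FWD: "
}

install_log_rules
```

Two practical caveats. Rules inserted by hand are discarded when the OpenWrt firewall reloads, so on fw3 they belong in /etc/firewall.user (or the custom rules field in LuCI, which is where the original post put its -j LOG). And the limit match is what protects the router: once the rate is exceeded, further new connections are silently not logged, so a quiet log does not prove there was no traffic; that is the trade-off against the crash described later in the thread. On nftables-based OpenWrt (fw4) the same idea is a rule with `ct state new` and a `log prefix` statement, with `limit rate` in front of it.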

Did you manage to achieve that usecase?
I would need to do exactly the same and it would be nice to know if you've already found a solution.
Thanks and BR

Yes, it worked by putting the -j LOG option on the existing iptables rule. However, I had to turn it straight off as the home router's CPU wasn't anywhere near powerful enough to handle the logging, so the router would almost immediately crash.

Probably better off using an x86 based vm router software that can handle the throughput if you want to do it properly. Alternatively you could just do selective rules to log some traffic but not all.

1 Like

Okay, I'll probably use softflowd as alternative then.
But thanks for your quick feedback!