Logging all traffic

I am wanting to syslog all traffic to a log collector, e.g. source IP xxx, dst IP xxxx, dst port xxxx.

I can do this by adding -j LOG to the firewall zone custom field in LuCI, and it works. But I guess my router isn't capable of handling it and it starts dropping packets.

Interestingly, the CPU isn't maxing out; it gets to around 50%. Makes me wonder if it's not able to write to the flash memory quickly enough.

Any suggestions for a workaround? Other than buying an enterprise firewall that can do it...

I used to do this in pfSense on a VM, and it worked great, but it's annoying having to bring my whole network down every time I need to patch the host.

OK, so what I need to do is only log for a new state, rather than for every single packet, which is how I think most firewall logging works:

-m state --state NEW -j LOG

Logging every packet would stress the router in all aspects: CPU, flash, and in certain cases network.

Most firewalls will only log rejected/dropped packets, which is what should interest you more.
What do you expect to see in the syslog from the accepted packets?


To log "ALL traffic"...I'd advise using softflowd. There are many netflow collectors around, so I won't list too many...just one I know is opensource.


I'm wanting to log source IP, dest IP and dest port so that I can correlate traffic events, such as looking for outbound successful connections to suspected malicious IP addresses etc.

I don't need every successful packet, that's never going to work, but an event for each new state would be nice.

It is a common function in enterprise firewalls.

Will look into softflowd, thanks.

Could I not just put these iptables commands in to log new connections only? Where would I put them?

iptables -I INPUT -m state --state NEW -j LOG --log-prefix "New Connection: "
iptables -I OUTPUT -m state --state NEW -j LOG --log-prefix "New Connection: "

You can add them like this, however these commands will catch the connections from/to router only, not traversing.

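Following on from the NEW-state LOG rules posted above (and the reply that INPUT and OUTPUT only see traffic to and from the router itself, so traversing flows need the same rule in FORWARD), here is an added example that is not from this thread or from OpenWrt: a small Python script that parses the kernel LOG lines such rules produce, as seen through logread, and flags flows whose source or destination falls in a list of suspect addresses, which is the correlation the original poster described. The sample log lines, the suspect list, the interface names and the rule set quoted in the comment are all constructed for the example.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Constructed sample of what logread shows for kernel LOG hits. The rules
# assumed to have produced these lines (hypothetical contents of
# /etc/firewall.user on an OpenWrt box) log only the first packet of a flow,
# cover traversing traffic via FORWARD, and rate-limit so a port scan cannot
# flood syslog:
#   iptables -I INPUT   -m state --state NEW -m limit --limit 50/second --limit-burst 200 -j LOG --log-prefix "New Connection: "
#   iptables -I OUTPUT  -m state --state NEW -m limit --limit 50/second --limit-burst 200 -j LOG --log-prefix "New Connection: "
#   iptables -I FORWARD -m state --state NEW -m limit --limit 50/second --limit-burst 200 -j LOG --log-prefix "New Connection: "
# Addresses are from the RFC 5737 documentation ranges; the last line is an
# unrelated hostapd message included to show that non-LOG lines are skipped.
SAMPLE_LOG = """\
Tue Mar  5 10:15:01 2024 kern.warn kernel: [ 8812.120301] New Connection: IN=br-lan OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=43210 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Tue Mar  5 10:15:02 2024 kern.warn kernel: [ 8813.004410] New Connection: IN=br-lan OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.21 DST=198.51.100.77 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=43211 DF PROTO=TCP SPT=40022 DPT=4444 WINDOW=64240 RES=0x00 SYN URGP=0
Tue Mar  5 10:15:03 2024 kern.warn kernel: [ 8814.220011] New Connection: IN=br-lan OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=203.0.113.50 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=43212 PROTO=UDP SPT=53111 DPT=53 LEN=28
Tue Mar  5 10:15:04 2024 kern.warn kernel: [ 8815.001122] New Connection: IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=198.51.100.77 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Tue Mar  5 10:15:05 2024 daemon.notice hostapd: wlan0: STA 00:11:22:33:44:55 IEEE 802.11: associated
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# The --log-prefix used in the rules above; everything after it is KEY=VALUE.
PREFIX = "New Connection: "
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")

# Hypothetical suspect list: one host and one /25, as IPs or CIDR blocks.
SUSPECT_NETS = [ip_network(n) for n in ("198.51.100.77/32", "203.0.113.128/25")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]
    in_if: str   # "" when the router itself originated the packet (OUTPUT chain)
    out_if: str  # "" when the packet is addressed to the router (INPUT chain)


def parse_flow(line: str) -> Optional[Flow]:
    """Extract the flow tuple from one kernel LOG line; None for any other line."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    fields = dict(FIELD_RE.findall(line[idx + len(PREFIX):]))
    if "SRC" not in fields or "DST" not in fields:
        return None
    # ICMP and other protocols carry no SPT/DPT, so ports are optional.
    return Flow(
        src=fields["SRC"],
        dst=fields["DST"],
        proto=fields.get("PROTO", "?"),
        sport=int(fields["SPT"]) if fields.get("SPT") else None,
        dport=int(fields["DPT"]) if fields.get("DPT") else None,
        in_if=fields.get("IN", ""),
        out_if=fields.get("OUT", ""),
    )


def is_suspect(addr: str) -> bool:
    """True if addr lies inside any entry of SUSPECT_NETS (bad strings never match)."""
    try:
        a = ip_address(addr)
    except ValueError:
        return False
    return any(a in net for net in SUSPECT_NETS)


def find_hits(lines: Iterable[str]) -> List[Flow]:
    """Return every logged new flow whose source or destination is suspect."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow and (is_suspect(flow.dst) or is_suspect(flow.src)):
            hits.append(flow)
    return hits


if __name__ == "__main__":
    for f in find_hits(SAMPLE_LINES):
        direction = "inbound" if f.out_if == "" else "outbound/forwarded"
        print(f"{direction}: {f.src}:{f.sport} -> {f.dst}:{f.dport} ({f.proto})")
```

On the sample above this reports the LAN host's connection to 198.51.100.77:4444 and that same address probing the router's SSH port. One caveat worth keeping in mind: a NEW-state LOG entry is written for the first packet of a flow (the SYN, for TCP), before any reply has arrived, so it records a connection attempt rather than a completed handshake. For genuinely "successful" connections you would need conntrack events or the softflowd/NetFlow route suggested earlier in the thread.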