Currently firewall access on the VR is not logged. You can raise a feature request for adding a log option for ingress/egress firewall rules. While adding firewall rules the user can have an option enableLog/disableLog. By default logs will be disabled.

Thanks,
Jayapal

> -----Original Message-----
> From: David Comerford [mailto:davest...@gmail.com]
> Sent: Friday, 5 July 2013 9:52 PM
> To: users@cloudstack.apache.org; aemne...@gmail.com
> Subject: Re: Virtual Router Firewall Logs
>
> You could SSH into each virtual router and append some logging rules into the
> existing chains. The rules go into the mangle table.
>
> If you wanted to log all drops then you could go for something like this.
> # iptables -I FIREWALL_10.144.100.109 3 -t mangle -j LOG
>
> I put this in line 3 of my FIREWALL_10.144.100.109 chain, just above the DROP
> so it looks something like:
> # iptables -n -v --line-numbers -t mangle -L FIREWALL_10.144.100.109
> Chain FIREWALL_10.144.100.109 (1 references)
> num   pkts bytes target     prot opt in     out     source               destination
> 1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> 2        0     0 RETURN     tcp  --  *      *       2.2.2.2              0.0.0.0/0            tcp dpt:69
> 3        2   120 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
> 4        2   120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Now here are the problems with doing this....
> 1. The logging rules are blown away if anyone adds OR removes any firewall
> rules.
> 2. You will lose the rules if the router is ever re-created for upgrades etc.
>
> So all in all it might not be worth the effort.
> It is a feature people do ask about quite a bit though so could be worth a
> feature request.
>
> Best regards,
> David Comerford
> Mobile: +353 87 1238295
> Email: davest...@gmail.com
> Website: http://dave.ie
> GPG key: http://pgp.dave.ie
>
>
> On 5 July 2013 10:43, Ahmad Emneina <aemne...@gmail.com> wrote:
>
> > You might have to enable that manually on the router, via iptables or
> > rsyslog, I don't see it being logged myself.
> >
> >
> > On Fri, Jul 5, 2013 at 1:57 AM, Len Bellemore <
> > len.bellem...@controlcircle.com> wrote:
> >
> > > Hi Guys,
> > >
> > > Does anyone know where the virtual router logs firewall access requests?
> > > I guess it would be an iptables log of some sort.
> > >
> > > I don't see much in /var/log/messages other than rules being applied.
> > >
> > > Many Thanks
> > >
> > > Len
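
An added example, not part of the thread: one way to make the manual step David describes repeatable, so the LOG rule can be put back above the DROP after a firewall rule change removes it. The function names, the log prefix and the rate limit are assumptions of this example, and it does nothing about the rule being lost when the router is re-created.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, the log prefix and
# the rate limit are assumptions of this example.

# Reads `iptables -t mangle -n --line-numbers -L CHAIN` output on stdin
# (columns without -v: num target prot opt source destination).
# Prints the rule number of the first DROP when the rule directly above it
# is not already a LOG; prints nothing when no insert is needed.
log_insert_position() {
    awk '
        $1 ~ /^[0-9]+$/ {
            if ($2 == "DROP" && !drop) { drop = $1; logged = (prev == "LOG") }
            prev = $2
        }
        END { if (drop && !logged) print drop }'
}

# Inserts a rate-limited LOG rule at the DROP's position, which pushes the
# DROP down one line. Safe to re-run after every firewall rule change.
ensure_drop_logging() {
    chain=$1
    pos=$(iptables -t mangle -n --line-numbers -L "$chain" | log_insert_position)
    [ -n "$pos" ] || return 0
    iptables -t mangle -I "$chain" "$pos" -m limit --limit 10/min \
        -j LOG --log-prefix "FW-DROP "
}

# Constructed sample listing, modelled on the chain shown in the thread
# before the LOG rule was added.
sample_listing() {
    cat <<'EOF'
Chain FIREWALL_10.144.100.109 (1 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    RETURN     tcp  --  2.2.2.2              0.0.0.0/0            tcp dpt:69
3    DROP       all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

# On the router, as root:  ensure_drop_logging FIREWALL_10.144.100.109
```

The rate limit keeps a port scan from flooding the router's log, and the prefix makes the entries easy to filter out of the kernel log.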