After not having much luck debugging queries from a particular piece of management software on the VI3 console, I tried getting firewall logging enabled.
This proved to be a tough exercise, so I thought I'd document it here in case someone else finds it useful. I've marked the topic as a question and will award points to anyone more clued-up than I am that can point out a reasonable way of limiting the output of the logging mechanism to iptables messages only, and not all debug content.
The first part to enabling firewall logging is to use the -v option of esxcfg-firewall. Note, however, that this option does not work on its own and must be used in conjunction with one of the other operations, so run something to the effect of "esxcfg-firewall -v -l", which re-loads the existing configuration and enables logging. (Making any changes to the firewall config after this removes the logging options.)
The next step is to enable debug-logging in syslog to allow you to view the messages. To do this, make a backup copy of /etc/syslog.conf, open /etc/syslog.conf in your favourite text editor and locate the following line:
*.info;mail.none;authpriv.none;cron.none;local6.none;local5.none /var/log/messages
Change *.info to *.debug, so that the line reads as follows:
*.debug;mail.none;authpriv.none;cron.none;local6.none;local5.none /var/log/messages
Now, restart the syslog daemon by running "service syslog restart".
All debug-level messages (including the iptables firewall messages) will now be recorded in /var/log/messages. Use "tail -f /var/log/messages" during debugging sessions to get a real-time view of what's being blocked.
Warning: enabling this level of logging will cause the messages file to grow fairly rapidly. Keep an eye on the free space on the /var volume and disable debug-logging once you've finished debugging.
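The procedure above (reload the firewall with -v, raise the /var/log/messages selector from *.info to *.debug, restart syslog) as one script. This is an added example, not the script Alex links further down the thread and not anything shipped with ESX. The function names, the "apply"/"disable" arguments and the SYSLOG_CONF/FIREWALL_LOG variables are my own; the optional kern.=debug line that copies firewall messages to their own file rests on an assumption the post does not state, namely that iptables LOG messages arrive from the kernel facility at priority debug (which is consistent with *.debug being needed, but not confirmed here).

```shell
#!/bin/sh
# Added example, not from the thread. Enables ESX 3 (VI3) firewall logging on
# the service console. Run as root:  sh log-esx-firewall.sh apply
# Run with "disable" to put the /var/log/messages selector back to *.info.
# With no argument it only defines the functions (so it can be sourced).
set -eu

SYSLOG_CONF="${SYSLOG_CONF:-/etc/syslog.conf}"       # assumed default path
FIREWALL_LOG="${FIREWALL_LOG:-/var/log/firewall}"   # hypothetical target

# Copy the config aside before touching it; prints the backup path.
backup_conf() {
    conf="$1"
    bak="$conf.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$conf" "$bak"
    printf '%s\n' "$bak"
}

# Print the selector of the line that routes to /var/log/messages, e.g.
# "*.info;mail.none;authpriv.none;...". Used to verify the edit took effect.
messages_selector() {
    awk '$NF == "/var/log/messages" && $1 !~ /^#/ { print $1; exit }' "$1"
}

# Change the priority of the "*" selector on the /var/log/messages line
# (info -> debug to enable, debug -> info to disable). Only that one line is
# rewritten; the facility.none exclusions and the target file are kept.
set_messages_level() {
    conf="$1"; from="$2"; to="$3"
    bak=$(backup_conf "$conf")
    # Writing back through the original path keeps its owner and mode.
    sed "s|^\*\.$from\(;.*[[:space:]]/var/log/messages[[:space:]]*\)\$|*.$to\1|" \
        "$bak" > "$conf"
}

# Optional: also send firewall messages to their own file so they are not
# buried in the rest of the debug output. ASSUMPTION (not stated in the
# thread): the iptables messages come from the kernel at priority debug;
# "kern.=debug" in sysklogd selects exactly that priority. Idempotent.
route_firewall_to_file() {
    conf="$1"
    grep -q "[[:space:]]$FIREWALL_LOG\$" "$conf" && return 0
    printf 'kern.=debug\t%s\n' "$FIREWALL_LOG" >> "$conf"
}

apply_to_host() {
    set_messages_level "$SYSLOG_CONF" info debug
    route_firewall_to_file "$SYSLOG_CONF"
    service syslog restart
    # -v only takes effect alongside another operation; -l reloads the
    # existing rule set. Any later esxcfg-firewall change drops the -v.
    esxcfg-firewall -v -l
    echo "Firewall logging on; watch it with: tail -f /var/log/messages"
}

disable_on_host() {
    set_messages_level "$SYSLOG_CONF" debug info
    service syslog restart
    echo "Debug logging off; backups are in $SYSLOG_CONF.bak.*"
}

case "${1:-}" in
    apply)   apply_to_host ;;
    disable) disable_on_host ;;
    *)       : ;;   # no argument: functions defined only
esac
```

Keep the "disable" path in mind for the /var warning above: it only lowers the syslog level; the firewall keeps logging until the next esxcfg-firewall change, which clears -v anyway.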
Nice work! I'd spotted the -v flag but hadn't figured out how to get it to work. Thanks for sharing the info.
Thanks! To be honest, I only found out about it (-v) because of a post you made here! The rest was mostly just figuring out why the messages weren't showing up in /var/messages.
Alex, can we see another script on the horizon..?
Heh, well seeing as you asked so nicely, here's a quick script to automate the enabling of firewall logging.
http://users.ox.ac.uk/~alexm/log-esx-firewall.tar.gz
Configures syslog.conf and enables esx firewall logging, output goes to /var/log/firewall.
Thanks for the script.
Only a "service syslog restart" is missing at the end.
Point your syslog.conf file to a syslog server and then do your parsing from there. It should be easy to filter for what you are looking for and then you won't have to worry about /var filling up.