VMware Cloud Community
jhanekom
Virtuoso

How to enable firewall logging on ESX 3

After not having much luck debugging queries from a particular piece of management software on the VI3 console, I tried getting firewall logging enabled.

This proved to be a tough exercise, so I thought I'd document it here in case someone else finds it useful. I've marked the topic as a question and will award points to anyone more clued-up than I am that can point out a reasonable way of limiting the output of the logging mechanism to iptables messages only, and not all debug content.

The first part to enabling firewall logging is to use the -v option of esxcfg-firewall. Note, however, that this option does not work on its own and must be used in conjunction with one of the other operations, so run something to the effect of "esxcfg-firewall -v -l", which re-loads the existing configuration and enables logging. (Making any changes to the firewall config after this removes the logging options.)

The next step is to enable debug-logging in syslog to allow you to view the messages. To do this, make a backup copy of /etc/syslog.conf, open /etc/syslog.conf in your favourite text editor and locate the following line:

*.info;mail.none;authpriv.none;cron.none;local6.none;local5.none /var/log/messages

Change *.info to *.debug, so that the line reads as follows:

*.debug;mail.none;authpriv.none;cron.none;local6.none;local5.none /var/log/messages

Now, restart the syslog daemon by running "service syslog restart".

All debug-level messages (including the iptables firewall messages) will now be recorded in /var/log/messages. Use "tail -f /var/log/messages" during debugging sessions to get a real-time view of what's being blocked.

Warning: enabling this level of logging will cause the messages file to grow fairly rapidly. Keep an eye on the free space on the /var volume and disable debug-logging once you've finished debugging.

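The syslog.conf edit and its reversal from the post above, as an added shell example (not the thread's own script, and not the one linked later in the thread). The sample configuration line is constructed from the post; apply_on_esx is the only part that touches a real ESX 3 host and assumes the esxcfg-firewall and service commands as the post uses them.

```shell
#!/bin/sh
# Added example: automates the syslog.conf change from the post and lets it
# be undone once debugging is finished, so /var does not keep filling up.

# Constructed sample of the relevant syslog.conf line (not a real ESX file).
SAMPLE_CONF='*.info;mail.none;authpriv.none;cron.none;local6.none;local5.none /var/log/messages'

# Change *.info to *.debug on the /var/log/messages rule only, keeping a
# backup copy first. Returns 0 if the rule was changed, 1 if it was not found.
enable_syslog_debug() {
    conf="$1"
    cp "$conf" "$conf.bak" || return 1
    sed 's|^\*\.info\(;.*/var/log/messages\)$|*.debug\1|' "$conf.bak" > "$conf"
    grep -q '^\*\.debug;.*/var/log/messages$' "$conf"
}

# Restore the backup taken by enable_syslog_debug (the "disable" step).
disable_syslog_debug() {
    conf="$1"
    [ -f "$conf.bak" ] || return 1
    mv "$conf.bak" "$conf"
}

# Print the level word ("info" or "debug") of the /var/log/messages rule.
messages_level() {
    sed -n 's|^\*\.\([a-z]*\);.*/var/log/messages$|\1|p' "$1"
}

# On a real ESX 3 host (assumed commands from the post): edit the live
# config, restart syslog, then re-load the firewall rules with logging on.
apply_on_esx() {
    enable_syslog_debug /etc/syslog.conf || return 1
    service syslog restart
    esxcfg-firewall -v -l
}

# Offline demonstration on a temporary copy of the constructed sample.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_CONF" > "$tmp"
    enable_syslog_debug "$tmp" && messages_level "$tmp"   # prints: debug
    disable_syslog_debug "$tmp" && messages_level "$tmp"  # prints: info
    rm -f "$tmp"
}

demo
```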
6 Replies
admin
Immortal

Nice work! I'd spotted the -v flag but hadn't figured how to get it to work. Thanks for sharing the info.

jhanekom
Virtuoso

Thanks! To be honest, I only found out about it (-v) because of a post you made here! The rest was mostly just figuring out why the messages weren't showing up in /var/messages.

acr
Champion

Alex, can we see another script on the horizon..?

admin
Immortal

Heh, well seeing as you asked so nicely, here's a quick script to automate the enabling of firewall logging.

http://users.ox.ac.uk/~alexm/log-esx-firewall.tar.gz

Configures syslog.conf and enables ESX firewall logging; output goes to /var/log/firewall.

bil_s
Contributor

Thanks for the script.

Only a "service syslog restart" is missing at the end.

siglert
Enthusiast

Point your syslog.conf file to a syslog server and then do your parsing from there. It should be easy to filter for what you are looking for and then you won't have to worry about /var filling up.
