Viewing the Firewall Log

The firewall creates log entries for each rule configured to log and for various other internal rules such as default deny rules. There are several ways to view these log entries, each with varying levels of detail. There is no particular best method as it depends on preferences and skill level of the firewall administrators, though using the GUI is the easiest method.

Tip

The logging behavior of the default deny rules and other internal rules can be controlled using the Settings tab under Status > System Logs. See Logging Preferences for details.

Like other logs, the firewall log only retains a certain number of entries. If the needs of an organization require a permanent record of firewall logs for a longer period of time, see Remote Logging with Syslog for information on copying these log entries to a syslog server as they happen.

Viewing in the GUI

To view firewall logs in the GUI, navigate to Status > System Logs, Firewall tab.

By default, this page parses and renders firewall log entries in an easy-to-read format.

../../_images/firewall-log_gui.png

Example Log Entries Viewed From The GUI

See also

Several aspects of firewall log display behavior are controlled by options on the Settings tab. See Log Settings for information on how to view and change these log settings.

The parsed GUI logs, shown in Figure Example Log Entries Viewed From The GUI, are in multiple columns:

Action:

Icon representing the firewall rule action which resulted in the log entry (e.g. pass or block).

Hovering the mouse over the action icon displays several details about the log entry in a popup, including which rule triggered the log entry. These details can be useful when troubleshooting rule issues.

../../_images/firewall-log-entry-detail.png

Firewall Log Entry Detail

The details displayed by this view include:

Action:

Full text of the firewall rule action which triggered this log entry (e.g. Pass, Block, etc.)

Reason:

The reason the log entry was generated, e.g. match. There are several possible reason strings which are typically self-explanatory based on the text, such as match being from a packet matching a rule. Reasons can also include things like state mismatches, checksum mismatches, time mismatches, hitting state limitations, or even the presence of IP options.

Tracker ID:

The firewall Rule Tracking ID which uniquely identifies this rule.

Matched Rule:

The rule which matched this packet, if the firewall was able to locate the rule.

Associated Rules:

A list of rules with the same tracking ID as the rule which generated the log entry. This can help narrow down which rule may have triggered a log entry when the firewall could not locate an exact match.

Time:

The time that the packet arrived.

Interface:

Where the packet entered the firewall.

The GUI prints a ► character next to the interface if a rule matched a packet in the outbound direction. The vast majority of rules match in the inbound direction, so the direction is omitted in that case.

Rule:

The firewall rule description and rule tracking ID which generated the log entry, if available. This column only appears when rule descriptions are configured to appear in a separate column. They may also be shown in a separate row, or disabled entirely.

Source:

The source IP address and port.

Clicking the fa-info icon next to the source and destination IP addresses makes the firewall perform a DNS lookup on the IP address. If the address has a valid hostname, the page will display it underneath the IP address in all instances of that address on the page.

Clicking the fa-minus-square icon next to the source IP address or the fa-plus-square-regular icon next to the destination IP address will add firewall rules based on those addresses using EasyRule.

Destination:

The destination IP address and port.

Protocol:

The protocol of the packet, e.g. ICMP, TCP, UDP, etc.

Log entries for TCP packets have extra information appended to the protocol field displaying TCP flags present in the packet. These flags indicate various connection states or packet attributes.

See also

TCP Flags

The GUI can also filter log output to find specific entries, so long as they exist in log files on the device. Click fa-filter to display the filtering options. See Filtering Log Entries for more information.

Viewing from the Console Menu

Option 10 from the console menu views and follows the filter.log in real time. An easy example is a log entry like that seen above in Figure Example Log Entries Viewed From The GUI:

Aug  3 08:59:02 master filterlog: 5,16777216,,1000000103,igb1,match,block,in,4,0x10,,128,0,0,
none,17,udp,328,198.51.100.1,198.51.100.2,67,68,308

This single line shows that the log entry was triggered by rule id 1000000103, which resulted in a block action on the igb1 interface. The source and destination IP addresses are shown near the end of the log entry, followed by the source and destination port. Packets from other protocols may show significantly more data.

See also

See Raw Filter Log Format for details on the format of the filter log file.

Viewing from the Shell

When using the shell, either from SSH or from the console, there are numerous options available to view the filter logs.

When directly viewing the contents of the log file, the log entries can be quite complex and verbose.

For information on viewing logs from the shell, see Working with Log Files.

Viewing parsed log output in the shell

There is a simple log parser written in PHP which can be used from the shell to produce reduced output instead of the full raw log. To view the parsed contents of the current log, run:

# cat /var/log/filter.log | filterparser.php

The script prints the log entries one per line, with simplified output:

Aug  3 08:59:02 block igb1 UDP 198.51.100.1:67 198.51.100.2:68

Finding the rule which caused a log entry

When viewing one of the raw log formats, the log includes the Rule Tracking ID for an entry. This tracking ID can be used to find the rule which caused the match.

The following example locates the rule with a tracking ID of 1000000103:

# pfctl -vvsr | grep 1000000103
@4 block drop in log inet all label "Default deny rule IPv4" ridentifier 1000000103

As shown in the above output, this was the default deny rule for IPv4.