Viewing the Firewall Log
The firewall creates log entries for each rule configured to log and for the default deny rule. There are several ways to view these log entries, each with varying levels of detail. There is no clear “best” method since it depends on the preferences and skill level of the firewall administrators, though using the GUI is the easiest method.
Tip
The logging behavior of the default deny rules and other internal rules can be controlled using the Settings tab under Status > System Logs. See Log Settings for details.
Like other logs, the firewall log only retains a certain number of entries. If the needs of an organization require a permanent record of firewall logs for a longer period of time, see Remote Logging with Syslog for information on copying these log entries to a syslog server as they happen.
Viewing in the GUI
The firewall logs are visible in the GUI at Status > System Logs, on the Firewall tab. From there, the logs can be viewed as a parsed log, which is easier to read, or as a raw log, which contains more detail. There is also a setting to show these entries in forward or reverse order. If the order in which the log entries are displayed is unknown, check the timestamp of the first and last lines, or check Log Settings for information on how to view and change these settings.
The parsed GUI logs, seen in Figure Example Log Entries Viewed From The GUI, are in multiple columns:
- Action:
Shows what happened to the packet which generated the log entry (e.g. pass or block)
The Action icon is a link which, when clicked, looks up and displays the rule which caused the log entry. More often than not, this says “Default Deny Rule”, but when troubleshooting rule issues it can help narrow down suspects.
- Time:
The time that the packet arrived.
- Interface:
Where the packet entered the firewall.
The GUI prints a ► character next to the interface if a rule matched a packet in the outbound direction. The vast majority of rules match in the inbound direction, so the direction is omitted in that case.
- Rule:
The firewall rule description and ID number which generated the log entry, if available. This column only appears when rule descriptions are set to appear in a separate column. They may also be shown in a separate row, or disabled entirely. See Log Settings for details.
- Source:
The source IP address and port.
The icon next to the source and destination IP addresses, when clicked, makes the firewall perform a DNS lookup on the IP address. If the address has a valid hostname it will be displayed underneath the IP address in all instances of that address on the page.
The icon next to the source IP address and the icon next to the destination IP address are for adding firewall rules with EasyRule. See Using EasyRule to Manage Firewall Rules for details.
- Destination:
The destination IP address and port.
- Protocol:
The protocol of the packet, e.g. ICMP, TCP, UDP, etc.
Log entries for TCP packets have extra information appended to the protocol field displaying TCP flags present in the packet. These flags indicate various connection states or packet attributes. The meanings for each flag are outlined in TCP Flags.
The GUI can also filter log output to find specific entries, so long as they exist in the current log. Click to display the filtering options. See Filtering Log Entries for more information.
Viewing from the Shell
When using the shell, either from SSH or from the console, there are numerous options available to view the filter logs.
When directly viewing the contents of the log file, the log entries can be quite complex and verbose.
For information on viewing logs from the shell, see Working with Log Files.
Viewing parsed log output in the shell
There is a simple log parser written in PHP which can be used from the shell to produce reduced output instead of the full raw log. To view the parsed contents of the current log, run:
# cat /var/log/filter.log | filterparser.php
The script prints the log entries one per line, with simplified output:
Aug 3 08:59:02 block igb1 UDP 198.51.100.1:67 198.51.100.2:68
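The following Python script is an added example, not part of the pfSense documentation or the filterparser.php script, showing how the raw filter.log records map onto the GUI columns described above (Action, Time, Interface, Rule tracker, Source, Destination, Protocol and TCP flags) and how the reduced one-line form shown above is produced from them. The syslog prefix and the comma-separated field layout it expects (including the separate IPv6 layout) are assumptions about the filterlog record format, and the log lines it parses are constructed sample data, not real log output.

```python
import re
from typing import Optional

# Constructed sample of raw filter.log lines (not real log data). The
# comma-separated record after "filterlog[pid]:" is assumed to be laid out as:
#   IPv4: rulenr,subrulenr,anchor,tracker,interface,reason,action,dir,4,tos,ecn,
#         ttl,id,offset,flags,protoid,protoname,length,src,dst,srcport,dstport,
#         datalen[,tcpflags,seq,ack,window,urg,options]
#   IPv6: rulenr,subrulenr,anchor,tracker,interface,reason,action,dir,6,class,
#         flowlabel,hoplimit,protoname,protoid,length,src,dst,srcport,dstport,...
SAMPLE_LOG = """\
Aug  3 08:59:02 fw filterlog[40111]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,328,198.51.100.1,198.51.100.2,67,68,308
Aug  3 08:59:05 fw filterlog[40111]: 67,,,1583846293,igb0,match,pass,in,4,0x0,,63,12412,0,DF,6,tcp,60,203.0.113.9,198.51.100.10,51522,443,0,S,1861023152,,65535,,mss;sackOK;TS;nop;wscale
Aug  3 08:59:06 fw filterlog[40111]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,none,1,icmp,84,198.51.100.7,198.51.100.2,request,57,1
Aug  3 08:59:07 fw filterlog[40111]: 5,,,1000000104,igb1,match,block,in,6,0x00,0x00000,255,udp,17,56,fe80::1,ff02::1,546,547,16
Aug  3 09:00:00 fw sshd[811]: Accepted publickey for admin from 198.51.100.50
"""

# Assumed BSD-style syslog prefix followed by the filterlog record.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ filterlog\[\d+\]: (?P<csv>.*)$"
)

# Assumed positions of (protoname, src, dst) per IP version. TCP/UDP ports are
# the two fields after dst; the TCP flags field is four fields after dst.
LAYOUT = {"4": (16, 18, 19), "6": (12, 15, 16)}


def parse_filterlog_line(line: str) -> Optional[dict]:
    """Return the GUI-style columns for one raw line, or None if the line is
    not a filterlog record (other daemons write to syslog too)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9 or f[8] not in LAYOUT:
        return None
    proto_i, src_i, dst_i = LAYOUT[f[8]]
    if len(f) <= dst_i:
        return None  # truncated record
    entry = {
        "time": " ".join(m.group("ts").split()),  # collapse "Aug  3" to "Aug 3"
        "action": f[6],           # pass / block / reject
        "direction": f[7],        # in / out (the GUI marks "out" with a ► symbol)
        "interface": f[4],
        "rule_number": f[0],      # the @N rule number in pfctl output
        "tracker": f[3],          # the ridentifier used to find the rule later
        "ip_version": f[8],
        "protocol": f[proto_i].upper(),
        "src": f[src_i],
        "dst": f[dst_i],
        "src_port": None,
        "dst_port": None,
        "tcp_flags": None,
    }
    if entry["protocol"] in ("TCP", "UDP") and len(f) > dst_i + 2:
        entry["src_port"], entry["dst_port"] = f[dst_i + 1], f[dst_i + 2]
    if entry["protocol"] == "TCP" and len(f) > dst_i + 4:
        entry["tcp_flags"] = f[dst_i + 4]
    return entry


def parse_log(text: str) -> list:
    """Parse every filterlog record in a block of syslog text."""
    entries = (parse_filterlog_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def format_parsed(entry: dict) -> str:
    """Render an entry in the reduced one-line form:
    time action interface proto[:flags] src[:port] dst[:port]."""
    def endpoint(addr, port):
        return f"{addr}:{port}" if port is not None else addr
    proto = entry["protocol"]
    if entry["tcp_flags"]:
        proto += ":" + entry["tcp_flags"]  # flags appended like the GUI does
    return " ".join([entry["time"], entry["action"], entry["interface"], proto,
                     endpoint(entry["src"], entry["src_port"]),
                     endpoint(entry["dst"], entry["dst_port"])])


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(format_parsed(e), f"(tracker {e['tracker']})")
```

The tracker value is carried through deliberately: it is the same number that the Action column link in the GUI resolves to a rule, and the same one used below to search the loaded ruleset.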
Finding the rule which caused a log entry
When viewing one of the raw log formats, the log includes the rule ID number for an entry. This rule number can be used to find the rule which caused the match. The following example locates the rule with ID 1000000103:
# pfctl -vvsr | grep 1000000103
@4 block drop in log inet all label "Default deny rule IPv4" ridentifier 1000000103
As shown in the above output, this was the default deny rule for IPv4.
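An added example, not part of the pfSense documentation, that does the same lookup in Python so that a tracker ID taken from a log entry is matched exactly rather than as a substring (a plain grep for 1000000103 would also match any longer ID containing those digits). The pfctl output it parses is a constructed sample; the assumption is that each rule appears on a line beginning with @N, optionally carrying a label "..." and a ridentifier N field, followed by indented counter lines.

```python
import re
import subprocess
from typing import Optional

# Constructed sample of `pfctl -vvsr` output (not captured from a real system).
SAMPLE_PFCTL = """\
@0 scrub in on igb0 all fragment reassemble
  [ Evaluations: 1234      Packets: 1200      Bytes: 800000      States: 3     ]
@4 block drop in log inet all label "Default deny rule IPv4" ridentifier 1000000103
  [ Evaluations: 5000      Packets: 42        Bytes: 9000        States: 0     ]
@5 block drop in log inet6 all label "Default deny rule IPv6" ridentifier 1000000104
  [ Evaluations: 5000      Packets: 3         Bytes: 300         States: 0     ]
@67 pass in quick on igb0 inet proto tcp from any to 198.51.100.10 port = https flags S/SA keep state label "USER_RULE: Allow HTTPS to web" ridentifier 1583846293
  [ Evaluations: 4000      Packets: 3900      Bytes: 2000000     States: 12    ]
"""

RULE_LINE_RE = re.compile(r"^@(\d+) (.*)$")
LABEL_RE = re.compile(r'label "([^"]*)"')
RID_RE = re.compile(r"ridentifier (\d+)")


def parse_pfctl_rules(text: str) -> list:
    """Turn pfctl -vvsr output into a list of rule dicts, skipping the
    indented counter lines that follow each rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE_RE.match(line)
        if not m:
            continue
        body = m.group(2)
        label = LABEL_RE.search(body)
        rid = RID_RE.search(body)
        rules.append({
            "number": int(m.group(1)),
            "rule": body,
            "label": label.group(1) if label else None,
            "ridentifier": rid.group(1) if rid else None,  # None for rules without a tracker
        })
    return rules


def find_rule(rules: list, tracker) -> Optional[dict]:
    """Return the rule whose ridentifier equals the tracker ID from a log entry,
    comparing the whole number so that 1000000103 never matches 11000000103."""
    wanted = str(tracker)
    for rule in rules:
        if rule["ridentifier"] == wanted:
            return rule
    return None


def load_live_rules() -> list:
    """Read the loaded ruleset from pf itself (requires root on the firewall)."""
    out = subprocess.run(["pfctl", "-vvsr"], capture_output=True, text=True, check=True)
    return parse_pfctl_rules(out.stdout)


if __name__ == "__main__":
    hit = find_rule(parse_pfctl_rules(SAMPLE_PFCTL), 1000000103)
    print(f"@{hit['number']} {hit['label']}" if hit else "no rule with that tracker is loaded")
```

A missing match is worth handling rather than ignoring: the ruleset is reloaded whenever the configuration changes, so an old log entry can carry a tracker ID that no longer exists in the loaded rules.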