Viewing the Firewall Log

The firewall creates log entries for each rule configured to log and for the default deny rule. There are several ways to view these log entries, each with varying levels of detail. There is no clear “best” method since it depends on the preferences and skill level of the firewall administrators, though using the GUI is the easiest method.

Tip

The logging behavior of the default deny rules and other internal rules can be controlled using the Settings tab under Status > System Logs. See Log Settings for details.

Like other logs, the firewall log only retains a certain number of entries. If the needs of an organization require a permanent record of firewall logs for a longer period of time, see Remote Logging with Syslog for information on copying these log entries to a syslog server as they happen.

See also

• Troubleshooting Blocked Log Entries for Legitimate Connection Packets

• Working with Log Files

• Log Settings

• Filtering Log Entries

Viewing in the GUI

The firewall logs are visible in the GUI at Status > System Logs, on the Firewall tab. From there, the logs can be viewed as a parsed log, which is easier to read, or as a raw log, which contains more detail. There is also a setting to show these entries in forward or reverse order. If the order the log entries being displayed is unknown, check the timestamp of the first and last lines, or check Log Settings for information on how to view and change these settings.

The parsed GUI logs, seen in Figure Example Log Entries Viewed From The GUI, are in multiple columns:

Action:

Shows what happened to the packet which generated the log entry (e.g. pass or block)

The Action icon is a link which, when clicked, looks up and displays the rule which caused the log entry. More often than not, this says “Default Deny Rule”, but when troubleshooting rule issues it can help narrow down suspects.

Time:

The time that the packet arrived.

Interface:

Where the packet entered the firewall.

The GUI prints a ► character next to the interface if a rule matched a packet in the outbound direction. The vast majority of rules match in the inbound direction, so the direction is omitted in that case.

Rule:

The firewall rule description and ID number which generated the log entry, if available. This column only appears when rule descriptions are set to appear in a separate column. They may also be shown in a separate row, or disabled entirely. See Log Settings for details.

Source:

The source IP address and port.

The icon next to the source and destination IP addresses, when clicked, makes the firewall perform a DNS lookup on the IP address. If the address has a valid hostname it will be displayed underneath the IP address in all instances of that address on the page.

The icon next to the source IP address and the icon next to the destination IP address are for adding firewall rules with EasyRule. See Using EasyRule to Manage Firewall Rules for details.

Destination:

The destination IP address and port.

Protocol:

The protocol of the packet, e.g. ICMP, TCP, UDP, etc.

Log entries for TCP packets have extra information appended to the protocol field displaying TCP flags present in the packet. These flags indicate various connection states or packet attributes. The meanings for each flag are outlined in TCP Flags.

Example Log Entries Viewed From The GUI

The GUI can also filter log output to find specific entries, so long as they exist in the current log. Click to display the filtering options. See Filtering Log Entries for more information.

Viewing from the Console Menu

Option 10 from the console menu views and follows the filter.log in real time. An easy example is a log entry like that seen above in Figure Example Log Entries Viewed From The GUI:

Aug  3 08:59:02 master filterlog: 5,16777216,,1000000103,igb1,match,block,in,4,0x10,,128,0,0,
none,17,udp,328,198.51.100.1,198.51.100.2,67,68,308

This single line shows that the log entry was triggered by rule id 1000000103, which resulted in a block action on the igb1 interface. The source and destination IP addresses are shown near the end of the log entry, followed by the source and destination port. Packets from other protocols may show significantly more data.

See also

See Raw Filter Log Format for details on the format of the filter log file.

Viewing from the Shell

When using the shell, either from SSH or from the console, there are numerous options available to view the filter logs.

When directly viewing the contents of the log file, the log entries can be quite complex and verbose.

For information on viewing logs from the shell, see Working with Log Files.

Viewing parsed log output in the shell

There is a simple log parser written in PHP which can be used from the shell to produce reduced output instead of the full raw log. To view the parsed contents of the current log, run:

# cat /var/log/filter.log | filterparser.php

The script prints the log entries one per line, with simplified output:

Aug  3 08:59:02 block igb1 UDP 198.51.100.1:67 198.51.100.2:68

Finding the rule which caused a log entry

When viewing one of the raw log formats, the log includes the rule ID number for an entry. This rule number can be used to find the rule which caused the match. The following example locates the rule with id 1000000103:

# pfctl -vvsr | grep 1000000103
@4 block drop in log inet all label "Default deny rule IPv4" ridentifier 1000000103

As shown in the above output, this was the default deny rule for IPv4.