
Enabling logging and analyzing Linux firewall logs.

Feb 10, 2022 6 min read

The basic function of a firewall is to stop connections from suspicious networks or sources. It inspects the source address, destination address, and port of every connection and decides whether to allow or block the traffic. Every action taken by the firewall is recorded as log data. Monitoring and analyzing these logs is essential to protecting your network from attacks, and to do that, you need to enable logging first. Below are the procedures for enabling logging in Linux firewalls.

Firewall log collection in Linux

On Linux systems, iptables is the command-line interface used to set up and maintain the tables of rules for the Netfilter IPv4 firewall, which is included by default in the Linux kernel. When a connection tries to establish itself on the system, iptables looks for a matching rule in its list to decide whether the connection should be allowed or denied. If no rule matches, it falls back to the default action.

iptables is pre-installed on most Linux systems. It uses three different chains (INPUT, FORWARD, and OUTPUT) to control the traffic coming into the network, re-routed within the network, and going out of the network.

Enabling logging on iptables is essential to monitor the inbound and outbound traffic.

Enabling logging in iptables

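Use the following command to enable logging in iptables. Because -A appends the rule to the end of the INPUT chain, packets that an earlier rule has already accepted or dropped never reach it, so check where the LOG rule sits relative to your existing rules.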

iptables -A INPUT -j LOG

To enable logging for a specific IP address or range, use the command below, replacing the placeholder with the source address or CIDR range:

iptables -A INPUT -s <IP-address-or-range> -j LOG

To define the level of the log entries generated by iptables, use --log-level followed by the level number (a syslog priority; 4 is warning). Refer to the syntax of the command below:

iptables -A INPUT -s <IP-address-or-range> -j LOG --log-level 4

If you're analyzing the logs manually, add a prefix to the generated log entries so that they are easier to find among the large volume of log data. The command to do this is given below. Alternatively, you can always choose a log management solution, such as EventLog Analyzer, to collect, monitor, analyze, and get actionable insights into firewall logs.

iptables -A INPUT -s <IP-address-or-range> -j LOG --log-prefix '** SUSPECT **'

Viewing iptables log

After enabling logging, you can always sift through the log files in these locations:

Ubuntu and Debian: tail -f /var/log/kern.log
CentOS, RHEL, and Fedora: cat /var/log/messages
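
The manual analysis step described above, as an added example that is not part of the original article: a Python parser that picks out entries carrying the '** SUSPECT **' prefix, counts them per source, protocol and destination port, and lists sources that touched several distinct ports. The sample lines are constructed (documentation address ranges), and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

PREFIX = "** SUSPECT **"               # the --log-prefix value used in this article
FIELD = re.compile(r"([A-Z]+)=(\S*)")  # KEY=value pairs written by the LOG target

# Constructed sample in kern.log style; note the prefix runs straight into "IN=".
SAMPLE = """\
Feb 10 09:14:01 fw01 kernel: [ 101.000001] ** SUSPECT **IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 SYN URGP=0
Feb 10 09:14:02 fw01 kernel: [ 102.000001] ** SUSPECT **IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 SYN URGP=0
Feb 10 09:14:03 fw01 kernel: [ 103.000001] ** SUSPECT **IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 ID=3 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=29200 SYN URGP=0
Feb 10 09:14:04 fw01 kernel: [ 104.000001] ** SUSPECT **IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 ID=4 DF PROTO=TCP SPT=51237 DPT=3389 WINDOW=29200 SYN URGP=0
Feb 10 09:14:05 fw01 kernel: [ 105.000001] ** SUSPECT **IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TTL=50 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Feb 10 09:14:06 fw01 kernel: [ 106.000001] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

def parse_line(line, prefix=PREFIX):
    """Return the LOG fields of a line carrying `prefix`, or None for other lines."""
    _, found, rest = line.partition(prefix)
    if not found:
        return None
    fields = dict(FIELD.findall(rest))
    # Tokens without '=' are flags such as DF, SYN or ACK.
    fields["FLAGS"] = {tok for tok in rest.split() if "=" not in tok}
    return fields

def summarize(text, prefix=PREFIX):
    """Count hits per (source, protocol, destination port) and collect ports per source."""
    hits, ports = Counter(), {}
    for line in text.splitlines():
        f = parse_line(line, prefix)
        if f is None or "SRC" not in f:
            continue
        hits[(f["SRC"], f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
        if "DPT" in f:  # ICMP entries carry no destination port
            ports.setdefault(f["SRC"], set()).add(f["DPT"])
    return hits, ports

def many_ports(ports, threshold=3):
    """Sources seen on at least `threshold` distinct destination ports."""
    return sorted(src for src, seen in ports.items() if len(seen) >= threshold)

if __name__ == "__main__":
    hits, ports = summarize(SAMPLE)
    for (src, proto, dpt), n in hits.most_common():
        print(f"{n:3d}  {src:15s} {proto:5s} dpt={dpt}")
    print("many distinct ports:", many_ports(ports))
```

To run it against a real log, pass the contents of /var/log/kern.log or /var/log/messages to summarize() instead of SAMPLE.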

  Zoho Corporation Pvt. Ltd. All rights reserved.
