Raspberry Pi – UFW Firewall – Using fwlogwatch to look at the logs

After working with UFW, I wondered what options might be available for sifting through /var/log/messages to glean some nuggets of information. I found something called fwlogwatch. You install it with sudo apt-get install fwlogwatch. As part of the base package, it also installs what is required to email a report out to you if you would like to use that feature; select the "no internet" option for now when prompted. Try the different command options first and then decide what you want to email yourself. For most of what I can anticipate using this for, local display of the log summaries in a lab situation will do just fine.

To see all of the options that are available, you can either run man fwlogwatch for the manual page installed with fwlogwatch, or sudo fwlogwatch -h to see a more abbreviated version on the screen.

Running just fwlogwatch will give you the following base report –

pi@raspberrypi:~$ sudo fwlogwatch
fwlogwatch summary
Generated Wednesday February 20 15:43:53 CST 2013 by root.
1110 of 1995 entries in the file “/var/log/messages” are packet logs, 1110 have unique characteristics.
First packet log entry: Feb 18 22:13:45, last: Feb 20 15:43:39.
All entries were logged by the same host: “raspberry”.
All entries have the same target: “-”.

[ 24.404796] [UFW ALLOW] 1 packet from 192.168.0.156 to 192.168.0.1
[ 24.404731] [UFW AUDIT] 1 packet from 192.168.0.156 to 192.168.0.1
[ 24.402618] [UFW AUDIT] eth0 1 packet from 192.168.0.1 to 192.168.0.156
[ 24.285651] [UFW ALLOW] 1 packet from 192.168.0.156 to 192.168.0.1

This does a good job of sifting through the messages file and pulling out just the UFW entries. Adding the -n flag tells fwlogwatch to do a DNS lookup on all of the IP addresses. Sometimes seeing the hostnames gives you all you need to know.

pi@raspberrypi:~$ sudo fwlogwatch -n
fwlogwatch summary
Generated Wednesday February 20 15:54:08 CST 2013 by root.
1239 of 2124 entries in the file “/var/log/messages” are packet logs, 1239 have unique characteristics.
First packet log entry: Feb 18 22:13:45, last: Feb 20 15:54:01.
All entries were logged by the same host: “raspberry”.
All entries have the same target: “-”.

[ 2490.423147] [UFW ALLOW] 1 packet from 192.168.0.156 (raspberrypi.local.tld) to 199.102.46.72 (tock.usshc.com)
[ 2490.423081] [UFW AUDIT] 1 packet from 192.168.0.156 (raspberrypi.local.tld) to 199.102.46.72 (tock.usshc.com)

When trying out the different options, use -M followed by a number to limit how many entries are displayed on the screen. This lets you experiment with the options without having to sift through pages and pages of output each time.

pi@raspberrypi:~$ sudo fwlogwatch -n -M 10
fwlogwatch summary
Generated Wednesday February 20 16:02:09 CST 2013 by root.
1370 of 2255 entries in the file “/var/log/messages” are packet logs, 1370 have unique characteristics.
First packet log entry: Feb 18 22:13:45, last: Feb 20 16:02:04.
All entries were logged by the same host: “raspberry”.
All entries have the same target: “-”.
Only the top 10 entries are shown.

[ 24.404796] [UFW ALLOW] 1 packet from 192.168.0.156 (raspberrypi.local.tld) to 192.168.0.1 (cp.local.tld)
[ 24.404731] [UFW AUDIT] 1 packet from 192.168.0.156 (raspberrypi.local.tld) to 192.168.0.1 (cp.local.tld)
[ 24.402618] [UFW AUDIT] eth0 1 packet from 192.168.0.1 (cp.local.tld) to 192.168.0.156 (raspberrypi.local.tld)
[ 24.285651] [UFW ALLOW] 1 packet from 192.168.0.156 (raspberrypi.local.tld) to 192.168.0.1 (cp.local.tld)
[ 24.285585] [UFW AUDIT] 1 packet from 192.168.0.156 (raspberrypi.local.tld) to 192.168.0.1 (cp.local.tld)
[ 24.283459] [UFW AUDIT] eth0 1 packet from 192.168.0.1 (cp.local.tld) to 192.168.0.156 (raspberrypi.local.tld)
[ 24.180655] [UFW ALLOW] 1 packet from 192.168.0.156 (raspberrypi.local.tld) to 192.168.0.1 (cp.local.tld)
[ 24.180589] [UFW AUDIT] 1 packet from 192.168.0.156 (raspberrypi.local.tld) to 192.168.0.1 (cp.local.tld)
[ 24.177855] [UFW AUDIT] eth0 1 packet from 192.168.0.1 (cp.local.tld) to 192.168.0.156 (raspberrypi.local.tld)
[ 24.133994] [UFW AUDIT] eth0 1 packet from 192.168.0.140 (58-b0-35-fe-87-d1.local.tld) to 192.168.0.255 (-)

Adding the -p option shows the protocol of the packets involved (udp in the output below).

pi@raspberrypi:~$ sudo fwlogwatch -p -n -M 10
fwlogwatch summary
Generated Wednesday February 20 16:09:08 CST 2013 by root.
1418 of 2303 entries in the file “/var/log/messages” are packet logs, 1418 have unique characteristics.
First packet log entry: Feb 18 22:13:45, last: Feb 20 16:08:58.
All entries were logged by the same host: “raspberry”.
All entries have the same target: “-”.
Only the top 10 entries are shown.

[ 24.404796] [UFW ALLOW] 1 udp packet from 192.168.0.156 (raspberrypi.local.tld) to 192.168.0.1 (cp.local.tld)
[ 24.404731] [UFW AUDIT] 1 udp packet from 192.168.0.156 (raspberrypi.local.tld) to 192.168.0.1 (cp.local.tld)
[ 24.402618] [UFW AUDIT] eth0 1 udp packet from 192.168.0.1 (cp.local.tld) to 192.168.0.156 (raspberrypi.local.tld)
[ 24.285651] [UFW ALLOW] 1 udp packet from 192.168.0.156 (raspberrypi.local.tld) to 192.168.0.1 (cp.local.tld)
[ 24.285585] [UFW AUDIT] 1 udp packet from 192.168.0.156 (raspberrypi.local.tld) to 192.168.0.1 (cp.local.tld)
[ 24.283459] [UFW AUDIT] eth0 1 udp packet from 192.168.0.1 (cp.local.tld) to 192.168.0.156 (raspberrypi.local.tld)
[ 24.180655] [UFW ALLOW] 1 udp packet from 192.168.0.156 (raspberrypi.local.tld) to 192.168.0.1 (cp.local.tld)
[ 24.180589] [UFW AUDIT] 1 udp packet from 192.168.0.156 (raspberrypi.local.tld) to 192.168.0.1 (cp.local.tld)
[ 24.177855] [UFW AUDIT] eth0 1 udp packet from 192.168.0.1 (cp.local.tld) to 192.168.0.156 (raspberrypi.local.tld)
[ 24.133994] [UFW AUDIT] eth0 1 udp packet from 192.168.0.140 (58-b0-35-fe-87-d1.local.tld) to 192.168.0.255 (-)
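As an added example that is not part of the original post and not fwlogwatch's own code, here is a small POSIX sh/awk pipeline that reproduces the core of what the summaries above show: it keeps only the lines carrying a UFW tag, groups identical source/destination pairs and counts them (the "unique characteristics" idea), limits the output to the top N entries (like -M), and optionally adds the protocol (like -p). It assumes the standard UFW kernel log format with IN=, OUT=, SRC=, DST= and PROTO= fields; the log lines it runs on are constructed samples written by the script itself, not entries from the post.

```shell
#!/bin/sh
# Added example (not from the post, not fwlogwatch's code): a POSIX sh/awk
# pipeline that mimics the fwlogwatch summary for UFW log lines.
# Assumed log format (standard UFW kernel logging):
#   ... kernel: [ts] [UFW ACTION] IN=eth0 OUT= SRC=a.b.c.d DST=w.x.y.z ... PROTO=UDP ...

# Write a few constructed UFW log lines (sample data, not real traffic) to FILE.
# One non-UFW line is included to show that it is filtered out.
write_sample_log() {
    cat > "$1" <<'EOF'
Feb 20 15:43:39 raspberrypi kernel: [   24.404796] [UFW ALLOW] IN= OUT=eth0 SRC=192.168.0.156 DST=192.168.0.1 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Feb 20 15:43:39 raspberrypi kernel: [   24.402618] [UFW AUDIT] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.0.1 DST=192.168.0.156 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Feb 20 15:43:40 raspberrypi ntpd[1234]: synchronized to 192.168.0.1, stratum 3
Feb 20 15:43:41 raspberrypi kernel: [   26.285651] [UFW ALLOW] IN= OUT=eth0 SRC=192.168.0.156 DST=192.168.0.1 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Feb 20 15:43:41 raspberrypi kernel: [   26.283459] [UFW AUDIT] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.0.1 DST=192.168.0.156 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Feb 20 15:43:43 raspberrypi kernel: [   28.180655] [UFW ALLOW] IN= OUT=eth0 SRC=192.168.0.156 DST=192.168.0.1 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Feb 20 15:43:50 raspberrypi kernel: [   35.133994] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.0.140 DST=192.168.0.156 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
}

# ufw_summary FILE TOPN [-p]
#   Prints "COUNT ACTION [IFACE] [PROTO] SRC -> DST", most frequent first,
#   limited to TOPN lines (like fwlogwatch -M). Pass -p as the third
#   argument to split the groups by protocol (like fwlogwatch -p).
ufw_summary() {
    file=$1; topn=${2:-10}; proto=${3:-}
    # keep only lines that carry a UFW tag
    grep '\[UFW ' "$file" |
    awk -v want_proto="$proto" '
    {
        action = ""; iface = ""; src = ""; dst = ""; pr = ""
        for (i = 1; i <= NF; i++) {
            # "[UFW ALLOW]" splits into "[UFW" and "ALLOW]"; drop the bracket
            if ($i == "[UFW") { action = $(i + 1); sub(/\]$/, "", action) }
            else if ($i ~ /^IN=./)   iface = substr($i, 4)   # incoming interface, if any
            else if ($i ~ /^SRC=/)   src = substr($i, 5)
            else if ($i ~ /^DST=/)   dst = substr($i, 5)
            else if ($i ~ /^PROTO=/) pr = tolower(substr($i, 7))
        }
        if (src == "" || dst == "") next
        key = action
        if (iface != "") key = key " " iface
        if (want_proto == "-p") key = key " " pr
        key = key " " src " -> " dst
        count[key]++
    }
    END { for (k in count) print count[k], k }' |
    sort -rn -k1,1 | head -n "$topn"
}

# Demo: write the sample, then show the top 10 groups with protocol, the
# equivalent of "fwlogwatch -p -M 10" minus the hostname resolution.
demo_file=$(mktemp)
write_sample_log "$demo_file"
ufw_summary "$demo_file" 10 -p
rm -f "$demo_file"
```

Point it at /var/log/messages (or /var/log/ufw.log on systems that split UFW logging out) instead of the sample file to get the same kind of summary on a box where fwlogwatch is not installed. Unlike fwlogwatch it does no DNS lookups, and because the grouping ignores ports and timestamps, a burst of BLOCK entries from one source collapses into a single line with a high count, which is usually the line worth reading first.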

There may be other log analysis options available for the Raspberry Pi, but for what I need at this point it gives me more than just doing a tail of the /var/log/messages file, and adds a few goodies such as DNS resolution for good measure.

To see more of my posts about the Raspberry Pi, please go to http://www.ronnutter.com/category/raspberry-pi/
