Mirrored_Repos/unifios-utilities
1
0
Fork 0
mirror of https://github.com/unifi-utilities/unifios-utilities.git synced 2024-08-30 18:32:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
d6da6e68d5
unifios-utilities/ipt-enable-logs/README.md

68 lines
3.5 KiB
Markdown
Raw Normal View History

ipt-enable-logs (#267) * Add some more on_boot..d examples * Add ipt-enable-logs
2021-11-17 06:07:24 +00:00
# Enable log tags on your UDM
## Features
If you're used to the Unifi Security Gateway, you may miss the USG log prefixes that allow you to know which rule blocked certain traffic.
This mod adds logging prefixes to messages from `/var/log/messages` allowing you to trace a particular log message to the respective iptable rule (which is generated from the firewall rules you configure on the Network application, among other things)
## Requirements
1. You have successfully setup the on boot script described [here](https://github.com/boostchicken/udm-utilities/tree/master/on-boot-script)
## General idea
This mod builds a small Go program that modifies the existing iptables to add `--log-prefix` to entries that are defined as loggable through the `-j LOG` directive. The Go program is built in a Docker container local to the UDM.
Here's an example snippet of an iptable modified by this program:
```
-A UBIOS_PREROUTING_USER_HOOK -p tcp -m set --match-set UBIOS_ADDRv4_eth8 dst -m tcp --dport 15060 -j LOG --log-prefix "[DNAT-PRER_U_HK-4294967310] "
-A UBIOS_PREROUTING_USER_HOOK -p tcp -m set --match-set UBIOS_ADDRv4_eth8 dst -m tcp --dport 15060 -m comment --comment 00000000004294967310 -j DNAT --to-destination 192.168.36.10:15060
```
## Steps
1. Copy [on_boot.d/30-ipt-enable-logs-launch.sh](./on_boot.d/30-ipt-enable-logs-launch.sh) to /mnt/data/on_boot.d
1. Copy the [scripts/ipt-enable-logs](./scripts/ipt-enable-logs) folder to /mnt/data/scripts
1. Copy [scripts/ipt-enable-logs.sh](./scripts/ipt-enable-logs.sh) to /mnt/data/scripts
1. Execute /mnt/data/on_boot.d/30-ipt-enable-logs-launch.sh
1. Copy [scripts/refresh-iptables.sh](./scripts/refresh-iptables.sh) to /mnt/data/scripts
## Refreshing iptables
Whenever you update the firewall rules on the Network application, the iptables will be reprovisioned and will need to be reprocessed
by calling /mnt/data/scripts/refresh-iptables.sh.
## Looking at logs
Logs can be followed easily from another machine through SSH by using the following bash functions:
```shell
function logunifijson() {
ssh unifi "tail -f /var/log/messages" | \
rg "kernel:" | \
sed "s/]IN/] IN/" | \
jq --unbuffered -R '. | rtrimstr(" ") | split(": ") | {date: (.[0] | split(" ") | .[0:3] | join(" "))} + (.[1] | capture("\\[.+\\] \\[(?<rule>.*)\\].*")) + ((.[1] | capture("\\[.+\\] (?<rest>.*)") | .rest | split(" ") | map(select(startswith("[") == false) | split("=") | {(.[0]): .[1]})) | (reduce .[] as $item ({}; . + $item)))'
}
function logunifi() {
logunifijson | jq --unbuffered -r '"\(.date) - \(.rule)\tIN=\(.IN) \t\(.PROTO)\tSRC=\(.SRC)@\(.SPT)\tDST=\(.DST)@\(.DPT)\tLEN=\(.LEN)\t"'
}
```
Here's what the output of `logunifi` looks like:
```
Nov 14 10:58:31 - A-LAN_LOCAL_U-1097364144127 IN=br0 TCP SRC=192.168.16.10@55804 DST=192.168.16.1@443 LEN=52
Nov 14 10:58:31 - A-LAN_LOCAL_U-1097364144127 IN=br0 TCP SRC=192.168.16.10@55804 DST=192.168.16.1@443 LEN=52
Nov 14 10:58:31 - A-LAN_LOCAL_U-1097364144127 IN=br0 TCP SRC=192.168.16.10@55804 DST=192.168.16.1@443 LEN=52
Nov 14 10:58:31 - A-LAN_LOCAL_U-1097364144127 IN=br0 TCP SRC=192.168.16.10@55804 DST=192.168.16.1@443 LEN=52
Nov 14 10:58:31 - A-LAN_LOCAL_U-1097364144127 IN=br0 TCP SRC=192.168.16.10@55804 DST=192.168.16.1@443 LEN=52
Nov 14 10:58:31 - A-LAN_LOCAL_U-1097364144127 IN=br0 TCP SRC=192.168.16.10@55804 DST=192.168.16.1@443 LEN=52
```
## Acknowledgements
Thanks a lot to [@opustecnica](https://github.com/opustecnica) for the [initial implementation](https://github.com/opustecnica/public/wiki/UDM-&-UDM-PRO-NOTES) and idea (based on a bash script)!
Reference in New Issue Copy Permalink