What we use:
- Shorewall is a gateway/firewall configuration tool for GNU/Linux. It has very good documentation and is very easy to configure.
- Ulogd is a userspace logging daemon for netfilter/iptables related logging. It lets you write log information in different output formats, such as CSV or JSON, or even into databases.
- The ELK stack: Elasticsearch + Logstash + Kibana + Filebeat.
Logging every packet that passes through Shorewall is not a very good idea since, depending on your use case, it can produce very large log files. We can reduce the volume by using connection tracking and logging only network sessions.
We will set up a JSON log file with Ulogd and read it with Filebeat.
You can find a good blog post on Ulogd and JSON here.
Here is my ulogd.conf file, based on that blog post:
We configure Filebeat to read the JSON file:
On the other side, we need a Logstash filter configuration to parse the JSON and work around a bug: we have to add a ruby filter that replaces every dot in the field names with another character, because Elasticsearch does not accept dots in key names.
Here is the result:
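The dot-renaming step described above, as an added stand-alone Ruby example (not the author's Logstash configuration): it parses one constructed ulogd-style JSON line and rewrites every dotted field name, recursing into nested objects and refusing to silently merge two keys that collide after renaming. The sample event and its field names are constructed for illustration.

```ruby
require "json"

# Constructed sample: one connection-tracking event in the style of
# ulogd's JSON output. The dotted keys are what Elasticsearch rejects.
SAMPLE_EVENT = <<~EVENT
  {"timestamp": "2016-01-10T12:34:56", "dvc": "gateway",
   "oob.family": 2, "oob.protocol": 6, "oob.prefix": "Shorewall:net2fw:ACCEPT:",
   "ip.saddr.str": "192.0.2.10", "ip.daddr.str": "198.51.100.20",
   "ip.protocol": 6, "tcp.sport": 51234, "tcp.dport": 443,
   "ct.event": 4, "flow.end.sec": 1452429296}
EVENT

# Return a new structure in which every dot in a hash key is replaced by
# `sep`, recursing into nested hashes and arrays. Values are left untouched.
def rename_dotted_keys(obj, sep = "_")
  case obj
  when Hash
    obj.each_with_object({}) do |(key, value), out|
      new_key = key.to_s.gsub(".", sep)
      # Two distinct source keys must never be folded into one field.
      raise KeyError, "field name collision on #{new_key}" if out.key?(new_key)
      out[new_key] = rename_dotted_keys(value, sep)
    end
  when Array
    obj.map { |item| rename_dotted_keys(item, sep) }
  else
    obj
  end
end

# Parse one JSON log line (as Filebeat ships it) and sanitise its field names.
def sanitise_ulogd_line(line, sep = "_")
  rename_dotted_keys(JSON.parse(line), sep)
end

# Inside a Logstash `ruby { code => "..." }` filter the same loop would act on
# the event object (event.to_hash / event.remove / event.set in Logstash 5+);
# the exact event API depends on the Logstash version you run.
if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate(sanitise_ulogd_line(SAMPLE_EVENT))
end
```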