By default, all logging of traffic filtered by the firewall rules is disabled. To enable logging, the loglevel for incoming and/or outgoing traffic has to be set in Firewall → Options. This can be done for the host as well as for the VM/CT firewall individually. This enables logging of Proxmox VE’s standard firewall rules, and the output can be observed in Firewall → Log. Note that only some dropped or rejected packets are logged for the standard rules (see Section 13.8, “Default firewall rules”).
loglevel does not affect how much of the filtered traffic is logged. It changes the LOGID that is appended as a prefix to the log output for easier filtering and post-processing.

loglevel is one of the following flags:
A typical firewall log output looks like this:

    VMID LOGID CHAIN TIMESTAMP POLICY: PACKET_DETAILS

In case of the host firewall, VMID is equal to 0.
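The following parser is an added example (not part of the Proxmox VE documentation or code base) that splits lines of the layout shown above into their VMID, LOGID, CHAIN, TIMESTAMP and POLICY fields, turns the KEY=VALUE packet details into a dictionary, and then filters by severity and VMID. The sample log lines are constructed for this example, and the loglevel-to-LOGID mapping used for the severity filter is an assumption that the numbers follow syslog severity order (emerg=0 … debug=7, nolog having no LOGID).

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Assumed mapping from loglevel name to the numeric LOGID prefix; this follows
# syslog severity order. "nolog" produces no log line and hence has no LOGID.
LOGLEVELS: Dict[str, int] = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# Layout of one line: VMID LOGID CHAIN TIMESTAMP POLICY: PACKET_DETAILS
LINE_RE = re.compile(
    r"^(?P<vmid>\d+) (?P<logid>\d+) (?P<chain>\S+) "
    r"(?P<timestamp>\S+ [+-]\d{4}) (?P<policy>[A-Z]+): (?P<details>.*)$"
)

# Constructed sample lines (documentation address ranges, made-up chains for VMs 100/101).
SAMPLE_LOG = """\
0 6 PVEFW-HOST-IN 20/Jan/2024:10:15:01 +0100 DROP: IN=vmbr0 OUT= SRC=203.0.113.10 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=44444 DPT=23 SYN
100 7 guest-100-in 20/Jan/2024:10:15:02 +0100 REJECT: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 SRC=192.0.2.1 DST=10.0.0.100 LEN=84 PROTO=ICMP TYPE=8 CODE=0
100 6 guest-100-out 20/Jan/2024:10:15:03 +0100 DROP: IN=fwbr100i0 OUT=fwbr100i0 SRC=10.0.0.100 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51234 DPT=25 SYN
101 4 guest-101-in 20/Jan/2024:10:15:04 +0100 DROP: IN=fwbr101i0 OUT=fwbr101i0 SRC=203.0.113.77 DST=10.0.0.101 LEN=40 PROTO=UDP SPT=5353 DPT=5353
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one firewall log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec: dict = m.groupdict()
    rec["vmid"] = int(rec["vmid"])   # 0 means the host firewall
    rec["logid"] = int(rec["logid"])
    # PACKET_DETAILS is a run of KEY=VALUE tokens plus bare flags such as SYN or DF.
    fields: Dict[str, object] = {}
    for tok in rec["details"].split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True
    rec["fields"] = fields
    return rec


def parse_log(text: str) -> List[dict]:
    """Parse a whole log text, skipping lines that are not firewall records."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def filter_log(records: List[dict], max_level: str = "debug",
               vmid: Optional[int] = None, policy: Optional[str] = None) -> List[dict]:
    """Keep records whose LOGID is at least as severe as max_level (i.e. numerically <=),
    optionally restricted to one VMID (0 = host) and one POLICY (DROP/REJECT/ACCEPT)."""
    threshold = LOGLEVELS[max_level]
    out = []
    for r in records:
        if r["logid"] > threshold:
            continue
        if vmid is not None and r["vmid"] != vmid:
            continue
        if policy is not None and r["policy"] != policy:
            continue
        out.append(r)
    return out


def count_by_vm_policy(records: List[dict]) -> Dict[tuple, int]:
    """Summarise how many filtered packets each VM (or the host) saw per policy."""
    return dict(Counter((r["vmid"], r["policy"]) for r in records))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in filter_log(recs, max_level="info"):
        f = r["fields"]
        print(r["vmid"], r["chain"], r["policy"], f.get("SRC"), "->", f.get("DST"), f.get("PROTO"), f.get("DPT"))
    print(count_by_vm_policy(recs))
```

Because the LOGID is a plain numeric prefix, a severity filter is just a comparison against that number; the same parser works for lines produced by per-rule log levels, since those only change the LOGID written in front of the line.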
In order to log packets filtered by user-defined firewall rules, it is possible to set a log-level parameter for each rule individually. This allows logging in a fine-grained manner, independent of the log-level defined for the standard rules in Firewall → Options.

While the loglevel for each individual rule can be defined or changed easily in the WebUI during creation or modification of the rule, it is also possible to set it via the corresponding pvesh API calls.

Further, the log-level can also be set via the firewall configuration file by appending -log <loglevel> to the selected rule (see possible log-levels ???).
For example, the following two are identical:

    IN REJECT -p icmp -log nolog
    IN REJECT -p icmp

whereas

    IN REJECT -p icmp -log debug

produces a log output flagged with the debug level.