13.9. Logging of firewall rules

By default, all logging of traffic filtered by the firewall rules is disabled. To enable logging, the loglevel for incoming and/or outgoing traffic has to be set in FirewallOptions. This can be done for the host as well as for each VM/CT firewall individually. Doing so enables logging for Proxmox VE's standard firewall rules, and the output can be observed in FirewallLog. Note that for the standard rules only some dropped or rejected packets are logged (see the default firewall rules in Section 13.8, "Default firewall rules").

The loglevel does not affect how much of the filtered traffic is logged. It only changes the LOGID that is prepended to each log line, which simplifies filtering and post-processing of the log.

loglevel is one of the following flags:

  loglevel   LOGID
  nolog      —
  emerg      0
  alert      1
  crit       2
  err        3
  warning    4
  notice     5
  info       6
  debug      7

A typical firewall log output looks like this:

VMID LOGID CHAIN TIMESTAMP POLICY: PACKET_DETAILS

In case of the host firewall, VMID is equal to 0.

In order to log packets filtered by user-defined firewall rules, a log-level parameter can be set for each rule individually. This allows fine-grained logging, independent of the loglevel defined for the standard rules in FirewallOptions.

The loglevel of an individual rule can be set or changed in the WebUI when creating or editing the rule, and it can also be set via the corresponding pvesh API calls.

Further, the log-level can also be set in the firewall configuration file by appending -log <loglevel> to the selected rule (see the table of possible log-levels above).

For example, the following two rules are identical:

IN REJECT -p icmp -log nolog
IN REJECT -p icmp

whereas

IN REJECT -p icmp -log debug

produces a log output flagged with the debug level.
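As an added illustration of the two formats described in this section (the log line layout `VMID LOGID CHAIN TIMESTAMP POLICY: PACKET_DETAILS` and the `-log <loglevel>` rule option), and not code from the Proxmox VE documentation or project, the following Python script parses log lines in the documented layout, maps the LOGID back to its loglevel name using the table above, filters records by severity or VMID, and resolves the LOGID a user-defined rule line will stamp on its output. The sample log lines, chain names, addresses and timestamp format are constructed for this example and the KEY=VALUE packet-detail tokens are an assumption about the output, not something taken from the page.

```python
import re

# Added example (not from the Proxmox VE documentation): parse firewall log
# lines in the documented layout and resolve the LOGID of rule definitions.

# loglevel -> LOGID, as in the table of this section. "nolog" produces no line.
LOGLEVELS = {
    "nolog": None,
    "emerg": 0,
    "alert": 1,
    "crit": 2,
    "err": 3,
    "warning": 4,
    "notice": 5,
    "info": 6,
    "debug": 7,
}
LOGID_TO_LEVEL = {v: k for k, v in LOGLEVELS.items() if v is not None}

# Documented line layout: VMID LOGID CHAIN TIMESTAMP POLICY: PACKET_DETAILS
# The timestamp is matched non-greedily so a timezone suffix does not break it.
LOG_LINE = re.compile(
    r"^(?P<vmid>\d+) (?P<logid>\d) (?P<chain>\S+) (?P<ts>.+?) "
    r"(?P<policy>[A-Z]+): (?P<details>.*)$"
)


def parse_log_line(line):
    """Return a dict for one firewall log line, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["vmid"] = int(rec["vmid"])
    rec["logid"] = int(rec["logid"])
    rec["level"] = LOGID_TO_LEVEL.get(rec["logid"], "unknown")
    # VMID 0 means the host firewall; anything else is a VM/CT firewall.
    rec["scope"] = "host" if rec["vmid"] == 0 else "guest"
    # PACKET_DETAILS is assumed to be KEY=VALUE tokens; keep them addressable.
    rec["fields"] = dict(
        tok.split("=", 1) for tok in rec["details"].split() if "=" in tok
    )
    return rec


def select_records(lines, max_logid=7, vmid=None):
    """Keep parsed lines with LOGID <= max_logid (lower LOGID is more severe,
    syslog style) and, if given, a matching VMID. Unparseable lines are skipped."""
    out = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["logid"] > max_logid:
            continue
        if vmid is not None and rec["vmid"] != vmid:
            continue
        out.append(rec)
    return out


def rule_logid(rule):
    """LOGID that a user-defined rule line will stamp on its log output, or
    None when the rule is not logged. A missing -log option and '-log nolog'
    are equivalent, as the two identical rules in the text show."""
    tokens = rule.split()
    if "-log" not in tokens:
        return None
    idx = tokens.index("-log")
    if idx + 1 >= len(tokens):
        raise ValueError("'-log' requires a loglevel argument")
    level = tokens[idx + 1]
    if level not in LOGLEVELS:
        raise ValueError(f"unknown loglevel {level!r}")
    return LOGLEVELS[level]


# Constructed sample lines in the documented layout (not real captured output).
SAMPLE_LOG = [
    "0 6 PVEFW-HOST-IN 01/Jan/2024:12:00:00 +0000 DROP: IN=vmbr0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=22",
    "100 7 tap100i0-IN 01/Jan/2024:12:00:01 +0000 REJECT: IN=fwbr100i0 SRC=192.0.2.7 DST=192.0.2.20 PROTO=ICMP TYPE=8",
    "100 3 tap100i0-OUT 01/Jan/2024:12:00:02 +0000 DROP: OUT=fwbr100i0 SRC=192.0.2.20 DST=203.0.113.9 PROTO=UDP DPT=53",
    "this line is not a firewall log entry",
]

if __name__ == "__main__":
    for rec in select_records(SAMPLE_LOG):
        print(rec["scope"], rec["vmid"], rec["level"], rec["chain"],
              rec["policy"], rec["fields"].get("SRC"))
    for rule in ("IN REJECT -p icmp -log nolog", "IN REJECT -p icmp",
                 "IN REJECT -p icmp -log debug"):
        print(f"{rule!r:40} -> LOGID {rule_logid(rule)}")
```

Because the loglevel only changes the LOGID prefix and not the amount of traffic logged, severity filtering has to happen in post-processing as `select_records` does; feeding the real log through `parse_log_line` is enough to separate host (VMID 0) from guest entries and to pick out the rules you tagged with a distinctive level such as debug.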