Enable Logging for firewalld

Enabling logging on firewall rules can be beneficial for tracking why a certain rule is not behaving as you intended.

Enabling logging is relatively straight forward.

  • Enable Firewall Logging
  • Check Logs
  • Disable Firewall Logging (Optional)

Enable Firewall Logging

Quickest way to enable logging is to run

sudo firewall-cmd --set-log-denied=all

This changes the options in the /etc/firewalld/firewalld.conf config file. Options include all, unicast, broadcast, multicast, and off

Enable Log option for firewalld

The command also reloads the firewall so manually restarting the firewall is necessary.

Checking Logs

You can use dmesg to view the failed attempts or you can follow the messages log and filter to just show the rejects

sudo tail -f /var/log/messages | grep -i REJECT

You can now try to access the server or run a test to trigger a log event. In my case I tried initiating a SSH connection.

Oct  1 16:32:10 localhost kernel: FINAL_REJECT: IN=eno1 OUT= MAC=f8:ab:98:12:fe:11:a1:ec:a6:00:67:3e:97:00 SRC=192.168.1.1 DST=192.168.88.2 LEN=60 TOS=0x08 PREC=0x40 TTL=59 ID=43080 DF PROTO=TCP SPT=38192 DPT=22 WINDOW=52240 RES=0x00 SYN URGP=0

Interesting bits are bolded. Our destination port it 22 “ssh” and our source address is 192.168.1.1. If I want this IP to access the server, I’ll need to add the 192.168.1.1 IP range in the allowed IP ranges.

Disable Logging (Optional)

After you have finished troubleshooting your problem, you may want to turn the logging feature off so you don’t fill up the logs with failed entries.

You can turn it off with

sudo firewall-cmd --set-log-denied=off

We can verify that logging is off by running

sudo firewall-cmd --get-log-denied 

If the firewall logging option is off it will return “off”

The following site has some more information and alternative ways

https://www.cyberciti.biz/faq/enable-firewalld-logging-for-denied-packets-on-linux/

Check Access Logs for website

Typically on a cPanel host your access logs are kept in

/usr/local/apache/domlogs/username/incredigeek.com

Where username is your cPanel username and incredigeek.com is your website.

To view the logs you can use tail -f to follow the log.

tail -f /usr/local/apache/domlogs/username/incredigeek.com

You can also use grep to search the logs.

grep "text to search" /usr/local/apache/domlogs/username/incredigeek.com

cPanel Logs

How to view the logs

There are multiple ways to view log files, here are some common ways.

tail the log, shows the 10 most recent log entries.

tail /var/log/messages

tail the log and keep monitoring it for new entries.

tail -f /var/log/messages

Find specific info in log file

cat /var/log/messages | grep texttosearch

cPanel Log Paths

Main log

/var/log/messages

Access logs

/usr/local/cpanel/logs/access_log

Access logs for a specific domain

/home/user/access-logs/domainname.com

Account Transfers/miscellaneous logs

/var/cpanel/logs

Auditing Log (Account creation and deletions)

/var/cpanel/accounting.log

Backup Logs

/usr/local/cpanel/logs/cpbackup

CPHULKD Log

/usr/local/cpanel/logs/cphulkd.log

DNSAdmin, DNS Clustering

/usr/local/cpanel/logs/dnsadmin_log

Task Queue Processing Daemon

/usr/local/cpanel/logs/queueprocd.log

DBMapping

/usr/local/cpanel/logs/setupdbmap_log

Easy Apache Build logs

/usr/local/cpanel/logs/easy/apache/

Error logs

/usr/local/cpanel/logs/error_log
/var/log/cpanel

License log

/usr/local/cpanel/logs/license_log

local database modifications

/usr/local/cpanel/logs/build_locale_database_log

Login errors CPSRVD

/usr/local/cpanel/logs/login_log

Bandwidth History

/var/cpanel/bandwidth/{USERNAME}

Service Status Logs

/var/log/chkservd.log

Tailwatch log

/usr/local/cpanel/logs/tailwatch_log

Update Analysis Reporting

/usr/local/cpanel/logs/updated_analysis/{TIMESTAMP}.log

Update log UPCP

/var/cpanel/updatelogs/updated.{TIMESTAMP}.log

cPanel Email Logs

 

Horde log

/var/cpanel/horde/log/

RoundCube

/var/cpanel/roundcube/log/

Squirrel Mail

/var/cpanel/squirrelmail/

Panic log

/usr/local/cpanel/logs/panic_log

Delivery and receipt log

/var/log/exim_mainlog

Incoming mail queue

/var/spool/exim/input/

Log of messages rejected based on ACLS or other policies

/var/log/exim_rejectlog

Unexpected/Fatal error log

/var/log/exim_paniclog

IMAP, POP login attempts, transactions, fatal errors and spam scoring

/var/log/maillog

Mailman

/usr/local/cpanel/3rdparty/mailmain/logs

MySQL

MySQL error log

/var/lib/mysql/{SERVER_NAME}.err

MySQL slow query log (if enabled in my.cnf)

/var/log/slowqueries