Logging
Logging in LXC
One problem you'll run into is that access to kernel logging is limited or unavailable from inside an LXC container. For some use cases, such as netfilter's LOG target, any logging that happens in an LXC container is blackholed and not recorded anywhere unless something is changed on the host. Most often the solution to these problems is to find a way to provide access to these facilities from userspace.
ulogd2
You can use ulogd2 to solve the netfilter LOG problem by replacing kernel logging with userspace logging. After installing and configuring ulogd2, replace LOG with NFLOG in your netfilter/iptables rules.
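The rule rewrite described above, as an added example that is not part of the original page: a small POSIX shell/awk filter that takes an iptables-save dump and turns every LOG target into an NFLOG target for a ulogd2 stack. It assumes NFLOG group 2 (the group a [log3] section with group=2 would listen on) and the option names iptables itself uses; the sample rules are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original page: convert the LOG rules in an
# iptables-save dump into NFLOG rules that a ulogd2 NFLOG stack can consume.
# Assumptions: NFLOG group 2 (matching a ulogd2 stack with group=2) and the
# "-j LOG ..." syntax that iptables-save prints.

NFLOG_GROUP="${NFLOG_GROUP:-2}"   # must equal the group= of the ulogd2 stack

# log_to_nflog: rules on stdin, converted rules on stdout.
#   -j LOG            -> -j NFLOG --nflog-group $NFLOG_GROUP
#   --log-prefix "x"  -> --nflog-prefix "x"
#   --log-level N     -> dropped (NFLOG carries no syslog priority)
#   --log-tcp-sequence, --log-tcp-options, --log-ip-options, --log-uid,
#   --log-macdecode   -> dropped (LOG-only options with no NFLOG equivalent)
# Lines without a LOG target pass through untouched.
log_to_nflog() {
  awk -v grp="$NFLOG_GROUP" '
    /-j LOG( |$)/ {
      sub(/-j LOG/, "-j NFLOG --nflog-group " grp)
      sub(/--log-prefix/, "--nflog-prefix")
      sub(/ --log-level [^ ]+/, "")
      gsub(/ --log-(tcp-sequence|tcp-options|ip-options|uid|macdecode)/, "")
    }
    { print }
  '
}

# Constructed sample dump (not captured from a real host).
SAMPLE_RULES='-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j LOG --log-prefix "ssh-new " --log-level 4
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "input-drop " --log-tcp-options
-A INPUT -j DROP'

# Stand-alone run: print the converted rules. On a real host you would feed
# "iptables-save" in and pipe the result to "iptables-restore".
printf '%s\n' "$SAMPLE_RULES" | log_to_nflog
```

The filter only touches lines whose target is exactly LOG (a `( |$)` anchor keeps user-defined chains such as LOGDROP untouched), and it keeps the prefix so that the lines ulogd2 writes stay searchable the same way the kernel LOG lines were.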
ulogd is a userspace logging daemon for netfilter/iptables related logging. This includes per-packet logging of security violations, per-packet logging for accounting, per-flow logging and flexible user-defined accounting.
Installation
apt install ulogd2
Configuration
To get the output you want, edit the ulogd2 config as follows:
# /etc/ulogd2.conf
...
# this is a stack for logging packet send by system via LOGEMU
- #stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+ stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
# this is a stack for packet-based logging via LOGEMU
- #stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+ stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
# this is a stack for packet-based logging via LOGEMU
- #stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+ stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
...
# packet logging through NFLOG for group 2, numeric_label is
# set to 1
+ [log3]
+ # netlink multicast group (the same as the iptables --nflog-group param)
+ group=2 # Group has to be different from the one use in log1/log2
+ numeric_label=1 # you can label the log info based on the packet verdict
[ulog1]
...
[emu1]
- file="/var/log/ulog/syslogemu.log"
+ file="/var/log/firewall"
sync=1
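Review bot: the new [log3] section sets group=2 and its own comment says this has to equal the iptables --nflog-group param, but the NFLOG rules the page tells readers to write are never shown with that parameter; add the matching `--nflog-group 2` to the rule text (rules written as a bare `-j NFLOG` use group 0 and will not reach this stack). Minor: the comment "the one use in log1/log2" should read "the one used in log1/log2".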
Connection Tracking
Similarly to netfilter logging, connection tracking in an LXC container is more limited because the container has no access to the host's /proc/ filesystem. Installing conntrack provides a way to see connection tracking from userspace.
conntrack
The conntrack utility provides a full-featured userspace interface to the Netfilter connection tracking system that is intended to replace the old /proc/net/ip_conntrack interface. This tool can be used to search, list, inspect and maintain the connection tracking subsystem of the Linux kernel.
Installation
apt install conntrack
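Once conntrack is installed, the useful next step is reading what `conntrack -L` prints. The following is an added example, not from the original page: two POSIX shell/awk helpers that summarise a flow table dump by original-direction destination port and count TCP flows in a given state. It assumes the text format conntrack -L produces (protocol, protocol number, timeout, the TCP state where present, then key=value pairs for the original and reply directions); the sample lines are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the original page: summarise "conntrack -L" output
# from inside the container without touching the host's /proc.
# Assumes the line format conntrack -L prints: proto, protonum, timeout,
# [tcp state], then key=value fields for the original and reply directions.

# conntrack_summary: conntrack -L lines on stdin; prints
# "<proto> <dport> <flows>" for the ORIGINAL direction (the first dport= on
# each line), most flows first.
conntrack_summary() {
  awk '
    {
      proto = $1; dport = ""
      for (i = 2; i <= NF; i++)
        if (dport == "" && $i ~ /^dport=/) { split($i, kv, "="); dport = kv[2] }
      if (dport != "") n[proto " " dport]++
    }
    END { for (k in n) print k, n[k] }
  ' | sort -k3,3nr -k1,1 -k2,2n
}

# count_state: number of TCP flows in the given state, e.g. ESTABLISHED.
# UDP entries carry no state column, so only tcp lines are considered.
count_state() {
  awk -v st="$1" '$1 == "tcp" && $4 == st { c++ } END { print c + 0 }'
}

# Constructed sample (not captured from a real system).
SAMPLE_CT='tcp      6 431999 ESTABLISHED src=10.0.3.2 dst=203.0.113.10 sport=52344 dport=443 src=203.0.113.10 dst=10.0.3.2 sport=443 dport=52344 [ASSURED] mark=0 use=1
tcp      6 431998 ESTABLISHED src=10.0.3.2 dst=203.0.113.11 sport=52345 dport=443 src=203.0.113.11 dst=10.0.3.2 sport=443 dport=52345 [ASSURED] mark=0 use=1
tcp      6 113 TIME_WAIT src=10.0.3.2 dst=203.0.113.10 sport=52340 dport=443 src=203.0.113.10 dst=10.0.3.2 sport=443 dport=52340 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=10.0.3.2 dst=198.51.100.7 sport=40000 dport=22 [UNREPLIED] src=198.51.100.7 dst=10.0.3.2 sport=22 dport=40000 mark=0 use=1
udp      17 29 src=10.0.3.2 dst=10.0.3.1 sport=41234 dport=53 src=10.0.3.1 dst=10.0.3.2 sport=53 dport=41234 mark=0 use=1'

# Stand-alone run. On a real host: conntrack -L 2>/dev/null | conntrack_summary
printf '%s\n' "$SAMPLE_CT" | conntrack_summary
printf 'established: %s\n' "$(printf '%s\n' "$SAMPLE_CT" | count_state ESTABLISHED)"
```

Taking the first dport= on the line deliberately picks the original direction, so a reply-side port never gets counted as a destination; conntrack's own "N flow entries have been shown" summary goes to stderr, which is why the usage comment discards it.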