
Logging

Logging in LXC

One problem you'll run into is that access to kernel logging is limited or unavailable from inside of an LXC container. For some use cases, like netfilter's LOG target, any logging that happens in an LXC container is blackholed and not recorded anywhere unless something is changed on the host: LOG writes to the kernel ring buffer, which belongs to the host, so the container's own syslog or journald never sees those lines. Most often the solution to these problems is to find a way to do the same thing from userspace.

ulogd2

You can use ulogd2 to solve the netfilter LOG problem by replacing kernel logging with userspace logging. After installing and configuring ulogd2, replace LOG with NFLOG in your netfilter/iptables rules; the rule's --nflog-group value and the group= in the matching ulogd2 stack must agree, and ulogd2 needs CAP_NET_ADMIN inside the container's network namespace to bind that netlink group.

ulogd is a userspace logging daemon for netfilter/iptables related logging. This includes per-packet logging of security violations, per-packet logging for accounting, per-flow logging and flexible user-defined accounting.

Installation

apt install ulogd2

Configuration

To get the output you want, edit the ulogd2 config. The diff below is against the stock config file; lines marked - are the shipped (commented-out) defaults and lines marked + are the replacements:

# /etc/ulogd2.conf
...
  # this is a stack for logging packet send by system via LOGEMU
- #stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+ stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU

  # this is a stack for packet-based logging via LOGEMU
- #stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+ stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU

  # this is a stack for packet-based logging via LOGEMU
- #stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+ stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU
...
  # packet logging through NFLOG for group 2, numeric_label is
  # set to 1
+ [log3]
+ # netlink multicast group (the same as the iptables --nflog-group param)
+ group=2 # Group has to be different from the one used in log1/log2
+ numeric_label=1 # you can label the log info based on the packet verdict

  [ulog1]
...
  [emu1]
  file="/var/log/ulog/syslogemu.log"

+ [firewall]
+ file="/var/log/ulog/firewall.log"
+ sync=1
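As an added example (not code from the original page or from the ulogd project), here is a small shell helper that rewrites an existing ruleset from LOG to NFLOG so that the rules land on the group the [log3] stack above listens on. The sample rules are constructed, and the group number 2 is an assumption that must match the group= in your ulogd2 config.

```shell
#!/bin/sh
# Added example, not from the original page: convert iptables LOG rules to
# NFLOG rules so ulogd2 receives them over netlink instead of the host's
# kernel ring buffer. Assumes iptables-save format on stdin and that netlink
# group 2 is the one configured in ulogd2's [log3] section (assumption).

NFLOG_GROUP=2

log_to_nflog() {
    # Reads iptables-save text on stdin, writes the converted rules on stdout.
    # - "-j LOG"          becomes "-j NFLOG --nflog-group $NFLOG_GROUP"
    # - "--log-prefix X"  becomes "--nflog-prefix X" (ulogd2 prints the prefix)
    # - "--log-level N"   is dropped: NFLOG has no syslog priority, the
    #                      ulogd2 output plugin decides where the line goes
    sed -E \
        -e "s/-j LOG( |$)/-j NFLOG --nflog-group ${NFLOG_GROUP}\1/" \
        -e 's/--log-prefix/--nflog-prefix/' \
        -e 's/ --log-level [a-z0-9]+//'
}

# Constructed sample of the kind of rules found in a container firewall.
SAMPLE_RULES='*filter
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j LOG --log-prefix "ssh-new: " --log-level 4
-A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "invalid: "
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT'

# Runs the conversion over the constructed sample and returns the result.
convert_sample() {
    printf '%s\n' "$SAMPLE_RULES" | log_to_nflog
}

convert_sample
```

Run it against a live ruleset with `iptables-save | log_to_nflog` and review the output before loading it with `iptables-restore`; rules that were never LOG rules (the DROP above) pass through untouched.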

Connection Tracking

Similarly to netfilter logging, connection tracking in an LXC container is more limited because the container does not have access to the host's /proc filesystem, which is where the legacy /proc/net/ip_conntrack and /proc/net/nf_conntrack interfaces live. Installing conntrack gives you a way to see connection tracking from userspace, since it talks to the kernel over netlink instead of /proc.

conntrack

The conntrack utility provides a full-featured userspace interface to the Netfilter connection tracking system that is intended to replace the old /proc/net/ip_conntrack interface. This tool can be used to search, list, inspect and maintain the connection tracking subsystem of the Linux kernel.

Installation

apt install conntrack
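As an added example (not from the original page or the conntrack-tools project), the helper below reads the text output of `conntrack -L` and summarises it per destination and state, so that a burst of unanswered connections to one peer stands out. The table contents are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original page: summarise a conntrack table
# (text format of `conntrack -L`) by destination address and TCP state.
# The sample below is constructed for the example.

CONNTRACK_SAMPLE='tcp      6 431999 ESTABLISHED src=10.0.3.5 dst=203.0.113.10 sport=51234 dport=443 src=203.0.113.10 dst=10.0.3.5 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=10.0.3.5 dst=198.51.100.7 sport=40001 dport=22 [UNREPLIED] src=198.51.100.7 dst=10.0.3.5 sport=22 dport=40001 mark=0 use=1
tcp      6 117 SYN_SENT src=10.0.3.5 dst=198.51.100.7 sport=40002 dport=22 [UNREPLIED] src=198.51.100.7 dst=10.0.3.5 sport=22 dport=40002 mark=0 use=1
tcp      6 115 SYN_SENT src=10.0.3.5 dst=198.51.100.7 sport=40003 dport=22 [UNREPLIED] src=198.51.100.7 dst=10.0.3.5 sport=22 dport=40003 mark=0 use=1
udp      17 29 src=10.0.3.5 dst=10.0.3.1 sport=53311 dport=53 src=10.0.3.1 dst=10.0.3.5 sport=53 dport=53311 mark=0 use=1'

# Prints "count dst state" for every (original-direction dst, state) pair,
# busiest first. Reads conntrack -L output on stdin. UDP and ICMP entries
# carry no state column, so they are reported with state "-".
summarise_conntrack() {
    awk '{
        state = ($4 ~ /^[A-Z_]+$/) ? $4 : "-"
        dst = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^dst=/) { dst = substr($i, 5); break }
        count[dst " " state]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Counts entries towards one peer that the kernel has not seen a reply for.
# Argument: destination IP. Reads conntrack -L output on stdin.
unreplied_to() {
    grep -c "dst=$1 .*\[UNREPLIED\]" || true
}

printf '%s\n' "$CONNTRACK_SAMPLE" | summarise_conntrack
printf '%s\n' "$CONNTRACK_SAMPLE" | unreplied_to 198.51.100.7
```

On a live container the same functions take `conntrack -L | summarise_conntrack`; the [UNREPLIED] flag is what distinguishes half-open connections (a scan or a peer that is not answering) from the established flows that dominate a healthy table.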