# shorewall & /var/log/shorewall.log

## thoughtform

I am running an x86 w/ shorewall and metalog.

In the shorewall conf file I specified LOGFILE /var/log/shorewall.log

The file exists with rw owned by root but it's 0.

I do see messages from iptables in /var/log/everything/current

How to fix?

----------

## Jimini

If I remember correctly, I had the same problem when I used shorewall (as logging daemon I use syslog-ng). So I configured the logging daemon to put all shorewall-related stuff into a separate file.

Unfortunately, I haven't used metalog yet, so I cannot help you with editing its config.

Best regards,

Jimini

----------

## richard.scott

That's the way Metalog works... 

The everything folder also sees everything even if it's also logged in another file.

Rich.

----------

## champ

I am using shorewall with metalog. Add the following to your /etc/metalog.conf file to get a separate directory for shorewall:

```
Shorewall logging:

  facility = "kern"
  regex = "shorewall"
  logdir   = "/var/log/firewall"
```

----------

## thoughtform

I created /var/log/firewall

touched shorewall.log

metalog conf section:

```
Shorewall :

  facility = "kern"
  regex = "Shorewall"
  logdir   = "/var/log/firewall"
```

Some sections from /var/log/everything/current:

```
Oct 05 09:04:52 [kernel] [750215.087577] Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:01:03:d0:16:24:00:01:5c:22:ee:41:08:00 SRC=222.45.112.59 DST=69.143.218.147 LEN=40 TOS=0x0
Oct 05 09:04:52 [kernel] [750215.109079] Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:01:03:d0:16:24:00:01:5c:22:ee:41:08:00 SRC=222.45.112.59 DST=69.143.218.147 LEN=40 TOS=0x0
Oct 05 09:04:52 [kernel] [750215.131261] Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:01:03:d0:16:24:00:01:5c:22:ee:41:08:00 SRC=222.45.112.59 DST=69.143.218.147 LEN=40 TOS=0x0
Oct 05 09:04:52 [kernel] [750215.153410] Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:01:03:d0:16:24:00:01:5c:22:ee:41:08:00 SRC=222.45.112.59 DST=69.143.218.147 LEN=40 TOS=0x0
Oct 05 09:04:52 [kernel] [750215.175289] Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:01:03:d0:16:24:00:01:5c:22:ee:41:08:00 SRC=222.45.112.59 DST=69.143.218.147 LEN=40 TOS=0x0
```

I restarted shorewall and metalog; it's still not logging to the /var/log/firewall directory.

What am I doing wrong?

----------

## champ

I'm guessing that a previous section of the conf file is blocking the shorewall log (see the information on "break" in the man page).

Try adding the following to the section called "Kernel messages":

```
neg_regex="Shorewall"
```

Hope that helps

----------
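Added example, not part of any post in this thread and not metalog's own code: a simplified Python model of the section ordering discussed above, showing why an earlier section with `break` can keep the firewall lines out of /var/log/firewall and what `neg_regex` changes. It assumes sections are tried top to bottom and that the "Kernel messages" section sets `break = 1` and logs to /var/log/kernel; the section dictionaries, the `route` and `config` helpers and the sample log line are constructed for illustration.

```python
import re

# Constructed sample in the shape of the kernel lines quoted in the thread
# (documentation addresses, not values from the thread).
SAMPLE = ("kern", "Shorewall:net2fw:DROP:IN=eth1 OUT= "
                  "SRC=192.0.2.10 DST=198.51.100.20 LEN=40")


def route(sections, facility, message):
    """Return the logdirs that receive the message, in config order."""
    hits = []
    for s in sections:
        if s["facility"] not in ("*", facility):
            continue                      # wrong facility
        if "regex" in s and not re.search(s["regex"], message):
            continue                      # required pattern missing
        if "neg_regex" in s and re.search(s["neg_regex"], message):
            continue                      # excluded pattern present
        hits.append(s["logdir"])
        if s.get("break"):
            break                         # later sections never see it
    return hits


def config(kernel_neg_regex=None):
    """Assumed layout: catch-all, then kernel (with break), then Shorewall."""
    kernel = {"facility": "kern", "logdir": "/var/log/kernel", "break": 1}
    if kernel_neg_regex:
        kernel["neg_regex"] = kernel_neg_regex
    return [
        {"facility": "*", "logdir": "/var/log/everything"},
        kernel,
        {"facility": "kern", "regex": "Shorewall",
         "logdir": "/var/log/firewall"},
    ]


def demo():
    """Route the sample line before and after adding neg_regex."""
    before = route(config(), *SAMPLE)
    after = route(config(kernel_neg_regex="Shorewall"), *SAMPLE)
    return before, after


if __name__ == "__main__":
    for label, dirs in zip(("without neg_regex", "with neg_regex"), demo()):
        print(label, "->", dirs)
```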

