JDCast11
Level 9

Linux Firewall log question

Does Linux have a log that shows blocked or allowed network traffic for the ENS Firewall for Linux? I've looked in /var/McAfee/ens/logs/fw and don't see anything like firewalleventmonitor that's in Windows.

5 Replies

Re: Linux Firewall log question

You figure this out?  I'm wanting to yell at the documentation writers...

gururaj
McAfee Employee

Re: Linux Firewall log question

Hi,
McAfee Endpoint Security for Linux Firewall now supports both allowed and blocked traffic logging.

When Firewall allowed traffic logging is enabled, the details of all allowed traffic are logged in syslog. By default this option is disabled.

When Firewall blocked traffic logging is enabled, the details of all traffic blocked are logged in syslog. By default this option is enabled.

For managed systems, you can enable logging activity using the Tuning Options in the McAfee Endpoint Security for Linux Firewall (Options) policy.
For standalone systems, you can configure log settings using the command line.

Configure the Firewall allowed and blocked traffic logging for standalone systems

Follow these steps to enable Firewall allowed or blocked traffic logging in standalone systems.

Task
1. Log on to the system as a user with administrator rights.
2. Change the directory to the Firewall bin directory:
   /opt/McAfee/ens/fw/bin/
3. Run the command:
   • To enable logging allowed traffic for both adaptive and regular mode:
     ./mfefwcli --log-allowed-traffic enable
   • To enable logging blocked traffic for both adaptive and regular mode:
     ./mfefwcli --log-blocked-traffic enable
4. To view log settings, run the command:
   ./mfefwcli --showlogsettings

I hope this will be helpful.

Re: Linux Firewall log question

Firewall for Linux is the alternative version of HIPS 8.0.0 for Windows. To view Firewall for Linux logs: they can only be seen via /var/log/messages.

You can filter via tailf /var/log/messages and grep for deny rules.

You will need to create a block rule under your endpoint policy and log traffic.

Re: Linux Firewall log question

I believe I read the documentation where it said /var/log/syslog and not messages.  Thank you for the mention, I did see the entries in messages.  I wonder if their documentation needs fixed, or if I just can't read.

 

Thanks again

Re: Linux Firewall log question

Something else interesting if anyone will come back to this post:

Looking in /var/McAfee/ens/fw/prefs.xml:

<LoggingInformation type="3">
  <ActivityLogSize>10</ActivityLogSize>
  <FirewallLogLevel>6</FirewallLogLevel>
  <IptablesRuleLogLevel>4</IptablesRuleLogLevel>
  <CustomLogEnable>1</CustomLogEnable>
  <SendEventsToePO>1</SendEventsToePO>
  <EnableActivityLogging>1</EnableActivityLogging>
  <LimitActivityLogSize>1</LimitActivityLogSize>
  <EnableDebugLoggingForFW>1</EnableDebugLoggingForFW>
  <LimitDebugLogSize>1</LimitDebugLogSize>
  <DebugLogSize>50</DebugLogSize>
  <EnableEventLogging>1</EnableEventLogging>
  <LogPath>%DEFLOGDIR%</LogPath>
  <ePOLogLevelForFW>3</ePOLogLevelForFW>
  <ProductMaxLogFileSize>10</ProductMaxLogFileSize>
  <ProductMaxRotatedLogFileCount>5</ProductMaxRotatedLogFileCount>
  <EnableDebugLoggingForMsgBus>0</EnableDebugLoggingForMsgBus>
  <EnableLogAllAllowedTraffic>0</EnableLogAllAllowedTraffic>
  <EnableLogAllBlockedTraffic>1</EnableLogAllBlockedTraffic>
</LoggingInformation>

There's nowhere in the firewall options policy to define a location for logs.  Most of the options policy is for Windows anyway.  The CLI tool doesn't give you the option to set a log location either.  I tried to manually edit the XML, but it gets reset when mfefwd restarts.
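
Added example, not part of the original posts and not McAfee's code: a read-only shell check that reports the two traffic-logging flags from the prefs.xml listing above and which of the two syslog files mentioned in this thread exists on the host. It assumes one element per line as in that listing; the function names and the optional root-prefix argument are hypothetical helpers made up for this example.

```shell
#!/bin/sh
# Added example: read-only check of ENS Firewall for Linux logging state.
# Function names and the ROOT prefix argument are hypothetical helpers.

PREFS=/var/McAfee/ens/fw/prefs.xml   # path quoted in the thread

# fw_pref FILE KEY -> prints the text of <KEY>...</KEY> (first match only).
# Assumes one element per line, as in the listing above.
fw_pref() {
    sed -n "s:.*<$2>\([^<]*\)</$2>.*:\1:p" "$1" | head -n 1
}

# fw_flag FILE KEY -> "enabled", "disabled" or "unknown" (key absent or odd value).
fw_flag() {
    case "$(fw_pref "$1" "$2")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# fw_syslog_path [ROOT] -> first syslog file that exists. Both names come up
# in the thread; which one is present depends on the host's syslog setup.
fw_syslog_path() {
    root=${1:-}
    for f in /var/log/messages /var/log/syslog; do
        if [ -f "$root$f" ]; then echo "$root$f"; return 0; fi
    done
    return 1
}

# fw_log_report [ROOT] -> one-line summary; returns 2 if prefs.xml is unreadable.
fw_log_report() {
    prefs="${1:-}$PREFS"
    [ -r "$prefs" ] || { echo "cannot read $prefs" >&2; return 2; }
    dest=$(fw_syslog_path "${1:-}") || dest="none found"
    echo "blocked=$(fw_flag "$prefs" EnableLogAllBlockedTraffic)" \
         "allowed=$(fw_flag "$prefs" EnableLogAllAllowedTraffic)" \
         "syslog=$dest"
}

# Query the live system only when invoked as: sh thisfile report
if [ "${1:-}" = report ]; then fw_log_report; fi
```

Because the file is only read, this does not trigger the reset on mfefwd restart described in the post above; changes to the flags still go through mfefwcli or the ePO policy.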
