
Logging for RV34X for all traffic

We recently upgraded to an RV340 from an RV325, and I'd like to make a feature request for the built-in logging options.

We generally don't disallow outgoing connections that originate from the LAN, and utilize most general options for filtering incoming / port-forwarded connections.

In the RV32X series, if you choose to log everything and point to a syslog server, all traffic info will be sent. On the RV34X series, however, by default it does not appear to do so. I do indeed get all the system messages to pop through, but NOT the Kernel.info entries I expect to see for outgoing traffic; only rejections for any incoming firewall-related failures. It appears that the auto-generated rules by System / Port-forwarding cannot be edited, and they don't appear to log anything. I can create a duplicate general outgoing rule for VLAN1 to WAN, which must be enabled and log set to True, which then passes through all the traffic info I'd expect to see on my syslog server.

My guess is the System Configuration -> Log settings aren't actually saving right, and a Severity=Information and Category=All isn't setting the right logging options.  I don't mind setting my own extra editable rule to make logging work, BUT there's no way to move custom rules below the auto-generated ones, nor can I disable the 'built-in' rule and replace my custom one in its exact spot.

So I *think* this is a bug, but if it isn't, if we can just get an option in the Firewall - Access Rules table to just be able to enable/disable the log for the built-in rules that ought to be ok...


nagrajk1969

Hi

I have not been logging ALL logs on my RV345 till now, and presently I don't have a syslog server configured for now, and your observation is interesting.

But since you have a syslog configured in your deployment, I was thinking, in your case,

- Is it not logging everything and sending to syslog if we configure something like in the attached screenshots of the Log-settings page?

- Is it your observation that when we select the "ALL" checkbox for logging AND also configure the syslog server too, no logs related to kernel, etc. are getting logged onto the syslog server?

regards

Your settings are the same as what I'm using, save that I'm only at Information rather than Debugging level.  My syslog even at Debugging will get the appropriate stuff like router logins, config changes, power cycling, etc. but NOT any network traffic info other than refused in-connections that don't have a matching out.  I would expect these settings to also give me all informational traffic, which is basically every in or out connection, as that's what occurred on the RV32X series and before.

Using the extra rule to do so in my case isn't a *huge* issue as we're a small company w/o complicated ACLs, but that could change in the future, and I'd rather not have the extra rule in place just for logging anyway.

nagrajk1969

Hi

1. You are right, absolutely right in your observations.

a) The default acl rules are NOT enabled with Logging for routed/passthru traffic across the vlan-to-wan and wan-to-vlan interfaces

b) And as you rightly mentioned, if we add a similar outbound rule and enable log on it, then every new traffic connection gets logged as expected

c) But if we have multiple vlans in the lan-side, it would mean we have to add that many acl rules for "each" vlan to wan pair and log each of them, which as you said is quite cumbersome

2. But then again, I also observe that:

a) in the default rules "VLAN" is actually representing all the vlans that would be configured by user in addition to the default vlan1

- I created 2 other vlans (vlan10, vlan20) and traffic from these along with traffic from vlan1 gets permitted by the same "default" outbound rule

b) the same goes for "WAN" in the last deny acl default rule. It represents wan1, wan2 and also if some vlan-sub-interfaces are created on the wan1/wan2 interfaces

3. So maybe it makes sense that enabling logging in the "default" rules that cover ALL interfaces that are active on the router at that instance would create a large processing overhead and slow down the router considerably, and hence not enabled by default

- So if logging for all traffic/connections is needed, it is expected that we configure as in point-1c above?

All said and done, you are right, there is a bug which needs some fix some way so that when user selects "All" logging, it should log "All" traffic/connections in outbound/inbound directions
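
To check from the collector side which facility.severity pairs actually arrive (for instance whether Kernel.info traffic entries show up before and after adding the extra logging rule discussed in this thread), here is an added example that is not part of any post above and is not Cisco code. It decodes the standard syslog `<PRI>` prefix; the sample datagrams, their message bodies and the severity used for the reject entry are constructed assumptions, not the RV34X's real log format.

```python
import re
from collections import Counter

# Facility and severity names by numeric code (RFC 3164 / RFC 5424).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "cron2",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(datagram):
    """Return (facility, severity) from the leading <PRI>, or None if invalid."""
    m = PRI_RE.match(datagram)
    if m is None or int(m.group(1)) > 191:   # 23*8 + 7 is the largest valid PRI
        return None
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def tally(datagrams):
    """Count received messages per facility.severity selector."""
    counts = Counter()
    for d in datagrams:
        decoded = decode_pri(d)
        counts["unparsed" if decoded is None else "%s.%s" % decoded] += 1
    return counts

def missing_selectors(counts, expected=("kern.info",)):
    """Selectors that were expected at the collector but never arrived."""
    return [s for s in expected if counts[s] == 0]

# Constructed sample datagrams; bodies are placeholders, not real RV34X output.
# Using kern.warning (<4>) for the inbound reject entry is an assumption.
BEFORE_RULE = [
    "<14>Jan  1 00:00:01 router example: constructed system message",
    "<13>Jan  1 00:00:02 router example: constructed login message",
    "<4>Jan  1 00:00:03 router kernel: constructed inbound reject message",
]
AFTER_RULE = BEFORE_RULE + [
    "<6>Jan  1 00:00:04 router kernel: constructed outbound traffic message",
]

if __name__ == "__main__":
    for name, sample in (("before", BEFORE_RULE), ("after", AFTER_RULE)):
        counts = tally(sample)
        print(name, dict(counts), "missing:", missing_selectors(counts))
```

Feeding it the raw lines a syslog server received over a fixed window makes a silent gap in traffic logging visible as a missing selector rather than something noticed by eye.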