Log management in FastNetMon

FastNetMon Advanced generates a large number of log entries, which can be used to understand the decisions FastNetMon makes. By default, FastNetMon writes its log to the file /var/log/fastnetmon/fastnetmon.log. Example log entries look like this:

2020-05-01 19:12:46,252 [INFO] FastNetMon started
2020-05-01 19:12:46,252 [INFO] FastNetMon version: 2.0.187 git 804...631 started
2020-05-01 19:12:46,252 [INFO] Read configuration file

For any kind of issue or misbehaviour, FastNetMon uses the logging levels WARN and ERROR:

2020-04-12 22:31:24,262 [WARN] We will use 192.168.1.0/30 instead of 192.168.1.1/30 because it's host address
2020-03-17 09:40:34,244 [ERROR] Please specify intreface for AF_PACKET

If you have a log analytics system, it makes sense to filter for messages at these two levels and review them manually.
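As an added example (not part of the FastNetMon documentation or product), here is a small Python filter for the file-based log format shown above: it parses the timestamp and level of each line and returns only the WARN and ERROR entries, which is the kind of pre-filtering a log analytics pipeline would do before a person reviews them. The sample log is constructed for the example and reuses the entries shown above plus a DEBUG line and a malformed line to show how they are handled.

```python
import re
from datetime import datetime

# Layout of a FastNetMon file log line: "YYYY-MM-DD HH:MM:SS,mmm [LEVEL] message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)

# Levels FastNetMon uses for issues and misbehaviour
ALERT_LEVELS = frozenset({"WARN", "ERROR"})

# Constructed sample log, modelled on the entries shown above (not a real capture)
SAMPLE_LOG = """\
2020-05-01 19:12:46,252 [INFO] FastNetMon started
2020-05-01 19:12:46,252 [INFO] Read configuration file
2020-04-12 22:31:24,262 [WARN] We will use 192.168.1.0/30 instead of 192.168.1.1/30 because it's host address
2020-03-17 09:40:34,244 [ERROR] Please specify intreface for AF_PACKET
2020-03-17 09:40:35,001 [DEBUG] Example debug entry
this line has no timestamp and is skipped by the parser
"""


def parse_line(line):
    """Return {"ts", "level", "msg"} for a well-formed line, or None otherwise."""
    match = LINE_RE.match(line.rstrip("\n"))
    if match is None:
        return None
    # %f accepts the three-digit millisecond field used in the log
    ts = datetime.strptime(match.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
    return {"ts": ts, "level": match.group("level"), "msg": match.group("msg")}


def alerts(lines, levels=ALERT_LEVELS):
    """Return parsed entries whose level is in `levels`, in file order."""
    found = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and entry["level"] in levels:
            found.append(entry)
    return found


def level_counts(lines):
    """Count well-formed entries per level, a quick health summary of a log file."""
    counts = {}
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            counts[entry["level"]] = counts.get(entry["level"], 0) + 1
    return counts


if __name__ == "__main__":
    for entry in alerts(SAMPLE_LOG.splitlines()):
        print(entry["ts"].isoformat(), entry["level"], entry["msg"])
    print(level_counts(SAMPLE_LOG.splitlines()))
```

Lines that do not match the layout (for example continuation lines of a multi-line message) are skipped rather than raising, so the filter can run over a live log file without interruption; level_counts gives a quick view of whether WARN or ERROR entries are accumulating at all.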

If you experience complex issues, or if our support team specifically advises it, you can enable debug-level logging:

sudo fcli set main logging_level debug
sudo fcli commit

In this mode, FastNetMon will generate a very large number of log entries. Please do not leave this mode enabled for an extended period of time; after debugging, switch back to the default log level, info:

sudo fcli set main logging_level info
sudo fcli commit

If you need to debug FastNetMon's logic during the configuration initialisation phase, that is, before FastNetMon has read the logging level from the database, add the following option to /etc/fastnetmon/fastnetmon.conf:

{ "logging_level": "debug" }

After this, restart FastNetMon. To return to the default logging level, set it back to info:

{ "logging_level": "info" }

For systems with centralised log collection, FastNetMon can send logs to remote locations using syslog's UDP-based protocol:

sudo fcli set main logging_remote_syslog_logging enable
sudo fcli set main logging_remote_syslog_port 514
sudo fcli set main logging_remote_syslog_server 10.10.10.10
sudo fcli commit

As another option, you can send messages to the local syslog daemon:

sudo fcli set main logging_local_syslog_logging enable
sudo fcli commit

Please do not rely on the text of log messages; we do not guarantee their consistency between versions. Use the API or callback scripts instead.

FastNetMon also supports versioned, stable log messages, which can be used to trigger actions; we guarantee their availability and format in new versions. They are enabled automatically when you enable remote or local syslog logging. Examples:

v:1 mode:blackhole action:ban proto:ipv4 target:127.0.0.1 pps_in_rate:0 pps_out_rate:0 bytes_in_rate:0 bytes_out_rate:0
v:1 mode:blackhole action:unban proto:ipv4 target:127.0.0.1 pps_in_rate:0 pps_out_rate:0 bytes_in_rate:0 bytes_out_rate:0

Attack status reporting

In addition to reporting ban and unban operations, FastNetMon can report active attacks. You can enable this as follows:

sudo fcli set main ban_status_updates true
sudo fcli commit

After that, you can set the period in seconds at which FastNetMon reports an active attack:

sudo fcli set main ban_status_delay 20
sudo fcli commit

An example log message looks like this:

v:1 mode:blackhole action:status proto:ipv4 target: 1.2.3.4 pps_in_rate: 1 pps_out_rate: 2 bytes_in_rate: 3 bytes_out_rate: 4

Starting from 2.0.359, FastNetMon can also log the status of ongoing IPv6 attacks.
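As an added example that is not part of FastNetMon or its documentation, the following Python code parses the versioned v:1 messages shown in this and the previous section and replays a stream of ban, unban and status messages into a table of currently blackholed targets, which is what a collector would maintain to cross-check FastNetMon's state. It tolerates both spacing variants shown on the page (target:127.0.0.1 and target: 1.2.3.4), keeps IPv6 targets intact even though their values contain colons, converts the rate fields to integers, and rejects messages with a version other than 1. The sample messages are constructed; the parser takes the message text only, so any syslog header the collector prepends is assumed to have been removed already.

```python
# Fields the versioned messages carry as integer rates
NUMERIC_KEYS = ("pps_in_rate", "pps_out_rate", "bytes_in_rate", "bytes_out_rate")
# Only the message version shown in the documentation is understood
SUPPORTED_VERSION = 1
# Keys every message is expected to carry
REQUIRED_KEYS = ("v", "mode", "action", "proto", "target")

# Constructed sample stream modelled on the examples above (not a real capture)
SAMPLE_MESSAGES = [
    "v:1 mode:blackhole action:ban proto:ipv4 target:127.0.0.1 pps_in_rate:0 pps_out_rate:0 bytes_in_rate:0 bytes_out_rate:0",
    "v:1 mode:blackhole action:status proto:ipv4 target: 1.2.3.4 pps_in_rate: 1 pps_out_rate: 2 bytes_in_rate: 3 bytes_out_rate: 4",
    "v:1 mode:blackhole action:status proto:ipv6 target: 2001:db8::1 pps_in_rate: 5 pps_out_rate: 6 bytes_in_rate: 7 bytes_out_rate: 8",
    "v:1 mode:blackhole action:unban proto:ipv4 target:127.0.0.1 pps_in_rate:0 pps_out_rate:0 bytes_in_rate:0 bytes_out_rate:0",
]


def parse_versioned(message):
    """Parse one 'key:value key:value ...' message into a dict.

    A value may follow the colon directly or after whitespace. Splitting each
    token on its first colon only keeps IPv6 addresses such as 2001:db8::1 whole.
    """
    tokens = message.split()
    fields = {}
    i = 0
    while i < len(tokens):
        token = tokens[i]
        if ":" not in token:
            raise ValueError(f"unexpected token {token!r}")
        key, value = token.split(":", 1)
        if value == "":
            # "target: 1.2.3.4" form: the value is the next token
            i += 1
            if i >= len(tokens):
                raise ValueError(f"missing value for {key!r}")
            value = tokens[i]
        fields[key] = value
        i += 1
    missing = [k for k in REQUIRED_KEYS if k not in fields]
    if missing:
        raise ValueError(f"missing keys {missing}")
    if fields["v"] != str(SUPPORTED_VERSION):
        raise ValueError(f"unsupported message version {fields['v']!r}")
    for key in NUMERIC_KEYS:
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def apply_messages(messages):
    """Replay a message stream and return the targets currently blackholed.

    ban and status messages (re)record a target with its latest rates;
    unban removes it. Keys are (proto, target) tuples.
    """
    active = {}
    for message in messages:
        fields = parse_versioned(message)
        key = (fields["proto"], fields["target"])
        if fields["action"] in ("ban", "status"):
            active[key] = fields
        elif fields["action"] == "unban":
            active.pop(key, None)
        else:
            raise ValueError(f"unknown action {fields['action']!r}")
    return active


if __name__ == "__main__":
    for (proto, target), fields in apply_messages(SAMPLE_MESSAGES).items():
        print(proto, target, fields["action"], fields["pps_in_rate"], "pps in")
```

Treating status messages as a (re)record, not only as a refresh, means a collector started after a ban was issued still learns about the attack from the next periodic status report; the version check ensures that a future message format is rejected loudly rather than misparsed.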

Journald logging instead of file logging

By default, FastNetMon stores log information in /var/log/fastnetmon/fastnetmon.log. If you prefer, you can specify the command line flag --log_to_console, and FastNetMon will send its logs to systemd journald instead. The same flag is supported by the traffic_db daemon, which by default stores its log in /var/log/fastnetmon/traffic_db.log.

To switch FastNetMon from file logging to journald you need to run the following command:

sudo systemctl edit fastnetmon

Then provide the following information:

[Service]
# Clear previous value
ExecStart=
ExecStart=/opt/fastnetmon/app/bin/fastnetmon --log_to_console

After this, empty the file-based log file:

sudo cp /dev/null /var/log/fastnetmon/fastnetmon.log

Apply the changes:

sudo systemctl daemon-reload
sudo systemctl restart fastnetmon

After that, FastNetMon will no longer write to /var/log/fastnetmon/fastnetmon.log; all logging will be delivered to journald, where you can follow it with:

sudo journalctl -u fastnetmon -f -n 100

Then do the same for traffic_db:

sudo systemctl edit traffic_db

And provide the following:

[Service]
# Clear previous value
ExecStart=
ExecStart=/opt/fastnetmon/app/bin/traffic_db --log_to_console

After this, empty the file-based log file:

sudo cp /dev/null /var/log/fastnetmon/traffic_db.log

Apply changes:

sudo systemctl daemon-reload
sudo systemctl restart traffic_db

After this, traffic_db will no longer write to /var/log/fastnetmon/traffic_db.log; all logging will be delivered to journald, where you can follow it with:

sudo journalctl -u traffic_db -f -n 100