FastNetMon Advanced generates pretty big amount of log entries and they can be used to debug some decisions made by FastNetMon. By default, FastNetMon uses file based logging to /var/log/fastnetmon/fastnetmon.log. Example log entry looks like:
2020-05-01 19:12:46,252 [INFO] FastNetMon started 2020-05-01 19:12:46,252 [INFO] FastNetMon version: 2.0.187 git 804...631 started 2020-05-01 19:12:46,252 [INFO] Read configuration file
For any kinds of issues or misbehavior FastNetMon uses logging levels WARN and ERROR:
2020-04-12 22:31:24,262 [WARN] We will use 192.168.1.0/30 instead of 192.168.1.1/30 because it's host address 2020-03-17 09:40:34,244 [ERROR] Please specify intreface for AF_PACKET
If you have any log analytics system it make sense to filter our such error messages and look on them precisely.
If you experience some complex issues or support team told you so then you can enable debug level logging:
sudo fcli set main logging_level debug sudo fcli commit
In this mode FastNetMon will generate really big amount of log entries, please do not enable this mode for long time and after debugging, please switch to default log level “info”:
sudo fcli set main logging_level info sudo fcli commit
For systems with centralized log collection we offer ability to send logs to remove locations via syslog’s UDP based protocol.
sudo fcli set main logging_remote_syslog_logging enable sudo fcli set main logging_remote_syslog_port 514 sudo fcli set main logging_remote_syslog_server 10.10.10.10 sudo fcli commit
As another option, you can send messages to local syslog daemon:
sudo fcli set main logging_local_syslog_logging enable sudo fcli commit
Please do not rely on text of log messages, we do not guarantee their consistency, please use API or callback scripts instead.
FastNetMon has support for versioned and stable log messages which can be used for different actions and we guarantee their availability and format in new versions. They’re enabled automatically when you enable remote or local syslog logging. Examples:
v:1 mode:blackhole action:ban proto:ipv4 target:127.0.0.1 pps_in_rate:0 pps_out_rate:0 bytes_in_rate:0 bytes_out_rate:0 v:1 mode:blackhole action:unban proto:ipv4 target:127.0.0.1 pps_in_rate:0 pps_out_rate:0 bytes_in_rate:0 bytes_out_rate:0
Attack status reporting
In addition to reports of ban and unban operations FastNetMon has capability to report active attacks. You can enable it this way:
sudo fcli set main ban_status_updates true sudo fcli commit
After that you can set period how often in seconds FastNetMon will report active attacks:
sudo fcli set main ban_status_delay 20 sudo fcli commit
Example log message format is following:
v:1 mode:blackhole action:status proto:ipv4 target: 1.2.3.4 pps_in_rate: 1 pps_out_rate: 2 bytes_in_rate: 3 bytes_out_rate: 4
Starting from 2.0.359 FastNetMon has capability to log status of ongoing IPv6 attacks too.
journald logging instead of file logging
By default FastNetMon stores log information to /var/log/fastnetmon/fastnetmon.log If you prefer you can specify command line flag –log_to_console and it will send logs to systemd journald. Same flag is supported by traffic_db daemon which stores it’s log file to /var/log/fastnetmon/traffic_db.log by default.
To switch FastNetMon from file logging to journald you need to run following command:
sudo systemctl edit fastnetmon
Then provide following information:
[Service] # Clear previous value ExecStart= ExecStart=/opt/fastnetmon/app/bin/fastnetmon --log_to_console
Then empty file based log file:
sudo cp /dev/null /var/log/fastnetmon/fastnetmon.log
Apply changes:
sudo systemctl daemon-reload sudo systemctl restart fastnetmon
After that FastNetMon will not log everything to /var/log/fastnetmon/fastnetmon.log and all logging will be delivered to journald:
sudo journalctl -u fastnetmon -f -n 100
Then you need to do same with traffic_db:
sudo systemctl edit traffic_db
And provide following:
[Service] # Clear previous value ExecStart= ExecStart=/opt/fastnetmon/app/bin/traffic_db --log_to_console
Then empty file based log file:
sudo cp /dev/null /var/log/fastnetmon/traffic_db.log
Apply changes:
sudo systemctl daemon-reload sudo systemctl restart traffic_db
After that traffic_db will not log everything to /var/log/fastnetmon/traffic_db.log and all logging will be delivered to journald:
sudo journalctl -u traffic_db -f -n 100