NinjaFirewall WP+ (3.5.4), Pro and Pro+ (3.2.12) introduce a long-awaited feature, Syslog logging:
"Syslog is a way for network devices to send event messages to a logging server – usually known as a Syslog server. The Syslog protocol is supported by a wide range of devices and can be used to log different types of events." (Wikipedia)
This option can be enabled from the “NinjaFirewall > Firewall Log” page.
It will redirect all events to the syslog server (LOG_USER facility). The logline uses the following format:
    ninjafirewall[AA]: BB: #CCCCCCC: Some event from DD on EE
Where:
- AA: the process ID (PID).
- BB: the level of severity as it appears in the firewall log. It can be CRITICAL, HIGH, MEDIUM, INFO, UPLOAD or DEBUG_ON.
- CCCCCCC: the 7-digit incident ID.
- DD: the user IPv4 or IPv6 address.
- EE: the website (sub-)domain name.
Sample loglines:
    # tail -n 4 /var/log/user.log
    Oct 3 01:53:51 www ninjafirewall[19054]: INFO: #2498192: Logged in administrator from 12.24.56.78 on mysite.com
    Oct 3 02:01:56 www ninjafirewall[19054]: INFO: #1522694: Firewall log deleted by admin from 12.24.56.78 on mysite.com
    Oct 3 14:02:20 www ninjafirewall[18270]: HIGH: #7167442: Cross-site scripting from fe80::6e88:14ff:fe3e:86f0 on blog.domain.com
    Oct 3 15:40:48 www ninjafirewall[19058]: CRITICAL: #2601781: ASCII character 0x00 (NULL byte) from fe80::6e88:14ff:fe3e:86f0 on blog.domain.com
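An added example (not NinjaFirewall's own code): a Python parser for the logline format above, suitable for feeding events to a log pipeline or alerting on CRITICAL and HIGH severities. The function names are assumptions of this example, as is the choice to match the IP address and domain at the end of the line so that event text containing " from " or " on " does not shift the fields.

```python
import ipaddress
import re

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "INFO", "UPLOAD", "DEBUG_ON")

# Greedy (.*) makes " from <ip> on <domain>" match at the END of the line,
# even when the event text itself contains " from " or " on ".
LOGLINE = re.compile(
    r"ninjafirewall\[(?P<pid>\d+)\]: "
    r"(?P<severity>" + "|".join(SEVERITIES) + r"): "
    r"#(?P<incident>\d{7}): "
    r"(?P<event>.*) from (?P<ip>\S+) on (?P<domain>\S+)$"
)

def parse_logline(line):
    """Return a dict of fields, or None if the line is not a valid event."""
    m = LOGLINE.search(line.rstrip("\n"))
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])  # accepts IPv4 and IPv6
    except ValueError:
        return None  # malformed address: reject rather than index bad data
    return {
        "pid": int(m["pid"]),
        "severity": m["severity"],
        "incident": m["incident"],  # kept as a string: it is an ID, not a number
        "event": m["event"],
        "ip": str(ip),
        "ip_version": ip.version,
        "domain": m["domain"],
    }

def alerts(lines, levels=("CRITICAL", "HIGH")):
    """Yield parsed events whose severity is in `levels`."""
    for line in lines:
        rec = parse_logline(line)
        if rec and rec["severity"] in levels:
            yield rec

# The four sample loglines shown on this page.
SAMPLE = [
    "Oct 3 01:53:51 www ninjafirewall[19054]: INFO: #2498192: Logged in administrator from 12.24.56.78 on mysite.com",
    "Oct 3 02:01:56 www ninjafirewall[19054]: INFO: #1522694: Firewall log deleted by admin from 12.24.56.78 on mysite.com",
    "Oct 3 14:02:20 www ninjafirewall[18270]: HIGH: #7167442: Cross-site scripting from fe80::6e88:14ff:fe3e:86f0 on blog.domain.com",
    "Oct 3 15:40:48 www ninjafirewall[19058]: CRITICAL: #2601781: ASCII character 0x00 (NULL byte) from fe80::6e88:14ff:fe3e:86f0 on blog.domain.com",
]
```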
If you are using NinjaFirewall WP+ Edition, this feature does not apply to the brute-force protection which can be set up separately to write events to the server authentication log instead. See the “Login Protection” page.