Syslog logging with NinjaFirewall.

NinjaFirewall WP+ (3.5.4), Pro and Pro+ (3.2.12) introduce a long-awaited feature, Syslog logging:

"Syslog is a way for network devices to send event messages to a logging server – usually known as a Syslog server. The Syslog protocol is supported by a wide range of devices and can be used to log different types of events." (Wikipedia)

This option can be enabled from the “NinjaFirewall > Firewall Log” page.

It will redirect all events to the syslog server (LOG_USER facility). The logline uses the following format:

ninjafirewall[AA]: BB: #CCCCCCC: Some event from DD on EE

Where:

  • AA: the process ID (PID).
  • BB: the level of severity as it appears in the firewall log. It can be CRITICAL, HIGH, MEDIUM, INFO, UPLOAD or DEBUG_ON.
  • CCCCCCC: the 7-digit incident ID.
  • DD: the user's IPv4 or IPv6 address.
  • EE: the website (sub-)domain name.

Sample loglines:

# tail -n 4 /var/log/user.log
Oct  3 01:53:51 www ninjafirewall[19054]: INFO: #2498192: Logged in administrator from 12.24.56.78 on mysite.com
Oct  3 02:01:56 www ninjafirewall[19054]: INFO: #1522694: Firewall log deleted by admin from 12.24.56.78 on mysite.com
Oct  3 14:02:20 www ninjafirewall[18270]: HIGH: #7167442: Cross-site scripting from fe80::6e88:14ff:fe3e:86f0 on blog.domain.com
Oct  3 15:40:48 www ninjafirewall[19058]: CRITICAL: #2601781: ASCII character 0x00 (NULL byte) from fe80::6e88:14ff:fe3e:86f0 on blog.domain.com
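
The logline format above can be parsed on the Syslog server to feed alerting. The following is an added example, not part of NinjaFirewall: the names parse_line and alerts_by_source are hypothetical, and the input is the four sample loglines shown above.

```python
import ipaddress
import re
from collections import Counter

LEVELS = ("CRITICAL", "HIGH", "MEDIUM", "INFO", "UPLOAD", "DEBUG_ON")

# ninjafirewall[AA]: BB: #CCCCCCC: Some event from DD on EE
LINE_RE = re.compile(
    r"ninjafirewall\[(?P<pid>\d+)\]: "
    r"(?P<level>" + "|".join(LEVELS) + r"): "
    r"#(?P<incident>\d{7}): "
    r"(?P<event>.*) from (?P<ip>\S+) on (?P<host>\S+)$"
)

# The four sample loglines from this page.
SAMPLE = [
    "Oct  3 01:53:51 www ninjafirewall[19054]: INFO: #2498192: Logged in administrator from 12.24.56.78 on mysite.com",
    "Oct  3 02:01:56 www ninjafirewall[19054]: INFO: #1522694: Firewall log deleted by admin from 12.24.56.78 on mysite.com",
    "Oct  3 14:02:20 www ninjafirewall[18270]: HIGH: #7167442: Cross-site scripting from fe80::6e88:14ff:fe3e:86f0 on blog.domain.com",
    "Oct  3 15:40:48 www ninjafirewall[19058]: CRITICAL: #2601781: ASCII character 0x00 (NULL byte) from fe80::6e88:14ff:fe3e:86f0 on blog.domain.com",
]

def parse_line(line):
    """Return the logline fields as a dict, or None if the line does not match."""
    m = LINE_RE.search(line.rstrip("\n"))
    if m is None:
        return None
    fields = m.groupdict()
    try:
        # Reject lines whose DD field is not a valid IPv4/IPv6 address.
        fields["ip"] = str(ipaddress.ip_address(fields["ip"]))
    except ValueError:
        return None
    fields["pid"] = int(fields["pid"])
    return fields

def alerts_by_source(lines, levels=("CRITICAL", "HIGH")):
    """Count events of the given severities per source address."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["level"] in levels:
            counts[rec["ip"]] += 1
    return counts

if __name__ == "__main__":
    for ip, n in alerts_by_source(SAMPLE).most_common():
        print(f"{ip}: {n} CRITICAL/HIGH event(s)")
```

The incident ID is kept as a string so it can be matched against the ID shown in the firewall log without losing leading zeros.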

If you are using NinjaFirewall WP+ Edition, this feature does not apply to the brute-force protection, which can be set up separately to write events to the server authentication log instead. See the “Login Protection” page.