How to get a linux network log?
We have a java server running in linux at a specific port that accepts persistent connections for thousands and thousands of users. Recently our clients are not able to connect with a time out error. We suspect the traffic is getting too high but our java log actually shows that not many are connected in per second. We suspect that could it be that too many are trying at the same time and they are basically dropped at the OS level and therefore the java program never really gets a chance to accept the connection? Is there some sort of log in linux that can show someone trying to hit a socket?
5 Answers 5
iptables -I INPUT -p tcp —dport some_port -j LOG then
tail -f /var/log/messages
Afterwards, to see how much data has been hit by that rule: iptables -L -n -v
Or you could run tcpdump and grep out the ports.
+1. A slight modification might work better to catch just the new connection attempts: iptables -I INPUT -p tcp —dport some_port -m state —state NEW . Note that unless you’re interested in the details of each connection attempt, omitting -j LOG avoids spamming the system log file with lots of unneeded data.
Upon setting this up, prepare to see a stomach-churningly high number of supposedly non-malicious security crawlers connecting to your server, like implant-scanner-victims-will-be-notified.threatsinkhole.com , stretchoid.com , jobqueue-listener.jobqueue.netcraft.com-digitalocean , . good to know.
Logging outgoing connections as they happen
Is there a way to log to file all the outgoing connections that a process creates? I am aware of netstat but that seems to be more of a snapshot of a point in time rather than something that runs and logs information over a period. I only need the IP or hostname, port and the process making the connection.
Well, you could do something like watch -n 2 netstat in the meantime, but that’s not a proper solution, is it.
4 Answers 4
On Linux, you can set up the audit subsystem to log every attempt to establish a network connection. For information about the audit subsystem, read the auditctl man page or this tutorial or other examples on this site. Install your distribution’s auditd package if necessary, then
auditctl -A exit,always -S connect The logs are in /var/log/audit/audit.log on all the distributions that I know of. You can also search them with ausearch .
I needed to identify which process was making an outgoing connection. This did it instantly. To avoid flooding the logs, remove the rule afterward: auditctl -d exit,always -S connect
This seems to log a huge amount of data, though having tried a curl — the ip address was NOT logged in the /var/log/audit/audit.log file.
If you’re able to install a custom kernel, you should have a look at SystemTap. There are plenty of examples how to trace network activity.
On Linux, you can use ip_conntrack to accomplish this. It’s a connection tracking module, used normally to monitor connections for oddly behaving protocols (like FTP) to be managed by a firewall/NAT box.
modprobe ip_conntrack cat /proc/net/ip_conntrack You can grep the pseudo-file to see established connections, and further grep the source IP to see when it originates from your box.
I would look into using tcpdump on the outbound interface looking at the outbound SYN requests.
If you feel really adventurous you could make utilities like: strace or truss report all connect system calls while tracing the execution of the program but this is a bit more dangerous and has drawbacks when dealing with multithreaded processes.
You must log in to answer this question.
Linked
Related
Hot Network Questions
Subscribe to RSS
To subscribe to this RSS feed, copy and paste this URL into your RSS reader.
Site design / logo © 2023 Stack Exchange Inc; user contributions licensed under CC BY-SA . rev 2023.7.14.43533
Linux is a registered trademark of Linus Torvalds. UNIX is a registered trademark of The Open Group.
This site is not affiliated with Linus Torvalds or The Open Group in any way.
By clicking “Accept all cookies”, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy.
Where are network manager logs? (16.04)
I have new Ubuntu and I want to debug some errors in network settings. I cannot find log for NetworkManager. /var/log/syslog and /var/log/daemon.log — what people recommend on this stack exchange in other questions — are both empty. Python script from this page — https://wiki.ubuntu.com/DebuggingNetworkManager — doesn’t exist anymore. sudo service network-manager status displays a few lines of the log, but not all.
2 Answers 2
journalctl -u NetworkManager.service -u , —unit=UNIT|PATTERN Show messages for the specified systemd unit UNIT (such as a service unit), or for any of the units matched by PATTERN. [. ]
Yes. Since the question is on askubuntu, it talks about systemd, because all ubuntu installations are with systemd (except for ancient ones).
What are You saying exactly? That Ubuntu 14.04 is not Ubuntu? Or users of those «ancient» versions, as You say, are not accepted in this StackExchange network site? You did ask the question without specifying Your Ubuntu version, so.
You can also try this one. You’ll see some Network Manager state changes with this one.
sudo journalctl -fu NetworkManager Mar 15 09:06:37 macbookair NetworkManager[1098]: [xxx] keyfile: add connection in-memory (xxx,"tun0") Mar 15 09:06:37 macbookair NetworkManager[1098]: [xxx] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-state: 'external') Mar 15 09:06:37 macbookair NetworkManager[1098]: [xxx] device (tun0): Activation: starting connection 'tun0' (xxx) -f , —follow Show only the most recent journal entries, and continuously print new entries as they are appended to the journal.