First of all I would like to apologise in case the answer to this question is already in the forum or help. The question: is there a way to correlate a log event (entry) to the rule that fired it?
When the number of rules is increasing, it would be helpful to know the correlation between log events and rules, so the proper rule can be adjusted (without -manually- searching through the list of rules).
I was creating some rules for my networkdrive NAS system (see networkdrive topic) and what I noticed is a checkmark in the Global Rules: “log as firewall event if this rule is fired”. Is this what you are looking for?
Actually the question is a different one (I have no problem logging firewall events): when viewing a Firewall Event, is there a way to know which rule fired the event?
Normally, if I go through the list I will find the rule responsible for each event, but it would help to have this information without “manually” looking for it (if there are many rules it can be a bit more difficult than it sounds). Especially for the Global Rules, which (as I understand it) are filled as “Windows operating system” for the “Application” column.
Each Firewall Event has the following columns: Application, Action, Protocol, Source IP, Source Port, Destination IP, Destination Port, and Date/Time. What I’m looking for is a column specifying the Rule that fired the event. If there is no way to know the rule, then perhaps this is a feature request.
Somehow I never had a problem figuring this out. If you don't double-cross rules, it should be clear enough which it was.
Like “block IP in any any” as a global rule. It would appear in the log as “system” or the other unspecific name, because it is fired before any program could be related to this event.
Indeed, you can look for it and will eventually find it, but my rule set is a bit long and maybe I'm used to other firewalls (e.g. ipfw), where the rule is in the logs. It also makes sense.
For application rules it's already naming it.
For global rules, as long as you keep the rules “un-crossed”, you could determine which one causes what.
I made some rules in global, and I have been able to see the causing rule by the logged effect.
You are right, it would be a good feature to have the name of the rule in the log.
But just make the rules unique. There's no need anyway to make two rules which cross each other.
If you want, give an example of an (anonymized) log, and the correlating rules which aren't clear to be the cause.
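The thread's point, first-match rule order plus "un-crossed" rules, can be checked mechanically. The following is an added example (not from the forum or from the firewall vendor) that matches a log event with the columns listed above against an ordered rule list and reports every rule that would match, so a hit on more than one rule flags a crossed rule set; the rule and event format is assumed, not the product's own.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"

@dataclass
class Rule:
    name: str
    action: str        # "Allow" or "Block"
    direction: str     # "In", "Out" or ANY
    protocol: str      # "TCP", "UDP", "ICMP" or "IP" (IP matches every protocol)
    src: str = ANY     # single address, CIDR, or ANY
    dst: str = ANY
    dport: str = ANY   # "445", "1024-65535" or ANY

def _net_match(pattern: str, ip: str) -> bool:
    return pattern == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def _port_match(pattern: str, port: str) -> bool:
    if pattern == ANY:
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= int(port) <= int(hi or lo)

def rule_matches(rule: Rule, event: dict) -> bool:
    # event keys mirror the Firewall Event columns (direction, protocol, src/dst IP, dst port)
    return (rule.direction in (ANY, event["direction"])
            and rule.protocol in ("IP", event["protocol"])
            and _net_match(rule.src, event["src_ip"])
            and _net_match(rule.dst, event["dst_ip"])
            and _port_match(rule.dport, event["dst_port"]))

def matching_rules(rules: list, event: dict) -> list:
    """Names of every rule that matches; more than one means the rules are 'crossed'."""
    return [r.name for r in rules if rule_matches(r, event)]

def firing_rule(rules: list, event: dict):
    """First-match semantics: the first rule in order that matches is the one that fired."""
    return next((r for r in rules if rule_matches(r, event)), None)

# Constructed sample rule set (order matters) and two constructed log events.
RULES = [
    Rule("Allow LAN NAS", "Allow", "Out", "TCP", dst="192.168.1.0/24", dport="445"),
    Rule("Allow DNS out", "Allow", "Out", "UDP", dport="53"),
    Rule("Block IP In Any", "Block", "In", "IP"),
]
EVENT_IN = {"direction": "In", "protocol": "TCP", "src_ip": "203.0.113.5",
            "dst_ip": "192.168.1.10", "dst_port": "445"}
EVENT_OUT = {"direction": "Out", "protocol": "TCP", "src_ip": "192.168.1.10",
             "dst_ip": "192.168.1.20", "dst_port": "445"}
```

Run `matching_rules` over a day's exported events; any event returning two or more names is exactly the "crossed" case where the log alone cannot tell you which rule fired.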