Thread: HOW TO: Create a Browser Logger
Creating a web browser logger
Since I've been a member of the Ubuntu forum I've come across quite a few people requesting some sort of utility or program for observing traffic when using a browser on the internet. The aim is to provide such a 'utility', and the following tutorial describes how to do this.
Ubuntu supplies a program called ufw (Uncomplicated Firewall) for managing the firewall. ufw logs firewall activity on your computer. Gufw is a GUI front end for ufw that many people use on Ubuntu and Linux Mint for configuring the firewall.
ufw log data is written to the file /var/log/ufw.log, and this file can be viewed with Ubuntu's log file viewer. The log level details in ufw can be set to various levels (low to full) by setting the log level preferences in Gufw. The downside is that ufw also writes its firewall logs to syslog, kern and messages as well as ufw.log.
If you adjust the log levels to high you will see that ufw.log provides firewall data for all traffic on your computer. This will include DNS, mDNS, IPP, ICMP, POP, SMTP, IPP (if using a printer), DHCP and a whole lot more depending on the services you are using. Going through ufw.log can be a nightmare, as it shows blocked traffic, allowed traffic and also the audit data produced before making the decision to allow or block traffic.
To make it easier to find web browser traffic in the firewall logs we need to intercept the browser log data being written to ufw.log and copy that data to a separate file. I also wanted to stop firewall data filling up the syslog, kern and messages logs so that I can increase the ufw log level from low to high for a more detailed view of traffic on my computer. In addition I needed a separate file for logging blocked traffic so that I didn't have to scroll through ufw.log (using the Ubuntu log file viewer) to find it.
ufw has a special configuration file called 20-ufw.conf, which can be found in the /etc/rsyslog.d folder. This config file causes ufw to write its logs to the file ufw.log. We need to modify this file to create the browser logger. Back up the original 20-ufw.conf file using sudo nautilus and select copy (or whatever method you prefer), then open 20-ufw.conf, delete its contents, and copy and paste in the file below. Save the new 20-ufw.conf file. To apply the changes either restart your computer or run a terminal and type:
sudo restart rsyslog
Two new log files are created in the /var/log folder: one called "ufwbrowser.log" and the other "ufwblocks.log". You can view these logs by running Ubuntu's log file viewer: select File on the main menu and select Open. Scroll down the list of log files and open both "ufwblocks.log" and "ufwbrowser.log". Click on ufwbrowser.log (in the log file viewer) to open the log file contents. Fire up Firefox or whatever browser you use and watch the HTTP and HTTPS traffic in the log viewer in real time.
Job done!!!
Final notes (please read)
If you have never used Gufw or ufw before then I recommend that you learn how to use and configure the firewall before making changes to the 20-ufw.conf file. It is not my intention to provide information on how to use Gufw or on how to set up firewalls. There are many threads on this topic which can be found in the security section of the Ubuntu forums.
If you are familiar with Gufw....
Run Gufw and set the log levels to high or full (Gufw Edit > Preferences) so that ufw sends all firewall activity to the firewall logs. If you add your own firewall rules using Gufw make sure you tick the "Show extended actions" box and select log. This makes sure ufw logs the new rule.
The two new log files that have been created can grow to quite a size, the browser log especially. It can reach many megabytes in size and cause the log file viewer to become sluggish and unresponsive if too big. The ufw.log file is automatically rotated by the system so this is not a problem. ufwbrowser.log and ufwblocks.log need to be backed up and deleted from time to time. You could apply some sort of log rotation scheme to these two files, but you will lose the permanent record of your internet activities if you select this method. The choice is yours.
At the moment HTTP and HTTPS traffic is sent to the ufwbrowser log. You can modify the file below to add FTP (21) traffic, etc.
ufw.log still captures all traffic on the system as it did before, including browser traffic and blocked traffic. No changes here, except that the audit data is removed.
I have not used this 'utility' without using the Gufw GUI front end for ufw. It 'should' work with ufw alone (for those of you who don't use Gufw). Maybe some of you guys on the forum can test it out and give me feedback on the subject.
Enjoy
spartacux
Copy and paste the following into 20-ufw.conf:
PS: I had trouble pasting the file into the forum and had to edit it in the message box. Hopefully, I didn't corrupt the data during the paste operation!
#********************************************************
# Web browser logger using Gufw/ufw
#
# Stops ufw logs going to the syslog, messages and
# kernel logs. Also creates a log file for
# viewing blocked traffic and ignores ufw audit data.
#
# Created by spartacux, Nov 2011
#
# The author accepts no liability for this file and
# users use it at their own risk
#********************************************************
# Log ufw blocked traffic to a separate log file #
# (rsyslog matches are case-sensitive; ufw writes its tags in upper case)
:msg, contains, "UFW BLOCK" /var/log/ufwblocks.log
# Log HTTP and HTTPS to a separate browser log #
# (the trailing space stops DPT=80 also matching ports such as 8080)
:msg, regex, "UFW ALLOW.*DPT=80 " /var/log/ufwbrowser.log
:msg, regex, "UFW ALLOW.*DPT=443 " /var/log/ufwbrowser.log
# Don't write audit data to the ufw logs #
:msg, contains, "UFW AUDIT" ~
& ~
# Keep ufw data in the ufw logs #
:msg, contains, "[UFW" /var/log/ufw.log
& ~
#********************************************************
# Notes:
#
# This file replaces /etc/rsyslog.d/20-ufw.conf
# and handles all ufw data.
#
# If using Gufw to add your own firewall rules then
# make sure you set each rule to log its output by
# selecting the advanced rule options and selecting
# show extended actions.
#
# Also set the Gufw log levels to high or full (Gufw
# preferences) to get the best out of this ufw
# utility. You can open "ufwbrowser.log" and
# "ufwblocks.log" with Ubuntu's log file viewer
# and see your browser traffic in real time!!!
#
# I hope you find this logger useful
# spartacux
#
#********************************************************
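Added example (not part of the original post or of ufw): once ufwbrowser.log grows too large to read comfortably in the log file viewer, a short script can reduce it to a count of allowed connections per destination and port. The function names parse_line and summarise are hypothetical, the sample lines are constructed using documentation addresses, and the KEY=value field layout is assumed to be the usual kernel log format that ufw entries use.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel/ufw log format (not real traffic).
SAMPLE = """\
Nov 12 10:01:02 host kernel: [ 101.1] [UFW ALLOW] IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=14600 SYN URGP=0
Nov 12 10:01:03 host kernel: [ 102.4] [UFW ALLOW] IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=50001 DPT=443 WINDOW=14600 SYN URGP=0
Nov 12 10:01:05 host kernel: [ 104.0] [UFW ALLOW] IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TTL=64 ID=3 DF PROTO=TCP SPT=50002 DPT=80 WINDOW=14600 SYN URGP=0
Nov 12 10:01:06 host kernel: [ 105.2] [UFW ALLOW] IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TTL=64 ID=4 DF PROTO=TCP SPT=50003 DPT=8080 WINDOW=14600 SYN URGP=0
Nov 12 10:01:08 host kernel: [ 107.9] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=50 ID=5 PROTO=TCP SPT=4444 DPT=443 WINDOW=1024 SYN URGP=0
Nov 12 10:01:09 host CRON[123]: (root) CMD (true)
"""

# "[UFW <ACTION>]" followed by the space-separated fields.
LINE_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+)\] (?P<fields>.*)$")

def parse_line(line):
    """Return a dict for one ufw log line, or None if it is not a ufw entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group("action"), "flags": []}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value          # KEY=value; value may be empty ("IN=")
        else:
            rec["flags"].append(key)  # bare flags such as DF or SYN
    return rec

def summarise(text, ports=("80", "443")):
    """Count allowed connections per (destination, port) for the given ports."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        # Compare the whole DPT value so that 8080 is not mistaken for 80.
        if rec and rec["action"] == "ALLOW" and rec.get("DPT") in ports:
            counts[(rec.get("DST"), rec["DPT"])] += 1
    return counts

if __name__ == "__main__":
    for (dst, port), n in summarise(SAMPLE).most_common():
        print(f"{n:5d}  {dst}:{port}")
```

To run it against the real log, pass the contents of /var/log/ufwbrowser.log to summarise() instead of SAMPLE; reading that file may need root or membership of the group that owns it.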