Request: Security Logs

[encryptyd]

The default logging level for miniupnpd does not show add/delete/change logs for NAT and Firewall manipulations in the routing log file.

Form a security standpoint, this is highly undesirable. Security Operations Centers will want to monitor this activity in a SIEM (Security Information and Event Manager) since this code often runs on firewalls.

Please add this very critical security functionality for add/delete/change operations, ideally in standard RFC3164 syslog compliant output, and include at a minimum:

• internal port
• external port
• internal IP
• external IP
• protocol
• (Nice to Have) The name of the UPNP requesting agent if available (ex. demonware, etc.)

Thanks

[miniupnp]

I see there is already LOG_INFO :

• AddPortMapping() :

  miniupnp/miniupnpd/upnpsoap.c

  Line 528 in 0648118

  syslog(LOG_INFO, "%s: ext port %hu to %s:%hu protocol %s for: %s leaseduration=%u rhost=%s",

• DeletePortMapping() :

  miniupnp/miniupnpd/upnpsoap.c

  Line 896 in 0648118

  syslog(LOG_INFO, "%s: external port: %hu, protocol: %s",

you can use the -v command line to enable them.

There is no LOG_INFO AddAnyPortMapping

[miniupnp]

also :

• miniupnp/miniupnpd/upnpredirect.c

  Line 404 in 0648118

  syslog(LOG_INFO, "updating existing port mapping %hu %s (rhost '%s') => %s:%hu",

• miniupnp/miniupnpd/upnpredirect.c

  Line 432 in 0648118

  syslog(LOG_INFO, "redirecting port %hu to %s:%hu protocol %s for: %s",

• miniupnp/miniupnpd/upnpredirect.c

  Line 578 in 0648118

  syslog(LOG_INFO, "removing redirect rule port %hu %s", eport, protocol);

[encryptyd]

The request was really about the 'default' logging level, The -v option is known and understood. Ideally, miniupnpd should log firewall and NAT manipulation out of the box without having to take manual action such as restarting the service in verbose mode. Also, the logs are not really in a standard format, and could benefit from some standardization that makes them easier to digest in a SIEM. Things like variable=value, or ext_port=3075. Don't use spaces like "ext port %h" or "external port: %h".