MAAS logging reference

Pinpoint issues with four types of log files:

  1. Firewall logs
  2. Web server logs
  3. MAAS log files
  4. System log files

See How to use logging for usage instructions.

Firewall logs

Ubuntu’s UncomplicatedFirewall (UFW) serves as a front-end for iptables. To secure your MAAS setup, regularly review logs located in /var/log/ufw*.

Find red flags in UFW and iptables logs by looking for key patterns:

  • Be wary of traffic probing unused ports, which may indicate an active port scanner:
    blocked incoming tcp connection request from 96.39.208.43:8240 to 128.17.92.85:6002

  • Cross-reference unusual port numbers against databases of known hacker tools.

  • Look for repeated, failed access attempts from the same domain, IP, or subnet:

    blocked incoming tcp connection request from 96.39.208.43:49343 to 64.242.119.18:31337
  • Examine repeated, errant essages from within your network, which may indicate a Trojan horse:.
    blocked outgoing tcp packet from 192.168.23.100:5240 to 96.38.231.18:443 as FIN:ACK received, but there is no active connection.

Web server logs

Use a log analysis tool, or inspect raw logs stored in paths like /var/log/httpd/ or /var/log/apache2, looking for:

  • Multiple, rapid-fire requests
  • Multiple failed login attempts
  • Requests for non-existent pages
  • Signs of SQL injection and Web shell attempts

MAAS logs

Pkg Fmt Look for failed logins in…
Snap /var/snap/maas/common/log/regiond.log
Packages /var/log/maas/regiond.log

For example, a legitimate login request might resemble:

    2020-03-31 21:17:56 regiond: [info] 10.132.172.1 GET /MAAS/accounts/login/ HTTP/1.1 --> 200 OK

System logs

Systemd log commands (MAAS 3.5 and Newer)

Component Snap Command Debian Command
Regiond journalctl -u snap.maas.pebble -t maas-regiond journalctl -u maas-regiond
Rackd journalctl -u snap.maas.pebble -t maas-rackd journalctl -u maas-rackd
API Server journalctl -u snap.maas.pebble -t maas-apiserver journalctl -u maas-apiserver
Proxy (squid) journalctl -u snap.maas.pebble -t maas-proxy journalctl -u maas-proxy
NTP (chrony) journalctl -u snap.maas.pebble -t chronyd journalctl -u chrony

Log file locations (Before MAAS 3.5)

Component Snap Location Debian Location
Regiond /var/snap/maas/common/log/regiond.log /var/log/maas/regiond.log
Rackd /var/snap/maas/common/log/rackd.log /var/log/maas/rackd.log
maas.log /var/snap/maas/common/log/maas.log /var/log/maas/maas.log

Last updated 3 hours ago.

Help improve this document in the forum.