This is a short post explaining how to log the UID and GID of the local process (and therefore the user account) that opens an outbound connection from a server. The rules below sit in the OUTPUT chain, so they see locally generated packets, which is the only place the kernel knows which socket owner produced the packet:
iptables -N log_traffic
iptables -I OUTPUT 1 -p tcp -m multiport --dports 80,443 -m state --state NEW -j log_traffic
iptables -A log_traffic -j LOG --log-uid --log-prefix "iptables: "
Explanation:
- Create a new iptables chain called log_traffic.
- Insert a rule at the top of the OUTPUT chain that jumps to log_traffic for every new TCP connection (the first packet, matched by the conntrack state NEW) whose destination port is 80 (http) or 443 (https). Only the first packet of each connection is logged, not every packet.
- Log the packet in log_traffic, including the UID and GID of the process that generated it (--log-uid). LOG is a non-terminating target, so after logging the packet returns to OUTPUT and is handled by the remaining rules as before; nothing is blocked. On a busy host add -m limit to the LOG rule so a burst of connections cannot flood the kernel log.
The LOG target writes to the kernel log, which rsyslog picks up through its imklog module. To pull the iptables messages out into a separate file, edit /etc/rsyslog.conf and add the following line before the catch-all rules (the leading dash means buffered writes); follow it with `& stop` (`& ~` on rsyslog versions older than 7) if you do not want the same lines to also land in the default kernel log:
:msg, contains, "iptables: " -/var/log/iptables.log
You will then see lines like this, with the UID and GID of the process that opened the connection at the end of the record:
Oct 22 14:44:54 host4sx56 kernel: [6828668.226415] iptables: IN= OUT=eth355 SRC=192.168.1.2 DST=172.17.16.52 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11754 DF PROTO=TCP SPT=35734 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=3106 GID=3106
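To make the log usable for review, here is a small parser and summarizer for lines in exactly that format. It is an added example, not code from the original post: it splits the record into KEY=VALUE fields (bare tokens such as DF and SYN are kept as flags), counts which UID connected to which DST:DPT, and lists connections made by UIDs outside an allowlist, which is how you would spot, say, a web server account that should never open outbound HTTP. The sample log text is constructed for the demonstration (the first line is the one shown above, the other lines are made up), and the allowed UID set {33} is an assumption.

```python
from collections import Counter

LOG_PREFIX = "iptables: "          # must match --log-prefix in the LOG rule

# Constructed sample: first line is the one from the post, the rest are made
# up to exercise the parser (a root connection, a uid 33 connection, and an
# unrelated sshd line that must be ignored).
SAMPLE_LOG = """\
Oct 22 14:44:54 host4sx56 kernel: [6828668.226415] iptables: IN= OUT=eth355 SRC=192.168.1.2 DST=172.17.16.52 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11754 DF PROTO=TCP SPT=35734 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=3106 GID=3106
Oct 22 14:45:01 host4sx56 kernel: [6828675.101010] iptables: IN= OUT=eth355 SRC=192.168.1.2 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11755 DF PROTO=TCP SPT=35740 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=0 GID=0
Oct 22 14:45:07 host4sx56 kernel: [6828681.202020] iptables: IN= OUT=eth355 SRC=192.168.1.2 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11756 DF PROTO=TCP SPT=35741 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 UID=33 GID=33
Oct 22 14:45:09 host4sx56 sshd[1234]: Accepted publickey for alice from 192.168.1.50 port 51234 ssh2
"""

# Fields converted to int when present and non-empty.
INT_FIELDS = {"UID", "GID", "SPT", "DPT", "LEN", "TTL", "ID"}


def parse_line(line):
    """Parse one syslog line written by the LOG rule.

    Returns a dict of the KEY=VALUE fields plus a 'flags' set for bare tokens
    (DF, SYN, ...), or None when the line is not an iptables log line.
    """
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    rec = {"flags": set()}
    for tok in line[idx + len(LOG_PREFIX):].split():
        key, sep, val = tok.partition("=")
        if not sep:                 # bare token such as DF or SYN
            rec["flags"].add(key)
            continue
        if key in INT_FIELDS and val:
            try:
                val = int(val)
            except ValueError:
                pass                # leave unexpected values as strings
        rec[key] = val              # IN= yields an empty string
    # UID/GID are only present for locally generated packets (OUTPUT chain);
    # a LOG rule on INPUT has no socket owner to report, so default to None.
    rec.setdefault("UID", None)
    rec.setdefault("GID", None)
    return rec


def connections(log_text):
    """Yield one parsed record per logged new TCP connection."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec.get("PROTO") == "TCP":
            yield rec


def summarize(log_text):
    """Count (UID, DST, DPT) triples: which user connected where, how often."""
    return Counter((r["UID"], r["DST"], r["DPT"]) for r in connections(log_text))


def unexpected(log_text, allowed_uids):
    """Return records whose socket owner is not in allowed_uids."""
    return [r for r in connections(log_text) if r["UID"] not in allowed_uids]


if __name__ == "__main__":
    for (uid, dst, dport), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"uid={uid} -> {dst}:{dport} x{n}")
    # Assumed policy for the demo: only uid 33 may open outbound HTTP(S).
    for r in unexpected(SAMPLE_LOG, allowed_uids={33}):
        print("unexpected:", r["UID"], r["DST"], r["DPT"])
```

On a real host, feed it the file rsyslog writes, e.g. summarize(open("/var/log/iptables.log").read()), and resolve the numeric UIDs with pwd.getpwuid on the same machine, since the numbers only mean something in that host's /etc/passwd.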