Configuring a custom log file for iptables
Solution 1
The problem is that there shouldn't be a space between - and /
Solution 2
This is an alternative approach using ulogd. I would suggest this mechanism as it stops the kernel logging mechanism -m LOG uses (which has the grievous side effect of filling your dmesg log as well).
First you'll need ulogd, which you can get with an apt-get install ulogd. Edit your /etc/ulogd.conf, enable this module (by removing the # at the start of the line):
plugin="/usr/lib/ulogd/ulogd_LOGEMU.so"
and change/add the section [LOGEMU]:
[LOGEMU]
file="/var/log/iptables.log"
sync=1
And then restart your ulogd with /etc/init.d/ulogd restart. Then instead of -j LOG use -j ULOG on your iptables rules. The ULOG module has no concept of --log-level so you can remove those options. It also uses --ulog-prefix instead of --log-prefix.
Solution 3
FYI: & ~ is deprecated in the new rsyslog, you should use stop instead.
/etc/rsyslog.d/10-iptables
# kernel LOG lines always carry both IN= and OUT= (one of them empty)
if ( $msg contains 'IN=' and $msg contains 'OUT=' )
then {
# same path as the logrotate stanza below, so rotation actually applies to it
/var/log/iptables.log
stop
}
/etc/logrotate.d/iptables
/var/log/iptables.log
{
rotate 30
daily
missingok
notifempty
delaycompress
postrotate
service rsyslog rotate > /dev/null
endscript
}
Note I set the prefix to 10- to catch it before it reaches the default rules (50-defaults).
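As an added example (not code from any answer on this page): the lines the question's --log-prefix rules produce, once rsyslog has written them to the file, parsed into a per-source drop count. The sample log lines are constructed, and matches_rsyslog_filter reproduces the IN=/OUT= test from the rsyslog snippet above so you can see which lines it routes.

```python
import re
from collections import Counter

# Constructed sample lines (not from the page) in the format produced by
# "-j LOG --log-prefix 'IPTables-INPUT-Dropped: '" after rsyslog writes them out.
SAMPLE_LOG = """\
Sep 18 10:01:02 host kernel: IPTables-INPUT-Dropped: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 SYN URGP=0
Sep 18 10:01:03 host kernel: IPTables-INPUT-Dropped: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=23 SYN URGP=0
Sep 18 10:01:04 host kernel: IPTables-OUTPUT-Dropped: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=60 TTL=64 ID=1 PROTO=UDP SPT=5353 DPT=5353
Sep 18 10:01:05 host kernel: IPTables-INPUT-Dropped: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=40 TTL=57 ID=0 DF PROTO=TCP SPT=51000 DPT=445 SYN URGP=0
Sep 18 10:01:06 host sshd[999]: Accepted publickey for alice from 198.51.100.4 port 51001 ssh2
"""

# Same test as the rsyslog filter: the kernel LOG target always emits both an
# IN= and an OUT= field (one of them empty), so this selects firewall lines only.
def matches_rsyslog_filter(line):
    return "IN=" in line and "OUT=" in line

PREFIX_RE = re.compile(r"IPTables-(?P<chain>INPUT|OUTPUT)-Dropped: (?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")  # LEN=40, OUT= (empty) ...; bare flags like DF/SYN are skipped

def parse_line(line):
    """Return {'chain': ..., 'SRC': ..., 'DPT': ...} for a firewall line, else None."""
    m = PREFIX_RE.search(line)
    if not m or not matches_rsyslog_filter(line):
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    fields["chain"] = m.group("chain")
    return fields

def drop_summary(log_text):
    """Count dropped packets per (chain, source address, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        counts[(f["chain"], f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts

def noisy_sources(log_text, threshold=2):
    """Sources whose INPUT drops reach the threshold; a starting point for alerting."""
    per_src = Counter()
    for (chain, src, _proto, _dpt), n in drop_summary(log_text).items():
        if chain == "INPUT":
            per_src[src] += n
    return {src: n for src, n in per_src.items() if n >= threshold}
```

Run drop_summary(open("/var/log/iptables.log").read()) against a real file; with the 5/min limit from the question's rules, the counts are a sample of drops, not a full tally.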
Solution 4
This can be possible using:
To disable iptables logs in syslog, do modification as below in /etc/rsyslog.d/50-default.conf:
*.*;auth,authpriv.none;kern.*=!kern.warning -/var/log/syslog
To log in a separate file, append:
kern.=warning -/var/log/iptables.log
then once restart syslog or rsyslog and tail the logs:
/etc/init.d/rsyslog restart
It works in syslog and rsyslog also.
The Illusive Man, updated on September 18, 2022
Comments
- The Illusive Man over 1 year: I'm trying to log dropped packages to a custom file instead of /var/log/messages. To achieve this, I have added these two lines at the end of my configuration file:
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-INPUT-Dropped: " --log-level 4
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-OUTPUT-Dropped: " --log-level 4
This works because I have configured the INPUT and OUTPUT chains as DROP by default, so if the package does not meet any previous rule, it will be logged and dropped.
However, I cannot log them to a custom file. They log successfully to /var/log/messages, but I want them to be logged on /var/log/iptables.log. I've created the file /etc/rsyslog.d/iptables.conf with the following content:
:msg, contains, "IPTables-INPUT-Dropped: " - /var/log/iptables.log
& ~
then I restarted rsyslog,
/etc/init.d/rsyslog restart
and sent some packages I knew were going to be dropped. However, they are not logged in iptables.log, they are still being logged on /var/log/messages. Which configuration is missing?
SOLVED The problem is that there shouldn't be a space between - and /
- goldilocks over 10 years: That should work (I use it). However, I have it in /etc/rsyslog.conf before other directives, so that the message gets dropped before anything else picks it up. Try that and kill -HUP `pidof rsyslogd`. Maybe lose the space at the end of the quoted string.
- The Illusive Man over 10 years: I've added the first line to rsyslog.conf but still it doesn't work.
- The Illusive Man over 10 years: it does not work.
- Drav Sloan over 10 years: Did you restart the ulogd after adding the entry? (/etc/init.d/ulogd restart as root)
- The Illusive Man over 10 years: yeah, of course. Actually it is ulogd2 rather than ulogd
- Drav Sloan over 10 years: ah you need another step, will add it to the answer.
- The Illusive Man over 10 years: Nope, it comes enabled by default.
- Drav Sloan over 10 years: That's definitely all that is needed for ULOG to work, are you sure some earlier rule is not stopping it reaching the -j ULOG line? I tend to put my ULOG rules with matching rules as the following -j DENY rule (where I want to log those DENYs of course).
- The Illusive Man over 10 years: I'm pretty sure, in fact they are being logged successfully on /var/log/messages if I don't use ulog. Using ulog, they are not (as you pointed out)
- Drav Sloan over 10 years: Very strange, I've just gone through that setup on a vanilla Debian install and it is working (denies logged to /var/log/iptables.log and dmesg saved from being spammed). Does moving the rule further up the ruleset make it log?
- Drav Sloan over 10 years: You might have missed this because I added it as an edit to my previous comment: Does moving the rule further up the ruleset (i.e. something like rule 1) make it log?
- The Illusive Man over 10 years: If I put it as rule #1, it will log everything, not just dropped packets. My setup is: INPUT/OUTPUT default to DROP -> then a couple of rules accepting some packets -> and finally the logging rules. This way, if a packet is not accepted by any rules, it will end up on the logging rule and then dropped.
- Drav Sloan over 10 years: Yeah makes sense, I'm just wondering if you have a rule in amongst your "couple of rules" that DROPs and so it's not getting as far as the -j ULOG.
- machineaddict almost 10 years: @Drav Sloan: your method works perfectly on Raspbian too