Configuring a custom log file for iptables


Solution 1

The problem is that there shouldn't be a space between - and /

Solution 2

This is an alternative approach using ulogd. I would suggest this mechanism as it stops the kernel logging mechanism -m LOG uses (which has the grievous side effect of filling your dmesg log as well).

First you'll need ulogd, which you can get with apt-get install ulogd. Edit your /etc/ulogd.conf and enable this module (by removing the # at the start of the line):

plugin="/usr/lib/ulogd/ulogd_LOGEMU.so"

and change/add the section [LOGEMU]:

[LOGEMU]
file="/var/log/iptables.log"
sync=1

And then restart your ulogd with /etc/init.d/ulogd restart. Then instead of -j LOG use -j ULOG on your iptables rules. The ULOG module has no concept of --log-level so you can remove those options. It also uses --ulog-prefix instead of --log-prefix.

Solution 3

FYI:

& ~ is deprecated in newer rsyslog; you should use stop instead.

/etc/rsyslog.d/10-iptables.conf

if ( $msg contains 'IN=' and $msg contains 'OUT=' )
then {
    /var/log/iptables.log
    stop
}

/etc/logrotate.d/iptables

/var/log/iptables.log
{
        rotate 30
        daily
        missingok
        notifempty
        delaycompress

        postrotate
                service rsyslog rotate > /dev/null
        endscript
}

Note I set the prefix to 10- so it is caught before it reaches the default rules (50-default).

Solution 4

This can be done as follows:

To disable iptables logs in syslog, modify /etc/rsyslog.d/50-default.conf as below:

# everything to syslog except auth/authpriv and the kern.warning level the LOG rules use
*.*;auth,authpriv.none;kern.!=warning             -/var/log/syslog

To log to a separate file, append:

kern.=warning -/var/log/iptables.log

then restart syslog or rsyslog and tail the logs:

/etc/init.d/rsyslog restart

It works in syslog and rsyslog too.
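As an added example, not part of any of the answers above: once the dropped packets land in a dedicated iptables.log (via the rsyslog filters of Solutions 3 and 4 or the ulogd setup of Solution 2), the next thing a practitioner wants is to read that file back. The parser below applies the same membership test as the Solution 3 filter (both IN= and OUT= present) to skip unrelated lines, splits a netfilter LOG line into its KEY=VALUE fields and bare flags, and summarises inbound drops per source address and destination port. The log lines embedded in it are constructed for this example using the IPTables-INPUT-Dropped: prefix from the question; the fourth line assumes the ulogd LOGEMU format (timestamp and host, no kernel: tag), which is an assumption rather than something the page states.

```python
"""Parse netfilter LOG/ULOG lines from a dedicated iptables log and summarise
dropped traffic.  Added example for this page; the sample lines below are
constructed, not captured from a real firewall."""
import re
import sys
from collections import Counter

# Everything before the first "IN=" token: an optional syslog timestamp and
# host, an optional "kernel:" tag (assumed absent in ulogd LOGEMU output),
# the kernel's optional "[secs.usecs]" stamp, then the --log-prefix text.
HEAD_RE = re.compile(
    r"^(?:(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+)?"
    r"(?:kernel:\s*)?(?:\[\s*\d+\.\d+\]\s*)?(?P<prefix>.*)$"
)

# Constructed sample: three rsyslog-formatted kernel lines, one ulogd-style
# line, and one unrelated rsyslogd message that must be ignored.
SAMPLE_LOG = """\
Mar  3 12:00:01 fw kernel: [12345.678901] IPTables-INPUT-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 12:00:02 fw kernel: [12346.123456] IPTables-INPUT-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 12:00:03 fw kernel: [12347.000000] IPTables-OUTPUT-Dropped: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=UDP SPT=51234 DPT=53 LEN=40
Mar  3 12:00:04 fw  IPTables-INPUT-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.20 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=9 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 12:00:05 fw rsyslogd:  [origin software="rsyslogd" swVersion="8.2001.0"] rsyslogd was HUPed
"""


def parse_line(line):
    """Return a dict for a netfilter LOG/ULOG line, or None for anything else.
    The membership test is the one the Solution 3 rsyslog filter uses: both
    'IN=' and 'OUT=' must appear in the message."""
    if "IN=" not in line or "OUT=" not in line:
        return None
    idx = line.index("IN=")
    head = HEAD_RE.match(line[:idx])
    fields, flags = {}, []
    for tok in line[idx:].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # UDP and ICMP lines repeat LEN= / ID= for the inner header;
            # keep the first (IP-header) value.
            fields.setdefault(key, val)
        else:
            flags.append(tok)  # valueless flags such as DF, SYN, ACK
    if fields.get("IN") and not fields.get("OUT"):
        direction = "input"
    elif fields.get("OUT") and not fields.get("IN"):
        direction = "output"
    else:
        direction = "forward"
    return {
        "timestamp": head.group("ts"),
        "host": head.group("host"),
        "prefix": head.group("prefix").strip(),
        "direction": direction,
        "fields": fields,
        "flags": flags,
    }


def summarize(lines):
    """Count inbound drops per source address and per (proto, dport)."""
    lines = list(lines)
    parsed = [p for p in map(parse_line, lines) if p is not None]
    inbound = [p for p in parsed if p["direction"] == "input"]
    return {
        "parsed": len(parsed),
        "skipped": len(lines) - len(parsed),
        "by_src": Counter(p["fields"].get("SRC") for p in inbound),
        "by_port": Counter(
            (p["fields"].get("PROTO"), p["fields"]["DPT"])
            for p in inbound if "DPT" in p["fields"]
        ),
    }


if __name__ == "__main__":
    # Usage: python iptables_log_summary.py [/var/log/iptables.log]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    result = summarize(lines)
    print(f"parsed {result['parsed']} netfilter lines, skipped {result['skipped']}")
    for src, n in result["by_src"].most_common(10):
        print(f"{n:6d}  SRC={src}")
    for (proto, dpt), n in result["by_port"].most_common(10):
        print(f"{n:6d}  {proto}/{dpt}")
```

Run it with no arguments to see the summary of the embedded sample, or point it at the real /var/log/iptables.log. Lines that are not netfilter output (the rsyslogd restart notice in the sample) are counted as skipped rather than breaking the run, and the ICMP line contributes to the per-source count but not to the per-port count because it has no DPT= field.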

Author by

The Illusive Man

Updated on September 18, 2022

Comments

  • The Illusive Man
    The Illusive Man over 1 year

    I'm trying to log dropped packages to a custom file instead of /var/log/messages.

    To achieve this, I have added these two lines at the end of my configuration file:

        -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-INPUT-Dropped: " --log-level 4
        -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-OUTPUT-Dropped: " --log-level 4
    

    This works because I have configured the INPUT and OUTPUT chains as DROP by default, so if the package does not meet any previous rule, it will be logged and dropped.

    However, I cannot log them to a custom file. They log successfully to /var/log/messages, but I want them to be logged to /var/log/iptables.log. I've created the file /etc/rsyslog.d/iptables.conf with the following content:

        :msg, contains, "IPTables-INPUT-Dropped: " - /var/log/iptables.log
        & ~
    

    then I restarted rsyslog, /etc/init.d/rsyslog restart, and sent some packages I knew were going to be dropped. However, they are not logged in iptables.log; they are still being logged on /var/log/messages.

    Which configuration is missing?

    SOLVED: The problem is that there shouldn't be a space between - and /

    • goldilocks
      goldilocks over 10 years
      That should work (I use it). However, I have it in /etc/rsyslog.conf before other directives, so that the message gets dropped before anything else picks it up. Try that and kill -HUP `pidof rsyslogd`. Maybe lose the space at the end of the quoted string.
    • The Illusive Man
      The Illusive Man over 10 years
      I've added the first line to rsyslog.conf but still it doesn't work
  • The Illusive Man
    The Illusive Man over 10 years
    it does not work.
  • Drav Sloan
    Drav Sloan over 10 years
    Did you restart the ulogd after adding the entry? (/etc/init.d/ulogd restart as root)
  • The Illusive Man
    The Illusive Man over 10 years
    yeah, of course. Actually it is ulogd2 rather than ulogd
  • Drav Sloan
    Drav Sloan over 10 years
    Ah, you need another step; will add it to the answer.
  • The Illusive Man
    The Illusive Man over 10 years
    Nop, it comes enabled by default.
  • Drav Sloan
    Drav Sloan over 10 years
    That's definitely all that is needed for ULOG to work, are you sure some earlier rule is not stopping it reaching the -j ULOG line? I tend to put my ULOG rules with matching rules as the following -j DENY rule (where I want to log those DENY's of course).
  • The Illusive Man
    The Illusive Man over 10 years
    I'm pretty sure, in fact they are being logged successful on /var/log/messages if I don't use ulog. Using ulog, they are not (as you pointed out)
  • Drav Sloan
    Drav Sloan over 10 years
    Very strange, I've just gone through that setup on a vanilla Debian install and it is working (denies logged to /var/log/iptables.log and dmesg saved from being spammed). Does moving the rule further up the ruleset make it log?
  • Drav Sloan
    Drav Sloan over 10 years
    You might have missed this because I added it as an edit to my previous comment: Does moving the rule further up the ruleset (i.e. something like rule 1) make it log?
  • The Illusive Man
    The Illusive Man over 10 years
    If I put it as rule #1, it will log everything, not just dropped packets. My setup is: INPUT/OUTPUT default to DROP -> then a couple of rules accepting some packets -> and finally the logging rules. This way, if a packet is not accepted by any rule, it will end up on the logging rule and then be dropped.
  • Drav Sloan
    Drav Sloan over 10 years
    Yeah, makes sense. I'm just wondering if you have a rule in amongst your "couple of rules" that DROPs, so it's not getting as far as the -j ULOG.
  • machineaddict
    machineaddict almost 10 years
    @Drav Sloan: your method works perfectly on Raspbian too