How to redirect kernel messages having the unique id substring into separate log file (using `rsyslog`)?
Solution 1
In addition to selector-based filtering, rsyslogd can filter on patterns found in log message properties. To accomplish what you are trying to do, you can create a property-based filter to match the string you are using in your iptables rules. If you were to use --log-prefix "unique_prefix: " in your iptables rule, you would need to add this to rsyslog.conf:
:msg,startswith,"unique_prefix" /var/log/iptables
This rule will test log messages for your prefix and send them to /var/log/iptables (in addition to wherever else rsyslog is configured to send them). If you need to have the messages appear in /var/log/iptables but not elsewhere, place the new rule above the others, and follow it with a line containing & ~. Complete example:
:msg,startswith,"unique_prefix" /var/log/iptables
& ~
#
# The rest of my rules appear below
# ...
*.info;mail.none;authpriv.none;cron.none /var/log/messages
Rsyslog rules can have multiple actions. Subsequent actions are defined on new lines beginning with an ampersand (&). In the example above, the first rule has two actions: send output to /var/log/iptables, and then discard the message (~). See the rsyslog docs on actions and filters for more information on the rules in this answer.
Edited to use startswith rather than contains for performance considerations, since the iptables --log-prefix is indeed a prefix and thus will be at the start of the message.
Solution 2
In my experience, given the nature of how the rsyslog.conf file is parsed, the additional configuration lines in /etc/rsyslog.conf must be before all other configuration lines. If added to the end of the file, the iptables logging will still be appended to /var/log/messages and also redirected to the /var/log/iptables.log file.
mbaitoff, updated on September 18, 2022
Comments
- mbaitoff over 1 year: I am using iptables's logging feature to debug my network activity. I use a certain prefix with the --log-prefix parameter to uniquely identify messages in the kernel log belonging to iptables output, for example ::IPT::LOG::. How can I configure rsyslog to redirect messages tagged that way into a separate log file? The man page for rsyslog looks too cryptic to me.
- mbaitoff almost 13 years: So in this case output will go to both log files? How can I also indeed redirect the messages, so they don't appear in syslog, but in iptables' log only?
- Eli Heady almost 13 years: Added a more complete example and information about rule actions.
- mbaitoff over 12 years: Well that was useful! I was wondering why I still have 'iptables' rubbish in the system log in addition to the dedicated log.
- mivk over 8 years: On my Debian (7 or 8) systems, the msg doesn't start with the log prefix. So I needed this regex instead:
:msg, regex, "^\[ *[0-9]*\.[0-9]*\] MyPrefix"
to match Jan 23 18:11:35 myhost kernel: [607552.301334] MyPrefix IN=...
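To make the routing behaviour in Solution 1 (a msg property filter followed by the & ~ discard action), the ordering problem in Solution 2 (the same rule appended after the catch-all line duplicates messages into /var/log/messages) and mivk's Debian observation (the kernel timestamp sits in front of the prefix, so startswith misses it and a regex is needed) concrete, here is an added example that is not from the original page or the rsyslog project: a small Python emulator of the rsyslog.conf subset used in this thread. It parses the rules in file order, applies selector and property filters to a few constructed kernel, mail and cron messages, and reports which file each message would land in. The sample log lines, the prefix name unique_prefix and the assumption that the msg property is the text after the syslog tag with no leading whitespace are all mine, not the page's.

```python
import re

# syslog priorities from lowest to highest; a selector priority means "that level or higher"
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed sample messages as (facility, priority, msg); not taken from the original page.
# The second kernel line carries the printk timestamp ahead of the --log-prefix text, the
# form mivk reported on Debian, where a plain startswith filter never fires.
SAMPLE_LOGS = [
    ("kern", "info", "unique_prefix: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP DPT=22"),
    ("kern", "info", "[607552.301334] unique_prefix: IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 PROTO=UDP DPT=53"),
    ("mail", "info", "postfix/smtpd[123]: connect from localhost"),
    ("cron", "info", "(root) CMD (run-parts /etc/cron.hourly)"),
]

# ':property, op, "value" action' where the quoted value may contain backslash-escaped characters
PROPERTY_RULE = re.compile(r'^:(\w+),\s*(\w+),\s*"((?:[^"\\]|\\.)*)"\s+(\S+)\s*$')


def property_matches(op, pattern, msg):
    """Emulate the msg-property compare operations that appear on this page."""
    if op == "startswith":
        return msg.startswith(pattern)
    if op == "contains":
        return pattern in msg
    if op == "regex":
        return re.search(pattern, msg) is not None
    raise ValueError(f"unsupported compare operation: {op}")


def selector_matches(selector, facility, priority):
    """Classic 'fac.pri;fac.none' selector: '*' is any facility, 'none' excludes one, later parts win."""
    matched = False
    for part in selector.split(";"):
        fac, pri = part.split(".")
        if fac not in ("*", facility):
            continue
        if pri == "none":
            matched = False
        elif PRIORITIES.index(priority) >= PRIORITIES.index(pri):
            matched = True
    return matched


def parse_rules(conf_text):
    """Parse the rsyslog.conf subset used on this page into (filter, [actions]) pairs, in file order."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("&"):
            # an '&' line adds another action to the rule defined just above it
            rules[-1][1].append(line[1:].strip())
        elif line.startswith(":"):
            prop, op, pattern, action = PROPERTY_RULE.match(line).groups()
            rules.append((("property", (prop, op, pattern)), [action]))
        else:
            selector, action = line.split()
            rules.append((("selector", selector), [action]))
    return rules


def route(rules, logs):
    """Run each message through the rules in order; the '~' action discards it and stops processing."""
    delivered = {}
    for facility, priority, msg in logs:
        for (kind, spec), actions in rules:
            if kind == "property":
                prop, op, pattern = spec
                if prop != "msg" or not property_matches(op, pattern, msg):
                    continue
            elif not selector_matches(spec, facility, priority):
                continue
            discarded = False
            for action in actions:
                if action == "~":
                    discarded = True
                    break
                delivered.setdefault(action, []).append(msg)
            if discarded:
                break
    return delivered


# Solution 1's complete example: filter rule first, discard, then the catch-all line.
CONF_FILTER_FIRST = r"""
:msg,startswith,"unique_prefix" /var/log/iptables
& ~
*.info;mail.none;authpriv.none;cron.none /var/log/messages
"""

# The ordering Solution 2 warns about: the same rule appended after the catch-all line.
CONF_FILTER_LAST = r"""
*.info;mail.none;authpriv.none;cron.none /var/log/messages
:msg,startswith,"unique_prefix" /var/log/iptables
& ~
"""

# mivk's Debian regex (prefix name adapted to the constructed sample), skipping the timestamp.
CONF_DEBIAN_REGEX = r"""
:msg, regex, "^\[ *[0-9]*\.[0-9]*\] unique_prefix" /var/log/iptables
& ~
*.info;mail.none;authpriv.none;cron.none /var/log/messages
"""


def deliveries_for(conf_text, logs=SAMPLE_LOGS):
    """Return {destination: [msg, ...]} for a config text applied to the sample messages."""
    return route(parse_rules(conf_text), logs)


if __name__ == "__main__":
    for name, conf in (("filter first", CONF_FILTER_FIRST), ("filter last", CONF_FILTER_LAST),
                       ("debian regex", CONF_DEBIAN_REGEX)):
        print(f"== {name} ==")
        for dest, msgs in sorted(deliveries_for(conf).items()):
            print(f"  {dest}: {len(msgs)} message(s)")
```

With the filter first, the plain kernel line goes only to /var/log/iptables while the timestamped Debian line falls through to /var/log/messages; with the filter last, the plain line lands in both files, which is exactly the duplication Solution 2 describes; with mivk's regex the timestamped line is routed and discarded correctly, but the plain form is no longer caught, so on a host that emits both forms the bracketed group would need to be made optional.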