How to redirect kernel messages having the unique id substring into separate log file (using `rsyslog`)?

Solution 1

In addition to selector-based filtering, rsyslogd can filter on patterns found in log message properties. To accomplish what you are trying to do, you can create a property-based filter to match the string you are using in your iptables rules. If you were to use --log-prefix "unique_prefix: " in your iptables rule, you would need to add this to rsyslog.conf:

:msg,startswith,"unique_prefix" /var/log/iptables

This rule will test log messages for your prefix and send them to /var/log/iptables (in addition to wherever else rsyslog is configured to send them). If you need to have the messages appear in /var/log/iptables but not elsewhere, place the new rule above others, and follow it with a line containing & ~. Complete example:

:msg,startswith,"unique_prefix" /var/log/iptables
& ~
#
# The rest of my rules appear below
# ...
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

Rsyslog rules can have multiple actions. Subsequent actions are defined on new lines beginning with an ampersand (&). In the example above, the first rule has two actions: send output to /var/log/iptables, and then discard the message (~). See the rsyslog docs on actions and filters for more information on the rules in this answer.

Edited to use startswith rather than contains for performance considerations, since the iptables --log-prefix is indeed a prefix and thus will be at the start of the message.

Solution 2

In my experience, given the nature of how the rsyslog.conf file is parsed, the additional configuration lines in /etc/rsyslog.conf must be before all other configuration lines. If added to the end of the file, the iptables logging will still be appended to /var/log/messages and also redirected to the /var/log/iptables.log file.

Author: mbaitoff

Updated on September 18, 2022

Comments

  • mbaitoff
    mbaitoff over 1 year

    I am using iptables's logging feature to debug my network activity. I use a certain prefix with the --log-prefix parameter to uniquely identify messages in the kernel log belonging to iptables output, for example ::IPT::LOG::.

    How can I configure rsyslog to redirect messages tagged that way into a separate log file? The man page for rsyslog looks too cryptic to me.

  • mbaitoff
    mbaitoff almost 13 years
    So in this case output will go to both log files? How can I also indeed redirect the messages, so they don't appear in syslog, but in iptables' log only?
  • Eli Heady
    Eli Heady almost 13 years
    Added more complete example and information about rule actions
  • mbaitoff
    mbaitoff over 12 years
    Well that was useful! I was wondering why I still have 'iptables' rubbish in system log in addition to dedicated log.
  • mivk
    mivk over 8 years
    On my Debian (7 or 8) systems, the msg doesn't start with the log prefix. So I needed this regex instead: :msg, regex, "^\[ *[0-9]*\.[0-9]*\] MyPrefix" to match Jan 23 18:11:35 myhost kernel: [607552.301334] MyPrefix IN=...
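As an added example, not part of the original answers or comments, here is a small Python model of how rsyslogd walks these rules in order, run over constructed sample messages. It assumes the msg property for kernel lines is the text after "kernel: " and reduces the *.info;mail.none;... selector to a facility check; it shows the effect of rule order (Solution 2) and why the Debian timestamp prefix defeats startswith (mivk's comment).

```python
import re
# Constructed sample messages, not real captures: (facility.severity, msg property).
# Assumption: for kernel lines the msg property is the text after "kernel: ".
SAMPLES = [
    ("kern.warning", "unique_prefix: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7"),
    ("kern.warning", "[607552.301334] unique_prefix: IN=eth0 OUT= SRC=203.0.113.5"),
    ("kern.info", "eth0: link up"),
    ("mail.info", "connect from localhost"),
]

def msg_filter(op, value):
    """Predicate approximating rsyslog's :msg,<op>,"value" property filter."""
    if op == "startswith":
        return lambda m: m[1].startswith(value)
    if op == "contains":
        return lambda m: value in m[1]
    if op == "regex":
        rx = re.compile(value)
        return lambda m: rx.search(m[1]) is not None
    raise ValueError("unsupported filter op: " + op)

def facility_not(*excluded):
    """Simplified '*.info;mail.none;...' selector: facility only, severity ignored."""
    return lambda m: m[0].split(".")[0] not in excluded

def route(rules, message):
    """Walk rules in order as rsyslogd does and return the files written to.
    A '~' action (written '& ~' on its own line) discards the message early."""
    files = []
    for pred, actions in rules:
        if not pred(message):
            continue
        for act in actions:
            if act == "~":
                return files
            files.append(act)
    return files

IPT_RULE = (msg_filter("startswith", "unique_prefix"), ["/var/log/iptables", "~"])
CATCHALL = (facility_not("mail", "authpriv", "cron"), ["/var/log/messages"])
GOOD = [IPT_RULE, CATCHALL]   # the answer's complete example: filter placed first
LATE = [CATCHALL, IPT_RULE]   # filter appended at the end of rsyslog.conf instead
DEBIAN = [(msg_filter("regex", r"^\[ *[0-9]*\.[0-9]*\] unique_prefix"),
           ["/var/log/iptables", "~"]), CATCHALL]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("LATE", LATE), ("DEBIAN", DEBIAN)):
        for sample in SAMPLES:
            print(name, repr(sample[1][:30]), "->", route(rules, sample) or "discarded")
```

With GOOD the prefixed message lands only in /var/log/iptables, with LATE it is written to /var/log/messages first, and the timestamped Debian-style line is only caught by the regex rule.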