Remove Iptables log from kern.log syslog messages
Solution 1
I'm not sure where the & ~ comes from, but at least the following should perform what you want:
# Iptables
:msg,contains,"IPT IN/DP: " -/var/log/iptables.log
:msg,contains,"IPT6 IN/DP: " -/var/log/iptables.log
:msg,contains,"IPT IN/DP: " ~
:msg,contains,"IPT6 IN/DP: " ~
Maybe not most elegant, but a similar config seems to work for me.
Solution 2
Do you have an example iptables rule you can post? You know that iptables can set the --log-level or a --log-prefix, both of which you can use to filter messages to a specific log file.
By default iptables stuff is going to be directed to kern.info. If you aren't using any options to set an alternate level, you can update your config for syslog to this.
*.*;auth,authpriv.none;\
kern.!info -/var/log/syslog
You could do a similar thing for kern.log, but keep in mind that this will also redirect other kern.info messages, not just iptables. So maybe something like this would meet your needs? The kern_info.log will probably be 99.9% iptables logs.
kern.*;kern.!info -/var/log/kern.log
kern.info -/var/log/kern_info.log
I have read that rsyslog has some pretty advanced filtering though. So you could probably set a --log-prefix and do some advanced filtering with that instead of just using the service/severity for filtering.
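To make the two approaches concrete, here is a small evaluator of the legacy rsyslog.conf rule syntax that both answers use. It is an added illustration, not part of the question, either answer, or rsyslog itself: it models the facility.priority selectors of Solution 2 and the :msg,contains property filters, the & continuation and the ~ discard of Solution 1, then routes constructed sample messages through the question's own rule layout, Solution 1's layout and Solution 2's kern split, returning the list of files each message reaches. Every name in it (Msg, parse_selector, parse_rules, route, the *_CONF constants), the sample log texts and the documentation-range addresses inside them are assumptions made up for the example. The question's LOG rule uses level 4, which is syslog severity warning, so the sample firewall lines carry that severity.

```python
"""Toy evaluator for the legacy rsyslog.conf rule syntax used in both answers.
Constructed model, not rsyslog's parser: it covers 'facility.priority' selectors
('*', 'none', '=level', '!level', ',' and ';' lists), ':msg,contains,"..."'
filters, the '&' continuation line and the '~' discard action."""
from collections import namedtuple

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]  # levels 0..7
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "cron", "authpriv"]
Msg = namedtuple("Msg", "facility severity text")  # text is the MSG part, rsyslog's %msg%

def parse_selector(selector):
    """Map each facility to the severities a 'fac.pri;fac,fac.pri' selector accepts.
    sysklogd semantics: 'level' adds that level and all more important ones, '!level'
    removes them, '=level' adds one level, 'none' clears, '*' selects every level."""
    table = {fac: set() for fac in FACILITIES}
    for part in selector.split(";"):
        facs, pri = part.rsplit(".", 1)
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if pri == "*":
                table[fac] = set(SEVERITIES)
            elif pri == "none":
                table[fac] = set()
            elif pri.startswith("!="):
                table[fac].discard(pri[2:])
            elif pri.startswith("="):
                table[fac].add(pri[1:])
            elif pri.startswith("!"):
                table[fac] -= set(SEVERITIES[: SEVERITIES.index(pri[1:]) + 1])
            else:
                table[fac] |= set(SEVERITIES[: SEVERITIES.index(pri) + 1])
    return table

def parse_rules(config):
    """Turn config text into an ordered list of (matcher, action) pairs."""
    rules, last_matcher = [], None
    for raw in config.replace("\\\n", "").splitlines():  # join '\' continuation lines
        line = raw.split("#", 1)[0].strip()              # drop comments and blank lines
        if not line:
            continue
        filt, action = line.rsplit(None, 1)              # the action is the last token
        if filt == "&":                                   # '&' reuses the previous filter
            matcher = last_matcher
        elif filt.startswith(":msg,contains,"):
            needle = filt[len(":msg,contains,"):].strip('"')
            matcher = lambda m, n=needle: n in m.text
        else:
            matcher = lambda m, t=parse_selector(filt): m.severity in t.get(m.facility, set())
        last_matcher = matcher
        rules.append((matcher, action))
    return rules

def route(config, msg):
    """Files the message is written to, in rule order; a matching '~' stops processing."""
    files = []
    for matcher, action in parse_rules(config):
        if matcher(msg):
            if action == "~":
                break
            files.append(action.lstrip("-"))  # '-' is rsyslog's async-write flag
    return files

# Constructed sample messages; the question's LOG rule uses 'level 4' = syslog 'warning'.
IPT4 = Msg("kern", "warning", "IPT IN/DP: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=23")
IPT6 = Msg("kern", "warning", "IPT6 IN/DP: IN=eth0 SRC=2001:db8::7 DST=2001:db8::10 PROTO=TCP DPT=23")
LINK = Msg("kern", "info", "e1000e: eth0 NIC Link is Up 1000 Mbps")
DBG = Msg("kern", "debug", "usb 1-1: new device found")
SSHD = Msg("auth", "info", "sshd[4242]: Accepted publickey for alice from 203.0.113.5")

STANDARD_FILES = """
auth,authpriv.*        /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
kern.*                 -/var/log/kern.log
"""
# The question's layout: '&' continues only the previous selector, so just the IPT6
# lines are discarded and the IPT lines still reach syslog and kern.log.
QUESTION_CONF = (':msg,contains,"IPT IN/DP: "  -/var/log/iptables.log\n'
                 ':msg,contains,"IPT6 IN/DP: " -/var/log/iptables.log\n'
                 '& ~\n') + STANDARD_FILES
# Solution 1: one '~' discard per selector, placed before the standard files.
SOLUTION1_CONF = (':msg,contains,"IPT IN/DP: "  -/var/log/iptables.log\n'
                  ':msg,contains,"IPT6 IN/DP: " -/var/log/iptables.log\n'
                  ':msg,contains,"IPT IN/DP: "  ~\n'
                  ':msg,contains,"IPT6 IN/DP: " ~\n') + STANDARD_FILES
# Solution 2: split kern by severity instead of by message text.
SOLUTION2_CONF = """
*.*;auth,authpriv.none;\\
kern.!info             -/var/log/syslog
kern.*;kern.!info      -/var/log/kern.log
kern.info              -/var/log/kern_info.log
"""

if __name__ == "__main__":
    for name, conf in ("question", QUESTION_CONF), ("solution 1", SOLUTION1_CONF), ("solution 2", SOLUTION2_CONF):
        for m in (IPT4, IPT6, LINK, DBG, SSHD):
            print(f"{name:11}{m.facility}.{m.severity:8}{m.text[:20]!r:24}-> {route(conf, m)}")
```

Running it prints one routing row per config and message. The rows worth comparing are the question's layout, where the IPT line still lands in syslog and kern.log because & only continues the IPT6 selector, against Solution 1, where both prefixes stop at iptables.log; Solution 2's split sends the warning-level firewall lines (and any other kern.info-or-higher message) to kern_info.log and leaves only kern.debug in kern.log. Real rsyslog additionally accepts the newer RainerScript syntax and many more property comparisons, so validate an actual file with rsyslogd -N1 rather than with this model.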
user200790
Updated on September 18, 2022
Comments
-
user200790 over 1 year
I'm having trouble with Iptables logs, I'm not able to get them out from kern.log, syslog and message files.
I added two rules in rsyslog.conf which redirect my messages to an "iptables.log" file but logs are also present in kern logs.
Here is my rsyslog.conf :
###############
#### RULES ####
###############
# Iptables
:msg,contains,"IPT IN/DP: " -/var/log/iptables.log
:msg,contains,"IPT6 IN/DP: " -/var/log/iptables.log
& ~
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none,cron.none -/var/log/syslog
cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
#(some other rules ....)
mail,news.none -/var/log/messages
How can I log iptables dropped packets only in iptables.log and not in the kern.log files?
-
Zoredache over 10 years
Do you have an example iptables rule you can post? You know that iptables can set the --log-level or a --log-prefix, both of which you can use to filter messages to a specific log file.
-
user200790 over 10 years
My rule looks like this (I have a second one in the ipv6 table with the IPT6 IN/DP prefix):
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 4 prefix "IPT IN/DP: "
DROP all -- 0.0.0.0/0 0.0.0.0/0
-
Alberto Spelta about 10 years
According to the rsyslog man page the line "& ~" says to delete the previous message, otherwise it would be logged in kern.log and other kernel logging files.
-
zagrimsan about 10 years
@AlbertoSpelta I don't spot anything mentioning & in the man page of rsyslog.conf in Debian 7.4... OTOH *.* ~ is mentioned to discard everything.