Remove Iptables log from kern.log syslog messages

Solution 1

I'm not sure where the & ~ comes from, but at least the following should perform what you want:

# Iptables
:msg,contains,"IPT IN/DP: " -/var/log/iptables.log
:msg,contains,"IPT6 IN/DP: " -/var/log/iptables.log
:msg,contains,"IPT IN/DP: " ~
:msg,contains,"IPT6 IN/DP: " ~

Maybe not the most elegant, but a similar config seems to work for me.

Solution 2

Do you have an example iptables rule you can post? You know that iptables can set the --log-level or a --log-prefix, both of which you can use to filter messages to a specific log file.

By default iptables stuff is going to be directed to kern.info. If you aren't using any options to set an alternate level, you can update your config for syslog to this.

*.*;auth,authpriv.none;\
        kern.!info              -/var/log/syslog

You could do a similar thing for kern.log, but keep in mind that this will also redirect other kern.info messages, not just iptables. So maybe something like this would meet your needs? The kern_info.log will probably be 99.9% iptables logs.

 kern.*;kern.!info              -/var/log/kern.log
 kern.info                      -/var/log/kern_info.log

I have read that rsyslog has some pretty advanced filtering though. So you could probably set a --log-prefix and do some advanced filtering with that instead of just using the service/severity for filtering.
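To see what each of these rule sets actually does to a message, here is a small evaluator for the legacy rsyslog rule syntax used in Solution 1, Solution 2 and the question's rsyslog.conf. It is an added example, not code from the answers or from rsyslog itself, and it models only the constructs that appear on this page: facility.priority selectors with the "*", "none", "=", "!" and "!=" modifiers, ":msg,contains" property filters, "&", "~" and backslash line continuation. The semantics follow the sysklogd/rsyslog documentation, where a plain priority means that priority and everything more severe, and "!prio" removes that priority and everything more severe. The sample messages are constructed; the iptables ones are facility kern at level 4 (warning), as in the LOG rule quoted in the comments. Running it shows why the question's "& ~" only stops the IPT6 messages (the "&" repeats the previous filter, so the IPv4 prefix still reaches syslog and kern.log), that Solution 1's explicit discards keep both prefixes out of the other files, and that Solution 2's "kern.!info" diverts every kernel message of info severity or higher, the warning-level iptables lines and err-level kernel errors included, so only kern.debug stays in kern.log:

```python
"""Evaluator for the rsyslog legacy rule syntax on this page (added example)."""
import re
from collections import defaultdict

# Most to least severe; rsyslog's "this priority and higher" means this index and lower.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SELECTOR_RE = re.compile(r"([\w*]+(?:,[\w*]+)*)\.([!=]*[\w*]+)")  # fac[,fac].prio entries
PROP_RE = re.compile(r'^:msg,contains,"([^"]*)"\s+(\S+)$')        # the only property filter modelled


def selector_matches(selector, facility, priority):
    """Evaluate a '*.*;auth,authpriv.none;kern.!info' selector like the sysklogd bitmask:
    a plain priority adds it and everything more severe, '=' adds exactly one, '!' removes
    it and everything more severe, '!=' removes one, 'none' clears the facility, and later
    entries (',' or ';' separated) override earlier ones for the facilities they name."""
    accepted = set()
    for facs, prio in SELECTOR_RE.findall(selector):
        if facs != "*" and facility not in facs.split(","):
            continue
        if prio == "*":
            accepted = set(range(len(PRIORITIES)))
        elif prio == "none":
            accepted = set()
        elif prio.startswith("!="):
            accepted.discard(PRIORITIES.index(prio[2:]))
        elif prio.startswith("!"):
            accepted -= set(range(PRIORITIES.index(prio[1:]) + 1))
        elif prio.startswith("="):
            accepted.add(PRIORITIES.index(prio[1:]))
        else:
            accepted |= set(range(PRIORITIES.index(prio) + 1))
    return PRIORITIES.index(priority) in accepted


def parse_rules(config):
    """Turn config text into [(filter, action)]; '&' reuses the previous line's filter."""
    rules, pending, last_filter = [], "", None
    for raw in config.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # a trailing backslash continues the rule on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        m = PROP_RE.match(line)
        if m:
            text, action = m.groups()
            flt = lambda msg, t=text: t in msg["msg"]
        elif line.startswith("&"):
            flt, action = last_filter, line[1:].strip()
        else:
            selector, action = line.split()
            flt = lambda msg, s=selector: selector_matches(s, msg["facility"], msg["priority"])
        rules.append((flt, action))
        last_filter = flt
    return rules


def route(config, messages):
    """Run each message through the rules in order and return {file: [message ids]}.
    '~' discards the message; a leading '-' on a file name only asks for buffered writes."""
    files = defaultdict(list)
    rules = parse_rules(config)
    for msg in messages:
        for flt, action in rules:
            if not flt(msg):
                continue
            if action == "~":
                break
            files[action.lstrip("-")].append(msg["id"])
    return dict(files)


# Constructed sample messages, not real captures. The iptables ones are facility kern
# at level 4 (warning), as in the LOG rule quoted in the comments below.
MESSAGES = [{"id": i, "facility": f, "priority": p, "msg": m} for i, f, p, m in [
    ("ipt4", "kern", "warning", "IPT IN/DP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP DPT=23"),
    ("ipt6", "kern", "warning", "IPT6 IN/DP: IN=eth0 OUT= SRC=2001:db8::10 DST=2001:db8::1 PROTO=TCP DPT=23"),
    ("usb", "kern", "info", "usb 1-1: new high-speed USB device number 2"),
    ("oops", "kern", "err", "EXT4-fs error (device sda1): bad block"),
    ("dbg", "kern", "debug", "random: crng init done"),
    ("sshd", "auth", "info", "Accepted publickey for alice"),
]]
ORIGINAL = """
:msg,contains,"IPT IN/DP: " -/var/log/iptables.log
:msg,contains,"IPT6 IN/DP: " -/var/log/iptables.log
& ~
*.*;auth,authpriv.none,cron.none -/var/log/syslog
kern.* -/var/log/kern.log
"""
SOLUTION_1 = ORIGINAL.replace("& ~\n", ':msg,contains,"IPT IN/DP: " ~\n:msg,contains,"IPT6 IN/DP: " ~\n')
SOLUTION_2 = r"""
*.*;auth,authpriv.none;\
    kern.!info -/var/log/syslog
kern.*;kern.!info -/var/log/kern.log
kern.info -/var/log/kern_info.log
"""

if __name__ == "__main__":
    for name, cfg in ("original", ORIGINAL), ("solution 1", SOLUTION_1), ("solution 2", SOLUTION_2):
        print(name, route(cfg, MESSAGES))
```

Run it directly to print the three routings. It is a model of the documented semantics, not rsyslog itself, so validate a real change with rsyslogd -N1 and by watching the target files; note also that the "&" line only ever repeats the filter immediately above it, and that newer rsyslog versions spell the discard action "stop", with "~" kept as a deprecated alias.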

Author: user200790

Updated on September 18, 2022

Comments

  • user200790
    user200790 over 1 year

    I'm having trouble with iptables logs; I'm not able to get them out of the kern.log, syslog and messages files.

    I added two rules in rsyslog.conf which redirect my messages to an "iptables.log" file but logs are also present in kern logs.

    Here is my rsyslog.conf:

    ###############
    #### RULES ####
    ###############
    
    # Iptables
    :msg,contains,"IPT IN/DP: " -/var/log/iptables.log
    :msg,contains,"IPT6 IN/DP: " -/var/log/iptables.log
    & ~
    
    
    #
    # First some standard log files.  Log by facility.
    #
    auth,authpriv.*                 /var/log/auth.log
    *.*;auth,authpriv.none,cron.none                -/var/log/syslog
    cron.*                          /var/log/cron.log
    daemon.*                        -/var/log/daemon.log
    kern.*                          -/var/log/kern.log
    lpr.*                           -/var/log/lpr.log
    mail.*                          -/var/log/mail.log
    user.*                          -/var/log/user.log
    
    #(some other rules ....)
    mail,news.none          -/var/log/messages
    

    How can I log iptables dropped packets only in iptables.log and not in the kern.log files?

    • Zoredache
      Zoredache over 10 years
      Do you have an example iptables rule you can post? You know that iptables can set the --log-level or a --log-prefix, both of which you can use to filter messages to a specific log file.
  • user200790
    user200790 over 10 years
    My rule looks like this (I have a second one in the ipv6 table with the IPT6 IN/DP prefix):
        LOG   all  --  0.0.0.0/0   0.0.0.0/0   limit: avg 5/min burst 5 LOG flags 0 level 4 prefix "IPT IN/DP: "
        DROP  all  --  0.0.0.0/0   0.0.0.0/0
  • Alberto Spelta
    Alberto Spelta about 10 years
    According to the rsyslog man page, the line "& ~" says to delete the previous message; otherwise it would be logged in kern.log and other kernel logging files.
  • zagrimsan
    zagrimsan about 10 years
    @AlbertoSpelta I don't spot anything mentioning & in the man page of rsyslog.conf in Debian 7.4... OTOH *.* ~ is mentioned to discard everything.