Original: http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-…
According to the man page:
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user defined chains.
By default, iptables log entries end up in /var/log/messages: the LOG target writes them to the kernel log buffer, and syslogd routes kernel messages to that file along with everything else. You can change this. This article shows how to send them to a separate file, /var/log/iptables.log, which makes it easier to build statistics and to analyze attacks without wading through unrelated messages.
Iptables default log file
For example, the following command displays the current iptables log entries, mixed in with everything else that goes to /var/log/messages:
# tail -f /var/log/messages
Output:
Oct 4 00:44:28 debian gconfd (vivek-4435): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Oct 4 01:14:19 debian kernel: IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=200.142.84.36 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18374 DF PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 4 00:13:55 debian kernel: IN=ra0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:de:55:0a:56:08:00 SRC=192.168.1.30 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=13461 PROTO=UDP SPT=137 DPT=137 LEN=58
Procedure to log the iptables messages to a different log file
Open your /etc/syslog.conf file:
# vi /etc/syslog.conf
Append the following line (selector and file name separated by spaces or tabs). Note that the selector kern.warning matches every kernel message at priority warning or more severe, not only the ones produced by iptables, so other kernel warnings will land in this file too; use kern.=warning if you want exactly that priority:
kern.warning /var/log/iptables.log
Save and close the file.
Restart syslogd. On Debian / Ubuntu Linux:
# /etc/init.d/sysklogd restart
On Red Hat / CentOS / Fedora Core Linux:
# /etc/init.d/syslog restart
Now make sure your LOG rules use --log-level 4 (warning), so that the kern.warning selector above matches them, and give them a --log-prefix so the entries are easy to tell apart from other kernel messages. For example:
# Log everything, then drop it
iptables -A INPUT -j LOG --log-level 4
iptables -A INPUT -j DROP
For example, to drop all connections from IP address 64.55.11.2 and log them (rate-limited, so a flood cannot fill the disk) to /var/log/iptables.log:
iptables -A INPUT -s 64.55.11.2 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "** HACKERS **" --log-level 4
iptables -A INPUT -s 64.55.11.2 -j DROP
Where,
- --log-level 4: the syslog priority of the entries; 4 is warning. This is also the LOG target's default, but passing it explicitly makes the pairing with the kern.warning selector in syslog.conf obvious.
- --log-prefix "*** TEXT ***": prefix each entry with TEXT, up to 29 characters; this is what lets you pick the entries from one rule out of the log.
You can now watch iptables messages arriving in /var/log/iptables.log:
# tail -f /var/log/iptables.log
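The following script is an added example, not code from the original article. It bundles the steps above into two shell functions: one that adds the rate-limited LOG + DROP pair for a source address (printed as a dry run unless APPLY=1, since iptables needs root and a real kernel; the run wrapper and the APPLY variable are this example's own convention), and one that reads the resulting syslog lines and counts hits per prefix, source address and destination port. The sample log lines are constructed for the example; the summary also handles the printk timestamp newer systems put after "kernel:", which the original article's logs do not show.

```shell
#!/bin/sh
# Added example, not code from the original article. Dry-run setup of a
# rate-limited LOG + DROP pair plus an awk reader for the resulting log
# lines. The sample log below is constructed for this example.

# Run the command, or only print it unless APPLY=1 (iptables needs root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf 'would run: %s\n' "$*"
    fi
}

# log_and_drop_rules SRC PREFIX
# Appends a LOG rule and a DROP rule for SRC to the INPUT chain. The LOG
# rule is rate-limited (5 entries a minute, burst of 7); packets beyond the
# limit skip the LOG rule and are still dropped by the second rule.
# --log-level 4 keeps the entries at warning priority, which the
# kern.warning selector in syslog.conf matches.
log_and_drop_rules() {
    src=$1
    prefix=$2
    # iptables rejects prefixes longer than 29 characters, so fail early.
    if [ "${#prefix}" -gt 29 ]; then
        printf 'log prefix "%s" is longer than 29 characters\n' "$prefix" >&2
        return 1
    fi
    run iptables -A INPUT -s "$src" -m limit --limit 5/m --limit-burst 7 \
        -j LOG --log-prefix "$prefix" --log-level 4
    run iptables -A INPUT -s "$src" -j DROP
}

# summarize_log < syslog-lines
# Keeps only kernel lines carrying an iptables packet dump (" IN=") and
# prints "prefix|SRC|PROTO/DPT|count", one line per distinct combination.
summarize_log() {
    awk '
        /kernel: / && / IN=/ {
            line = $0
            sub(/^.*kernel: /, " ", line)          # drop date, host, "kernel:"
            sub(/^ \[ *[0-9.]+\] /, " ", line)     # drop printk timestamp if any
            split(line, parts, / IN=/)             # text before IN= is the prefix
            prefix = parts[1]
            gsub(/^ +| +$/, "", prefix)
            if (prefix == "") prefix = "(none)"
            src = ""; proto = ""; dpt = ""
            n = split(line, kv, " ")
            for (i = 1; i <= n; i++) {
                if (kv[i] ~ /^SRC=/)        src   = substr(kv[i], 5)
                else if (kv[i] ~ /^PROTO=/) proto = substr(kv[i], 7)
                else if (kv[i] ~ /^DPT=/)   dpt   = substr(kv[i], 5)
            }
            count[prefix "|" src "|" proto "/" dpt]++
        }
        END { for (k in count) print k "|" count[k] }
    ' | LC_ALL=C sort
}

# Constructed sample: two entries in the article's format, three from the
# "** HACKERS **" rule (one with a printk timestamp), and two unrelated
# lines that must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
Oct  4 00:44:28 debian gconfd (vivek-4435): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Oct  4 01:14:19 debian kernel: IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=200.142.84.36 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18374 DF PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 00:13:55 debian kernel: IN=ra0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:de:55:0a:56:08:00 SRC=192.168.1.30 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=13461 PROTO=UDP SPT=137 DPT=137 LEN=58
Oct  4 02:00:01 debian kernel: ** HACKERS ** IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=64.55.11.2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=101 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 02:00:03 debian kernel: ** HACKERS ** IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=64.55.11.2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=102 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 02:00:05 debian kernel: [ 4242.000042] ** HACKERS ** IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=64.55.11.2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=103 DF PROTO=TCP SPT=51236 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 02:01:00 debian kernel: usb 1-1: device descriptor read/64, error -71
EOF
)

# Dry run of the rule set, then the summary of the sample log.
log_and_drop_rules 64.55.11.2 '** HACKERS **'
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

Run it as is to see the commands it would issue and the per-source summary; run it with APPLY=1 as root to actually install the rules. The summary output is the per-prefix, per-source, per-port count you would otherwise have to build by hand from tail -f, and the "(none)" prefix rows show why a --log-prefix is worth setting: without it, entries from different rules are indistinguishable.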
Tomorrow you will learn how to use this new log file to analyze logs.
Discussion on This Article:
- Paul Says: March 7th, 2007 at 12:54 am I have absolutely no idea what you are talking about when you get to this part:
“Now make sure you pass the log-level 4 option with log-prefix to iptables.”
What is a “log-level 4 option”? What is a “log-prefix”? Why do I want to do this?
This is a huge problem in the Linux community, and the main reason most people steer clear of Linux: the people with all the know-how talk over the heads of everyone else, and won’t explain what the reason for doing something is, it’s “just do it, because I said to”.
- Joel Says: March 19th, 2007 at 7:23 pm Question: If I was to add
kern.warning /var/log/iptables.log
to ‘/etc/syslog.conf’ as stated above, does it then append anything at the “warning” level in the file ‘/var/log/iptables.log’, regardless of whether or not it has to do with IPTables?
Thanks.
- Algol Says: March 19th, 2007 at 9:04 pm Paul,
I don’t think this article was written as a ’step-by-step-iptables-how-to’… So the author might assume some familiarity with iptables.
I invite you to read
http://www.linuxguruz.com/iptables/howto/iptables-HOWTO-6.html#ss6.3
Specially the section
“Extensions to iptables: New Targets”
There is the answer to your questions.
- sciron Says: June 1st, 2007 at 11:47 pm
“Now make sure you pass the log-level 4 option with log-prefix to iptables. For example:
# DROP everything and Log it
iptables -A INPUT -j LOG --log-level 4”
No, it is just that some of us can actually read. The rest should steer clear of Linux.
- Shaun P Says: September 18th, 2007 at 5:40 pm Just to let you all know. Even though you are setting this to log to /var/log/iptables.log, it still logs into /var/log/messages.
I am working on a fix for this.
- a.h.s. boy Says: November 9th, 2007 at 6:02 pm Shaun –
There is usually a syslog.conf rule that sends *.info to /var/log/messages
On my system (Fedora), it reads
*.info;mail.none;authpriv.none;cron.none /var/log/messages
I changed it to
*.info;kern.!=warning;mail.none;authpriv.none;cron.none /var/log/messages
and it stopped logging iptables stuff to the messages log.
Note, however, that it will now put ANY “warning” level kernel messages into the iptables.log