2

I'm having trouble with Iptables logs, i'm not able to get them out from kern.log, syslog and message files.

I added two rules in rsyslog.conf which redirect my messages to an "iptables.log" file but logs are also present in kern logs.

Here is my rsyslog.conf :

###############
#### RULES ####
###############

# Iptables
:msg,contains,"IPT IN/DP: " -/var/log/iptables.log
:msg,contains,"IPT6 IN/DP: " -/var/log/iptables.log
& ~


#
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none,cron.none                -/var/log/syslog
cron.*                          /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log

#(some other rules ....)
mail,news.none          -/var/log/messages

How can I do to log iptable dropped packet only in iptables.log and not in kern.log files?

faker
  • 17,496
  • 2
  • 60
  • 70
user200790
  • 23
  • 1
  • 1
  • 3
  • Do you have an example iptables rule you can post? You know that iptables can set the set the `--log-level` or a `--log-prefix` both of which you can use to filter messages to a specific log file. – Zoredache Nov 27 '13 at 20:21

2 Answers2

3

I'm not sure where the & ~ comes from, but at least the following should perform what you want:

# Iptables
:msg,contains,"IPT IN/DP: " -/var/log/iptables.log
:msg,contains,"IPT6 IN/DP: " -/var/log/iptables.log
:msg,contains,"IPT IN/DP: " ~
:msg,contains,"IPT6 IN/DP: " ~

Maybe not most elegant, but a similar config seems to work for me.

zagrimsan
  • 327
  • 3
  • 13
  • According to rsyslog man page the line "& ~" says to delete the previous message otherwise it would be logged in kern.log and other kernel logging files. – Alberto Spelta Apr 15 '14 at 22:12
  • @AlbertoSpelta I don't spot anything mentioning `&` in the man page of rsyslog.conf in Debian 7.4... OTOH `*.* ~` is mentioned to discard everything. – zagrimsan Apr 16 '14 at 03:00
2

Do you have an example iptables rule you can post? You know that iptables can set the set the --log-level or a --log-prefix both of which you can use to filter messages to a specific log file.

By default iptables stuff is going to be directed to kern.info. If you aren't using any options to set an alternate level you You can update your config for syslog to this.

*.*;auth,authpriv.none;\
        kern.!info              -/var/log/syslog

You could do a similar thing for kern.log, but keep in mind that this will also redirect other kern.info messages, not just iptables. So maybe something like this would meet your needs? The kern_info.log will probably be 99.9% iptables logs.

 kern.*;kern.!info              -/var/log/kern.log
 kern.info                      -/var/log/kern_info.log

I have read that rsyslog has some pretty advanced filtering though. So you could probably set a --log-prefix and do some advanced filtering with that instead of just using the service/severity for filtering.

Zoredache
  • 130,897
  • 41
  • 276
  • 420
  • My rule look like this (i have a second one in ipv6 table with the IPT6 IN/DP prefix) : `LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 4 prefix "IPT IN/DP: "` `DROP all -- 0.0.0.0/0 0.0.0.0/0` – user200790 Nov 27 '13 at 21:42