2

I'm currently trying to split out some of my IPTables logging from kern.log into a file called iptables.log. Basically, I have several different adapters and I'm logging requests to port 80 on each one. These rules are working and outputting fine to kern.log. Here's an example:

-A INPUT -d 192.168.100.10 -p tcp -m tcp --dport 80 -j LOG --log-prefix "[10010] REQUEST Port 80: " --log-level 7

I have done the following to try to split out what I want:

  • created an iptables.log file in /var/log that has 644 permissions
  • created an iptables.conf file in /etc/rsyslog.d/ with the following contents: :msg,contains,"[10010] REQUEST Port 80: " -/var/log/iptables.log
  • edited /etc/rsyslog.conf to contain the following line: kern.debug /var/log/iptables.log
  • restarted rsyslog: service rsyslog restart

Despite this, my "[10010]" stuff is still being written to the kern.log file instead of iptables.log.

Any help on this matter would be greatly appreciated.

tparrott
  • Try renaming `iptables.conf` to `11-iptables.conf`, and restart syslog. There might be other rsyslog filtering rules that got triggered before the `:msg,contains` rule you're using. Prepending `11-` should help your rule to start quite early. – pepoluan Aug 01 '14 at 14:47
  • No dice. For the record, the only other file in `/etc/rsyslog.d` is `50-Default.conf`. – tparrott Aug 01 '14 at 14:56
  • Hmmm... if you cut the match string to `"[10010]"`, does it work? – pepoluan Aug 01 '14 at 15:14
  • Or try `startswith` instead of `contains` – pepoluan Aug 01 '14 at 15:15
  • Changed statement to `:msg,startswith,"[10010] " -/var/log/iptables.log` and got nothing.... RAWR – tparrott Aug 01 '14 at 15:33
  • I feel your pain... last ditch suggestion: Try `:rawmsg,contains` instead of `:msg,contains` ... if this doesn't work, I give up. – pepoluan Aug 01 '14 at 15:37
  • Negative on that one too. Thanks so much for your help. I'm going to go self-immolate now. – tparrott Aug 01 '14 at 15:52

1 Answer

0

Finally got access to a testing Linux system.

Suddenly I remembered: rsyslogd writes syslogs as the syslog user, not as root. (Verified using `ps aux | grep [r]syslog`)

So, `chown syslog.syslog /var/log/iptables.log` should fix the problem.

(Solution tested and working on my system)

pepoluan
  • Glad it worked. I decided to not give up because (1) I once had the same problem, and (2) I solved it. But I did not remember exactly how I solved it, hence the several failed attempts in the Q's comments :) – pepoluan Aug 05 '14 at 15:31
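The two things that decided this thread were the rsyslog filter line from the question and the ownership check from the answer. The script below is an added example (not code from either poster) that puts them together: it generates the filter line, finds the account rsyslogd is actually running as, and checks from the owner, group and mode bits whether that account could write the target file. It goes slightly beyond the question by appending an `& stop` line so matched messages are not also written to kern.log; that syntax assumes rsyslog 7 or newer (older releases use `& ~`). The log-prefix, the `syslog` account name and the temporary file path used in the demo are assumptions taken from the thread, not facts about any particular system.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Assumes: rsyslog >= 7 for "& stop", procps-style "ps aux", and that the
# rsyslog daemon drops privileges to an unprivileged account (Debian/Ubuntu
# use "syslog", set by $PrivDropToUser in /etc/rsyslog.conf).

# Emit the /etc/rsyslog.d fragment for one LOG prefix. The leading "-" keeps
# the asynchronous (no fsync per line) write mode used in the question; the
# "& stop" line discards the matched message for later rules (kern.log).
iptables_rsyslog_rule() {
  printf ':msg,contains,"%s" -%s\n& stop\n' "$1" "$2"
}

# Account rsyslogd currently runs as, read from the process table the same
# way the answer did. Prints nothing if the daemon is not running.
rsyslog_user() {
  ps aux 2>/dev/null | awk '/[r]syslogd/ { print $1; exit }'
}

# Return 0 if USER could write FILE judged by classic owner/group/mode bits.
# Ignores POSIX ACLs and capabilities; root is always allowed.
file_writable_by_user() {
  f="$1"; u="$2"
  [ "$u" = root ] && return 0
  set -- $(ls -ld "$f")          # -rw-r--r-- 1 owner group size date name
  perms="$1"; owner="$3"; group="$4"
  ow=$(printf '%s' "$perms" | cut -c3)   # owner write bit
  gw=$(printf '%s' "$perms" | cut -c6)   # group write bit
  aw=$(printf '%s' "$perms" | cut -c9)   # other write bit
  [ "$aw" = w ] && return 0
  [ "$owner" = "$u" ] && [ "$ow" = w ] && return 0
  if [ "$gw" = w ]; then
    for g in $(id -Gn "$u" 2>/dev/null); do
      [ "$g" = "$group" ] && return 0
    done
  fi
  return 1
}

# Put the pieces together for one log file: print the rule, then report
# whether the running daemon's account can actually write the file.
check_iptables_log() {
  prefix="$1"; logfile="$2"
  echo "# fragment for /etc/rsyslog.d/11-iptables.conf"
  iptables_rsyslog_rule "$prefix" "$logfile"
  u=$(rsyslog_user)
  if [ -z "$u" ]; then
    echo "rsyslogd not running; cannot determine its account" >&2
    return 2
  fi
  if file_writable_by_user "$logfile" "$u"; then
    echo "ok: $logfile is writable by rsyslog account '$u'"
  else
    echo "problem: $logfile is NOT writable by '$u'; fix with: chown $u $logfile"
    return 1
  fi
}

# Demo on a constructed file: a 644 root-owned-style file is the situation
# from the question; this script only reports, it does not chown anything.
if [ "${0##*/}" = "check_iptables_log.sh" ]; then
  check_iptables_log '[10010] REQUEST Port 80: ' /var/log/iptables.log
fi
```

A quick confirmation that the account name is right before chowning anything is `grep -E '^\$PrivDropTo(User|Group)' /etc/rsyslog.conf`, since that directive, not the name of the log file, decides which account the daemon writes with.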