
I am trying to get rsyslog to log to the following custom log file

/var/log/iptables.conf

instead of syslog.
Iptables has logging enabled; here is an example log line output by iptables (taken from /var/log/syslog)

Apr 19 04:47:41 local-tester kernel: [221395.082051] iptables-denied: IN=eth1 OUT= MAC=01:00:5e:00:00:fb:00:80:92:87:56:b9:08:00 SRC=192.168.1.4 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=52488 PROTO=2

I have created a new rsyslog configuration file /etc/rsyslog.d/iptables.conf and entered in the following

# iptables logging
:msg, startswith, "iptables-denied: " /var/log/iptables.log

and restarted

sudo /etc/init.d/rsyslog restart

That didn't create the /var/log/iptables.log so I created that manually

Iptables log messages are still going to /var/log/syslog

Why am I still not getting any iptables log entries in custom log file: /var/log/iptables.log ?

Relevant info

OS is Ubuntu 14.04.

In case the pattern wasn't matching, I tried this config: *.* /var/log/iptables.log - still nothing

the_velour_fog

1 Answer


The messages aren't starting with iptables-denied: because [221395.082051] is actually part of the message. The kernel can be configured to produce log messages with or without a time stamp indicating how many seconds after boot a particular message was produced.

Once the message reaches syslog there is no longer any knowledge of the structure of the messages. It is just one long string, which happens to start with a number in square brackets.

If you want to match on the contents of those strings, you should perform the matching in a way that works the same regardless of whether the kernel produces messages with or without the time stamp, so that your matching keeps working even if that setting is changed.

kasperd