0

I am trying to redirect iptables log to another file. Based upon my reading on the net, I did the following:

In my iptables rule, I have rules like:

iptables -A INPUT -s ... -j LOG --log-prefix "iptables@@"

Then in the folder /etc/rsyslog.d, I created a file with the entries:

:msg,contains,"iptables@@" /var/log/iptables.log
& ~

I also tried to have a blank line between the above two lines. I do get the iptables log entries now going to the iptables.log file. But they ALSO go to the /var/log/kern.log file. I want to suppress the latter. How do I do this? I am running Ubuntu 14.04 LTS.

Sunny

2 Answers

1

When your /etc/rsyslog.conf loads your *.conf files in /etc/rsyslog.d, it reads your files alphabetically. So, you need to make sure that your rules are in a file that comes before 50-default.conf, like:

01-myiptablesrules.conf

This way, your rules will be read first and will discard it. You should also use this syntax:

:msg, contains, "iptables@@" {
  *.* /var/log/iptables.log
  stop
}

*You should use stop instead of ~

Or, if you don't have kern.* messages other than your iptables messages, you should modify 50-default.conf with:

kern.*            /var/log/iptables.log
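
Added example (not part of the original answers): a shell check for the ordering point made in the answer above, reporting whether the drop-in that holds the prefix filter is read before any file that writes to the given log and whether it ends with a discard. The function name, the file name iptables.conf and the sample directory are constructed for illustration; drop-ins are assumed to be read in C-locale sorted order and are judged per file, not per line.

```shell
#!/bin/sh
# Added example. check_prefix_order DIR PREFIX DEST prints one of:
#   ok | late | no-discard | missing
# DIR: rsyslog drop-in directory, PREFIX: the iptables --log-prefix string,
# DEST: the log file that should no longer receive those messages.
# Assumption: drop-ins are read in C-locale sorted order, judged per file.
check_prefix_order() (
    dir=$1 prefix=$2 dest=$3
    LC_ALL=C; export LC_ALL   # glob expansion below sorts bytewise
    filter_file='' dest_seen=0 late=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        active=$(grep -v '^[[:space:]]*#' "$f" || true)   # skip comments
        # Has a rule writing to DEST been read by this point?
        if printf '%s\n' "$active" | grep -qF -- "$dest"; then
            dest_seen=1
        fi
        if [ -z "$filter_file" ] &&
           printf '%s\n' "$active" | grep -qF -- "$prefix"; then
            filter_file=$f
            late=$dest_seen
        fi
    done
    if [ -z "$filter_file" ]; then echo missing; return; fi
    # The filter has to end processing with "stop" or the older "~".
    if ! grep -v '^[[:space:]]*#' "$filter_file" |
         grep -Eq '(^|[[:space:]])(stop|~)[[:space:]]*$'; then
        echo no-discard; return
    fi
    if [ "$late" -eq 1 ]; then echo late; else echo ok; fi
)

# Constructed sample: a filter file that sorts after 50-default.conf,
# then the same file renamed so that it sorts first.
demo=$(mktemp -d)
printf 'kern.*  -/var/log/kern.log\n' > "$demo/50-default.conf"
printf ':msg,contains,"iptables@@" /var/log/iptables.log\n& ~\n' > "$demo/iptables.conf"
check_prefix_order "$demo" 'iptables@@' /var/log/kern.log   # prints: late
mv "$demo/iptables.conf" "$demo/01-myiptablesrules.conf"
check_prefix_order "$demo" 'iptables@@' /var/log/kern.log   # prints: ok
rm -rf "$demo"
```
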
0

Is there a line in your rsyslog config files that prints the message to /var/log/kern.log? If so, post that code. Also post your rsyslog version number. In the meantime, this could work:

:msg,contains,"iptables@@"             /var/log/iptables.log
:msg,contains,"iptables@@"             ~

Though I believe once you do that second line, rsyslog will disregard all messages containing iptables@@ so it can't be logged elsewhere (after that line).

drewyupdrew