
I'm logging a lot with iptables and, to put my logs in a separate file, I have put a couple of rules in /etc/rsyslog.d/iptables.conf

# messages that begin with the "iptables: " log prefix go to the dedicated file
:msg, startswith, "iptables: " -/var/log/iptables.log
# "& ~" discards the message so it does not also reach kern.log, daemon.log, messages
& ~
# same, for messages where the kernel uptime stamp "[ 1234.567890] " precedes the prefix
:msg, regex, "^\[ *[0-9]*\.[0-9]*\] iptables: " -/var/log/iptables.log
& ~

This removes the logs from /var/log/{kern.log,daemon.log,messages}, but when I issue journalctl -xe all the iptables logs show up there, so what file does journalctl read from, and how can I remove the iptables logs from it?

methuselah-0

1 Answer


The issue is that when using LOG as the target in iptables, dmesg still gets filled up even when rsyslog deletes the messages from kern.log etc. journalctl -xe shows this dmesg text. It seems like using ulog is the only way:

apt-get install ulogd2

On Debian testing this auto-created a systemd unit file and a configuration file.

Then I used iptables rules like:

iptables -N LOG_DROP
# log at most 5 per minute (burst 10) through NFLOG group 0, which ulogd2 reads
iptables -A LOG_DROP -m limit --limit 5/m --limit-burst 10 -j NFLOG --nflog-group 0 --nflog-prefix "DROP "
# NFLOG is a non-terminating target: without this rule the chain logs but never drops
iptables -A LOG_DROP -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set -m comment --comment "Limit SSH IN" # add ip to recent list with --set.
# 10 or more NEW SSH attempts from one source within 60 s -> LOG_DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j LOG_DROP -m comment --comment "Limit SSH IN"

And voila, all logs are in the logfile at /var/log/ulog/syslogemu.log

methuselah-0
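The following Python is an added example, not code from the question or the answer. It parses LOG-target messages exactly the way the two rsyslog filters in the question select them (the bare "iptables: " prefix and the variant with a kernel uptime stamp in front), and then models the `-m recent --set` / `--update --seconds 60 --hitcount 10` rule pair from the answer over constructed sample lines, so you can see which packet is the first one the rules would send to LOG_DROP. Assumptions: LOG_DROP ends in a DROP rule, `--state NEW` is approximated as a TCP SYN without ACK, the recent module's default list length is not modelled, and the sample messages are constructed, not captured.

```python
import re
from collections import defaultdict

# Accept exactly what the two rsyslog filters in the question accept: the
# literal prefix "iptables: ", optionally preceded by the kernel's
# "[ seconds.micros] " uptime stamp as it appears in dmesg/journal output.
MSG_RE = re.compile(r'^(?:\[ *(?P<ts>[0-9]*\.[0-9]*)\] )?iptables: (?P<body>.*)$')
# KEY=VALUE pairs as emitted by the LOG target (OUT= may be empty).
FIELD_RE = re.compile(r'(?<!\S)([A-Z]+)=(\S*)')


def parse_log_line(msg):
    """Parse one LOG-target message.

    Returns None when neither rsyslog filter would have matched it, otherwise a
    dict of KEY=VALUE fields plus 'ts' (kernel uptime as float, or None when the
    line carried no stamp) and 'FLAGS' (bare tokens such as SYN, ACK, DF)."""
    m = MSG_RE.match(msg)
    if m is None:
        return None
    body = m.group('body')
    fields = dict(FIELD_RE.findall(body))
    fields['FLAGS'] = {tok for tok in body.split() if '=' not in tok}
    fields['ts'] = float(m.group('ts')) if m.group('ts') else None
    return fields


class RecentLimiter:
    """User-space model of the rule pair from the answer:
         -m recent --set                                   (record every NEW SYN)
         -m recent --update --seconds S --hitcount H -j LOG_DROP
    The recent module matches when the source has H or more recorded hits inside
    the last S seconds, the current packet included (it was just --set).
    Assumption: LOG_DROP ends in a DROP rule, so a match really drops."""

    def __init__(self, dport=22, seconds=60, hitcount=10):
        self.dport = str(dport)
        self.seconds = seconds
        self.hitcount = hitcount
        self.hits = defaultdict(list)  # SRC address -> timestamps of NEW SYNs

    def verdict(self, fields):
        """Return 'IGNORE' (rule pair does not apply), 'PASS' or 'DROP'."""
        if (fields is None or fields['ts'] is None
                or fields.get('PROTO') != 'TCP' or fields.get('DPT') != self.dport
                or 'SYN' not in fields['FLAGS'] or 'ACK' in fields['FLAGS']):
            return 'IGNORE'  # not a NEW connection attempt to the watched port
        src, now = fields['SRC'], fields['ts']
        recent = [t for t in self.hits[src] if now - t <= self.seconds]
        recent.append(now)  # --set runs before --update looks at the list
        self.hits[src] = recent
        return 'DROP' if len(recent) >= self.hitcount else 'PASS'


def run(lines, **limits):
    """Feed log messages through the model in order; returns one verdict per line."""
    limiter = RecentLimiter(**limits)
    return [limiter.verdict(parse_log_line(line)) for line in lines]


# Constructed sample messages (not real captures): ten SYNs to port 22 from one
# host inside a minute, an unrelated ACK, a non-iptables kernel line, and one
# more SYN from the same host after the 60 s window has expired.
SYN = ('[{ts:>12.6f}] iptables: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 '
       'SRC={src} DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4242 DF PROTO=TCP '
       'SPT={spt} DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0')
SAMPLE_LINES = (
    [SYN.format(ts=1000.0 + 5 * i, src='203.0.113.7', spt=40000 + i) for i in range(10)]
    + [SYN.format(ts=1050.0, src='203.0.113.7', spt=40010).replace(' SYN ', ' ACK ')]
    + ['kernel: random: crng init done']
    + [SYN.format(ts=1200.0, src='203.0.113.7', spt=40011)]
)

if __name__ == '__main__':
    for line, verdict in zip(SAMPLE_LINES, run(SAMPLE_LINES)):
        print(verdict, line[:60])
```

Running it shows the tenth SYN within the window as the first DROP, the ACK and the unrelated kernel line as IGNORE, and the late SYN as PASS again because all earlier hits have aged out of the 60 s window; the same parser can be pointed at /var/log/iptables.log lines once the syslog header is stripped down to the msg part.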