Re: how to log iptables
Gabriele Pongelli wrote:
> is it possible to save the log in different files?!?
> an example:
> iptables -A INPUT -p tcp -j LOG --log-prefix "---[LOGGED (INPUT)]:--- "
> save log to /var/log/iptables_input_tcp and
> iptables -A INPUT -p udp -j LOG --log-prefix "---[LOGGED (INPUT)]:--- "
> save log to /var/log/iptables_input_udp
It is possible, but not with iptables alone. The normal syslog daemon
can be configured to send log messages to different files based on
facility (iptables logs are always from the kernel) and level (iptables
defaults to warning, but this can be changed with the --log-level option).
To discriminate further you might want to try using syslog-ng instead,
which can apply a regular expression to match log messages and route
them appropriately. So you might have:
iptables -A INPUT -p tcp -j LOG --log-prefix "IPTABLES (INPUT TCP): "
iptables -A INPUT -p udp -j LOG --log-prefix "IPTABLES (INPUT UDP): "
And then in syslog-ng.conf:
# default source
source src { unix-dgram("/dev/log"); internal(); };

# match iptables logged packets (kernel facility plus the --log-prefix text)
filter iptables_tcp_filter {
    facility(kern) and match("IPTABLES \\(INPUT TCP\\): ");
};
filter iptables_udp_filter {
    facility(kern) and match("IPTABLES \\(INPUT UDP\\): ");
};

# places to put iptables logs
destination iptables_tcp_dest { file("/var/log/iptables_input_tcp"); };
destination iptables_udp_dest { file("/var/log/iptables_input_udp"); };

# bring it all together
log { source(src); filter(iptables_tcp_filter);
      destination(iptables_tcp_dest); };
log { source(src); filter(iptables_udp_filter);
      destination(iptables_udp_dest); };
I did this once myself and it worked OK; the above is untested and may
format /dev/hda1 for all I know. As someone noted in an earlier post,
iptables logging can easily create huge logfiles. If all you are
interested in is the connections and not every packet, you should be
able to log just the packets starting each connection by inserting the
following options into the lines invoking iptables above:
-m state --state NEW
I hope this helps,
Andy Kirkpatrick
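The routing described in the reply above, worked through as an added example that is not part of the original thread or of syslog-ng: a small Python script that applies the same prefix match and prefix-to-file mapping to a few constructed kernel log lines, and that can optionally keep only connection-starting packets (the log-side counterpart of adding -m state --state NEW to the rules). The log line layout, the hostname "fw", the addresses and the sshd line are all constructed sample data; the prefixes and destination paths are the ones from the post. In a real deployment syslog-ng does this routing, and the script only exists so the matching logic can be tried offline.

```python
"""Route iptables LOG lines to per-prefix files, mirroring the syslog-ng
filter/destination pairs from the post (added example, not syslog-ng code)."""
import re
from collections import defaultdict

# A syslog line written by the kernel for an iptables LOG rule:
#   <timestamp> <host> kernel: [<printk ts>] <--log-prefix><netfilter fields>
# The prefix is exactly the --log-prefix text; the fields are KEY=VALUE pairs
# plus bare flags such as DF, SYN, ACK.
LOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*\d+\.\d+\] )?"                 # optional printk timestamp
    r"(?P<prefix>IPTABLES \([A-Z ]+\): )"    # the --log-prefix from the rules
    r"(?P<fields>.*)$"
)

# Same prefix -> file mapping as the syslog-ng destinations in the post.
ROUTES = {
    "IPTABLES (INPUT TCP): ": "/var/log/iptables_input_tcp",
    "IPTABLES (INPUT UDP): ": "/var/log/iptables_input_udp",
}


def parse_fields(text):
    """Turn 'IN=eth0 OUT= SRC=... DF PROTO=TCP SYN' into a dict.

    KEY=VALUE tokens keep their value (possibly empty, as in OUT=);
    bare flags (DF, SYN, ACK, ...) map to True.
    """
    fields = {}
    for tok in text.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields[tok] = True
    return fields


def route(lines, only_new=False):
    """Return {destination_file: [matching lines]} for recognised LOG lines.

    Lines that are not kernel/iptables lines, or whose prefix has no
    destination, are dropped, just as syslog-ng's filters would not match.
    With only_new=True, TCP lines are kept only when they carry SYN without
    ACK (the packet that starts a connection); UDP has no handshake, so all
    UDP lines are kept.
    """
    sinks = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        dest = ROUTES.get(m.group("prefix"))
        if dest is None:
            continue
        if only_new:
            f = parse_fields(m.group("fields"))
            if f.get("PROTO") == "TCP" and not (f.get("SYN") and not f.get("ACK")):
                continue
        sinks[dest].append(line)
    return dict(sinks)


# Constructed sample log lines (not captured traffic): a TCP SYN, the
# following ACK, a UDP packet, and an unrelated sshd line that must be ignored.
SAMPLE = [
    "Mar  3 10:15:01 fw kernel: IPTABLES (INPUT TCP): IN=eth0 OUT= "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF "
    "PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Mar  3 10:15:01 fw kernel: IPTABLES (INPUT TCP): IN=eth0 OUT= "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF "
    "PROTO=TCP SPT=40000 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0",
    "Mar  3 10:15:02 fw kernel: IPTABLES (INPUT UDP): IN=eth0 OUT= "
    "SRC=192.0.2.11 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=UDP SPT=123 DPT=123 LEN=56",
    "Mar  3 10:15:03 fw sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2",
]

if __name__ == "__main__":
    for dest, lines in route(SAMPLE).items():
        print(f"{dest}: {len(lines)} line(s)")
    for dest, lines in route(SAMPLE, only_new=True).items():
        print(f"{dest} (connection starts only): {len(lines)} line(s)")
```

The only_new filter illustrates why the post recommends -m state --state NEW: of the two TCP lines above only the SYN is a new connection, so the per-packet log would be roughly halved even for this tiny handshake, and far more for a long-lived transfer.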