Re: how to log iptables

To: Gabriele Pongelli <le0n_84@hotmail.com>
Cc: debian-firewall@lists.debian.org
Subject: Re: how to log iptables
From: Andrew Kirkpatrick <andykirk@ubermonkey.net>
Date: Thu, 30 Mar 2006 00:30:26 +1030
Message-id: <[🔎] 442A92FA.7060905@ubermonkey.net>
In-reply-to: <[🔎] BAY108-F56C06CF49A48D3343B988CBD00@phx.gbl>
References: <[🔎] BAY108-F56C06CF49A48D3343B988CBD00@phx.gbl>

Gabriele Pongelli wrote:

is it possible to save the log in different files?!?
an example:
iptables -A INPUT -p tcp -j LOG --log-prefix "---[LOGGED (INPUT)]:--- "
save log to /var/log/iptables_input_tcp and
iptables -A INPUT -p udp -j LOG --log-prefix "---[LOGGED (INPUT)]:--- "
save log to /var/log/iptables_input_udp

It is possible, but not with iptables alone. The normal syslog daemoncan be configured to send log messages to different files based onfacility (iptables logs are always from the kernel) and level (iptablesdefaults to warning, but this can be changed with the --log-level option).

To discriminate further you might want to try using syslog-ng instead,which can apply a regular expression to match log messages and routethem appropriately. So you might have:

iptables -A INPUT -p tcp -j LOG --log-prefix "IPTABLES (INPUT TCP): "
iptables -A INPUT -p udp -j LOG --log-prefix "IPTABLES (INPUT UDP): "

And then in syslog-ng.conf:
# default source
source src { unix-dgram("/dev/log"); internal(); };

# match iptables logged packets
filter iptables_tcp_filter (
	facility(kern) and match("IPTABLES \\(INPUT TCP\\): ");
);
filter iptables_udp_filter (
	facility(kern) and match("IPTABLES \\(INPUT UDP\\): ");
);

# places to put iptables logs
destination iptables_tcp_dest ( file("/var/log/iptables_input_tcp"); );
destination iptables_udp_dest ( file("/var/log/iptables_input_udp"); );

# bring it all together

log ( source(src); filter(iptables_tcp_filter);destination(iptables_tcp_dest); );log ( source(src); filter(iptables_udp_filter);destination(iptables_udp_dest); );

I did this once myself and it worked OK, the above is untested and mayformat /dev/hda1 for all I know. As someone noted in an earlier post,iptables logging can easily create huge logfiles. If all you areinterested in is the connections and not every packet, you should beable to log just the packets starting each connection by inserting thefollowing options into the lines invoking iptables above:

-m state --state NEW

I hope this helps,
Andy Kirkpatrick

Reply to:

Follow-Ups:
- Re: how to log iptables
  - From: "Gabriele Pongelli" <le0n_84@hotmail.com>

References:
- Re: how to log iptables
  - From: "Gabriele Pongelli" <le0n_84@hotmail.com>

Prev by Date: Re: how to log iptables
Next by Date: Re: how to log iptables
Previous by thread: Re: how to log iptables
Next by thread: Re: how to log iptables
Index(es):
- Date
- Thread