How to Change Location of IPTables Logs
Logs are a very important aspect of any firewall. On Linux, IPTables provides logging through its LOG target, but by default those entries go to /var/log/syslog or /var/log/messages together with the logs of the entire system, so it can be hard to find the information you need.
If you want to change the file that IPTables logs into, you must configure the IPTables rules to emit a log prefix, and then configure RsysLog to match on that prefix and send those messages to a custom log file that contains only the iptables log information.
- Check if you have RsysLog installed and running
root@dbsysnet:/home/olivier# dpkg -l | grep rsyslog
ii rsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon
root@dbsysnet:/home/olivier# systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-07-20 17:59:56 UTC; 16min ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 813 (rsyslogd)
    Tasks: 4 (limit: 1111)
   CGroup: /system.slice/rsyslog.service
           └─813 /usr/sbin/rsyslogd -n

Jul 20 17:59:56 dbsysnet systemd[1]: Starting System Logging Service...
Jul 20 17:59:56 dbsysnet systemd[1]: Started System Logging Service.
Jul 20 17:59:56 dbsysnet rsyslogd[813]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.32.0 try http://www.
Jul 20 17:59:56 dbsysnet rsyslogd[813]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.32.0]
Jul 20 17:59:56 dbsysnet rsyslogd[813]: rsyslogd's groupid changed to 106
Jul 20 17:59:56 dbsysnet rsyslogd[813]: rsyslogd's userid changed to 102
Jul 20 17:59:56 dbsysnet rsyslogd[813]: [origin software="rsyslogd" swVersion="8.32.0" x-pid="813" x-info="http://www.rsyslog.com"] start
- Configure your IPTABLES rules with --log-prefix. The prefix string must be exactly the same as the one matched in the RsysLog rule, including the trailing colon and space.
root@dbsysnet:/home/olivier# iptables -A INPUT -p tcp --dport 22 --syn -j LOG --log-prefix "[IPTABLES]: "
- Create a configuration file for RsysLog
root@dbsysnet:/home/olivier# touch /etc/rsyslog.d/10-iptables.conf
- Open this file, paste the configuration below and save the file
:msg, contains, "[IPTABLES]: " -/var/log/firewall.log
& stop
Explanation:
The first line checks the message text (the msg property) for the string "[IPTABLES]: " and, if it is found, writes the message to /var/log/firewall.log. The leading "-" in front of the file name tells RsysLog not to flush the file to disk after every single write, which is acceptable for a firewall log on a busy host.
The second line stops any further processing of the matched message, so it is not also written to the standard location, in this case /var/log/syslog or /var/log/messages. "& stop" is the current syntax; "& ~" is the older, deprecated form of the same action, and it is what rsyslogd was warning about in the status output above.
- Restart RsysLog service
root@dbsysnet:/home/olivier# systemctl restart rsyslog
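To see what the two RsysLog lines actually do to a stream of messages, and what you end up with in /var/log/firewall.log, here is an added example that simulates the routing and parses the resulting lines. It is not part of the original article, iptables or rsyslog; the sample syslog lines are constructed (the kernel lines follow the KEY=VALUE layout the LOG target writes), and the function names are the author's own.

```python
"""Simulate the rsyslog routing configured above and parse the resulting
firewall log lines into fields.  Example code added to this article, not
part of rsyslog or iptables; the sample log lines below are constructed."""
import re
from collections import Counter

LOG_PREFIX = "[IPTABLES]: "   # must match the --log-prefix used in the iptables rule

# Constructed sample of what rsyslog receives: two kernel messages produced by
# the LOG target, plus unrelated system messages that must stay in syslog.
SAMPLE_SYSLOG = """\
Jul 20 18:05:12 dbsysnet kernel: [ 1234.567890] [IPTABLES]: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54321 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:05:13 dbsysnet sshd[1402]: Accepted publickey for olivier from 192.0.2.10 port 51234 ssh2
Jul 20 18:05:40 dbsysnet kernel: [ 1262.001122] [IPTABLES]: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1000 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 20 18:06:01 dbsysnet CRON[1410]: (root) CMD (test -x /usr/sbin/anacron || run-parts /etc/cron.hourly)
"""


def route(lines, prefix=LOG_PREFIX):
    """Apply the two-line rsyslog rule: a message that *contains* the prefix
    goes to firewall.log, and '& stop' keeps it out of the default file.
    Everything else falls through to syslog.  Returns (firewall, syslog)."""
    firewall, syslog = [], []
    for line in lines:
        if prefix in line:          # :msg, contains, "[IPTABLES]: "
            firewall.append(line)
            continue                # the 'stop' (formerly '& ~') action
        syslog.append(line)
    return firewall, syslog


# The LOG target emits KEY=VALUE pairs; bare flags such as DF or SYN have
# no '=' and are therefore not captured here.
_KV = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_firewall_line(line, prefix=LOG_PREFIX):
    """Turn one LOG-target line into a dict of its KEY=VALUE fields."""
    payload = line.split(prefix, 1)[1]
    return dict(_KV.findall(payload))


def summarize(firewall_lines):
    """Count logged packets per (source address, protocol, destination port)."""
    counts = Counter()
    for line in firewall_lines:
        fields = parse_firewall_line(line)
        counts[(fields.get("SRC"), fields.get("PROTO"), fields.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    fw, sys_lines = route(SAMPLE_SYSLOG.splitlines())
    print(f"{len(fw)} line(s) -> /var/log/firewall.log, "
          f"{len(sys_lines)} line(s) -> /var/log/syslog")
    for (src, proto, dport), n in summarize(fw).items():
        print(f"{src} -> {proto}/{dport}: {n}")
```

Note that the sshd line mentions the same client address but is left in syslog, because the rule matches only on the literal prefix string, not on addresses. The flip side is that "contains" matches anywhere in the message text, so any other process on the host that happens to log that exact string would also land in firewall.log; if that matters in your environment, restrict the rule further, for example to messages from the kernel facility.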