Force iptables to log messages to a different log file

October 3, 2006 · 40 comments · last updated February 23, 2008

According to the man page:
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user defined chains.

By default, iptables log messages go to the /var/log/messages file, but you can change this location. I will show you how to send them to a new log file called /var/log/iptables.log. Keeping them in a dedicated file makes it easier to build statistics and to analyze the attacks.

Iptables default log file

For example, if you type the following command, it will display the current iptables log entries from the /var/log/messages file:
# tail -f /var/log/messages
Output:

Oct  4 00:44:28 debian gconfd (vivek-4435): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Oct  4 01:14:19 debian kernel: IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=200.142.84.36 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18374 DF PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 00:13:55 debian kernel: IN=ra0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:de:55:0a:56:08:00 SRC=192.168.1.30 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=13461 PROTO=UDP SPT=137 DPT=137 LEN=58

Procedure to log the iptables messages to a different log file

Open your /etc/syslog.conf file:
# vi /etc/syslog.conf
Append the following line:
kern.warning /var/log/iptables.log
Save and close the file.

Restart syslogd (Debian / Ubuntu Linux):
# /etc/init.d/sysklogd restart
Under Red Hat / CentOS / Fedora Core Linux, use the following command instead to restart syslogd:
# /etc/init.d/syslog restart

Now make sure you pass the --log-level 4 option (together with --log-prefix) to your iptables LOG rules. LOG is a non-terminating target, so the LOG rule must come before the DROP rule. For example:
# DROP everything and Log it
iptables -A INPUT -j LOG --log-level 4
iptables -A INPUT -j DROP

For example, to drop all connections from IP address 64.55.11.2 and log them (rate-limited by -m limit to 5 entries per minute with a burst of 7) to your /var/log/iptables.log file:
iptables -A INPUT -s 64.55.11.2 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix '** HACKERS **' --log-level 4
iptables -A INPUT -s 64.55.11.2 -j DROP

Where,

  • --log-level 4: Level of logging. Level 4 is warning, which matches the kern.warning selector added to syslog.conf above.
  • --log-prefix '*** TEXT ***': Prefix log messages with the specified prefix (TEXT); up to 29 letters long, and useful for distinguishing messages in the logs. The prefix is written verbatim, so end it with a space if you want it separated from the IN= field that follows it.

You can now see all iptables messages logged to the /var/log/iptables.log file:
# tail -f /var/log/iptables.log

Updated for accuracy.

1 Paul March 7, 2007 at 12:54 am

I have absolutely no idea what you are talking about when you get to this part:

“Now make sure you pass the log-level 4 option with log-prefix to iptables.”

What is a “log-level 4 option”? What is a “log-prefix”? Why do I want to do this?

This is a huge problem in the Linux community, and the main reason most people steer clear of Linux: the people with all the know-how talk over the heads of everyone else, and won’t explain what the reason for doing something is, it’s “just do it, because I said to”.

2 Thomas Polliard October 10, 2011 at 9:37 am

Try Google searching for iptables logging. The main reason *nix people do not explain every detail is that the assumption is that a good sysadmin will man/Google search. Though in this case the writer offered the answer to your question with the code block above the --log-level text. As to why: iptables does not log by default, so you therefore must tell it to log. You want to log if you care to see what was blocked. Very useful when users complain that they can't get to some of your server's resources.

3 Joel March 19, 2007 at 7:23 pm

Question: If I was to add

kern.warning /var/log/iptables.log

to ‘/etc/syslog.conf’ as stated above, does it then append anything at the “warning” level in the file ‘/var/log/iptables.log’, regardless of whether or not it has to do with IPTables?

Thanks.

4 Algol March 19, 2007 at 9:04 pm

Paul,

I don’t think this article was written as a ‘step-by-step-iptables-how-to’… So the author might assume some familiarity with iptables.

I invite you to read
http://www.linuxguruz.com/iptables/howto/iptables-HOWTO-6.html#ss6.3
Specially the section
“Extensions to iptables: New Targets”
There is the answer to your questions :)

5 sciron June 1, 2007 at 11:47 pm

Now make sure you pass the log-level 4 option with log-prefix to iptables. For example:
# DROP everything and Log it
iptables -A INPUT -j LOG --log-level 4

No, it is just that some of us can actually read. The rest should steer clear of Linux.

6 Shaun P September 18, 2007 at 5:40 pm

Just to let you all know. Even though you are setting this to log to /var/log/iptables.log, it still logs into /var/log/messages.

I am working on a fix for this.

7 a.h.s. boy November 9, 2007 at 6:02 pm

Shaun —

There is usually a syslog.conf rule that sends *.info to /var/log/messages

On my system (Fedora), it reads
*.info;mail.none;authpriv.none;cron.none /var/log/messages

I changed it to
*.info;kern.!=warning;mail.none;authpriv.none;cron.none /var/log/messages

and it stopped logging iptables stuff to the messages log.

Note, however, that it will now put ANY “warning” level kernel messages into the iptables.log

8 Julian February 19, 2008 at 2:06 pm

Thanks for the info. I used it and it works just as I’d hoped. No more excess info in /var/log/messages!! Thank you.

9 Mario February 21, 2008 at 8:06 pm

Excellent article!!!

And a few contrib:

iptables -t nat -I PREROUTING -s Paul -j DNAT http://www.microsoft.com

May be in this website the people is more clear !!!!!!!!

10 sombatsombat February 23, 2008 at 6:00 am

# DROP everything and Log it
iptables -A INPUT -j LOG –log-level 4
iptables -A INPUT -j DROP

the ‘-‘ sign in front of log-level 4 should be ‘--‘ instead

11 sombatsombat February 23, 2008 at 6:03 am

Sorry, I think there is problem with the web page.

The above post was to tell about double ‘-‘ sign.
But the web page changed it to one ‘-‘ sign.

12 nixCraft February 23, 2008 at 6:50 am

sombatsombat,

The post has been updated to fix formatting. Thanks for the heads up.

13 John V. Kjellman May 2, 2008 at 12:21 am

This technique was working well for me under RedHat 9.0, but under CENTOS 5 the kernel spits out a bunch of warning messages for different situations, including a BIOS map on bootup, that result in a not-so-clean iptables log, and missing entries in /var/log/messages. It looks to me that the real solution is a change to iptables, however that might get accomplished.

14 Mehdi Akiki June 23, 2008 at 12:29 am

I tried to use this method but it didn't work for me.
Here is what I did:
Edit the /etc/syslog.conf file by adding the following:
kern.warn /var/log/fwlog
In the iptables configuration file, or using the shell, add this command to log all the packets that are dropped (implicitly the log level is 4 by default):
iptables -A INPUT -j LOG
Then run this command in the shell to read the modified file again!
killall -HUP syslogd

15 Joel June 24, 2008 at 10:05 pm

Here’s how I did it:

In your firewall script, add “--log-level debug” to any logging commands.

In /etc/syslog.conf :
kern.=debug /var/log/iptables

This seems to work and doesn’t add anything to /var/log/iptables other than the iptables logs, I think mostly because very few other applications use the “debug” log level.

16 Aly June 16, 2010 at 3:45 pm

I know this is an old post, but thanks this worked perfectly.

17 kaxa August 26, 2008 at 9:52 am

10x Vivek Gite

18 jon February 23, 2009 at 10:11 pm

In general, this worked fine for me, even though I used the log-level names instead of numbers.
After I had everything set up, the settings didn't seem to have any effect until I noticed I had
to explicitly restart the kernel log daemon (/etc/init.d/klogd restart). I don't know if this is true for any other distributions than Debian, which I’m running.
A nice documentation of the predefined iptables targets, such as LOG, can be found here:
http://www.faqs.org/docs/iptables/targets.html
Under 6.5.4. LOG target, the topic discussed here is also explained another time for the --log-level option.

19 pedro March 22, 2009 at 4:23 am

Mario:

don’t need to mock Paul like that… I feel for him and his frustration in getting “there” as well as I do for myself many times.
Routines are there for something, we all hope that it is to make your life easier… but if in order to put the routines at your service you have to put yourself in the shoes of the programmer all the time (for the same amount of time) then there is no point… and it really gets to you… It’s indeed a proper critique of the Linux scene.
Now, we don’t need to immediately go to the other side of fence, even the best intended, most researchful guy out there gets some scratches jumping the fence.
Neither autoshit from MS nor ultimate control from some pseudo-eleet.
Linux diversity lacks synthesis!

Respect kid.

20 Tawfiq May 18, 2009 at 5:55 am

Don’t know if you guys had it, but I added that line in syslog.conf, then restarted it.
Added those lines in iptables, then restarted it.
The iptables log started dumping on the active console.
I had to log in in rescue mode and undo the stuff.
Maybe because I didn’t have the file /var/log/iptables?
Later today, I will try touching the file and redoing the whole thing.

any alternate suggestions?

21 Tawfiq May 18, 2009 at 5:59 am

Sorry, it created the file itself (iptables.log),
but it also kept dumping on the active console.
Any idea?

22 Marshall June 11, 2009 at 8:25 pm

Tawfiq: You can disable the console logging by commenting out this line in your syslog.conf

#kern.* /dev/console

23 kris July 16, 2009 at 10:44 am

Or you can use ulog.
Install ulogd (in ubuntu: sudo apt-get install ulogd)

If you use fwbuilder to configure your firewall then it’s simple.
In fwbuilder, double click on your firewall -> Firewall Settings -> Logging -> use ULOG

then compile and reinstall the policy and that’s it.
The logs from iptables will be in /var/log/ulog/syslogemu.log

24 dejf July 20, 2009 at 8:20 pm

This is just absurd. Log level is not meant to differentiate services; you should use filters or facility instead. syslog-ng makes things a bit easier.

25 ds August 2, 2009 at 11:44 am

Thanks for this clear guide

26 Ammad September 4, 2009 at 9:50 am

HI,
It's cool, but in addition, how do I get hostnames/FQDNs of local nodes instead of IP addresses? I have DNS on the firewall system for all dynamic DHCP nodes. Since logs are useful to get the history of nodes, and all nodes are getting IPs from DHCP, and this registers the IP address to the DNS server.

thanks.

27 Prem September 19, 2009 at 10:10 am

Hi
I have configured 2 log files
1.) iptable.log 2.) iptable1.log

I want to monitor or write the log for an IP, say 64.55.11.2, in iptable.log and another IP, say 202.20.10.80, in iptable1.log. Is that possible and how do I do this? Thanks in advance…

28 Ammad September 19, 2009 at 2:50 pm

Can I have iptables logs on a web page? I have installed “Iptables log analyzer 0.4 beta” but I think it's for SUSE only and it doesn’t put logs into a MySQL DB as it should do according to the documentation.

29 Prem September 22, 2009 at 6:39 am

Hi ,
I want to know if it is possible to log 5 packets every 2 minutes; if it is possible, may I know the command?
Thanks in advance…

30 Al B.. December 15, 2009 at 7:58 pm

For Ubuntu 9.10 users, edit /etc/rsyslog.d/50-default.conf and don't forget to remove the *.=warn part, otherwise it will still write to /var/log/messages. If anyone has a better method please suggest..

31 Paul G December 23, 2009 at 8:47 pm

In order to filter firewall logs from /var/log/messages use the below (in previous examples, “=” (equal sign) was used, but it is not working on RHEL for example).

kern.warning /var/log/iptables.log
*.info;kern.!warning;mail.none;authpriv.none;cron.none /var/log/messages

32 Roberto_Dominicano January 28, 2010 at 4:31 pm

Sound interesting.
But I have a question. What if I would like to filter MAC addresses, limiting the upload and download for any particular MAC address?
How I can do that?

Thanks

33 jamie May 2, 2010 at 9:08 am

looks like in ubuntu 10.04, the file is now at /etc/rsyslog.d/50-default.conf

at least i think it is.

34 LGB February 14, 2011 at 6:49 am

I would be careful with sentences like “iptables to log messages …”. First of all iptables can’t and doesn’t log anything, it’s just a command line tool to manage rules inside the kernel called “netfilter”. Netfilter and the kernel itself do not log anything either, since the log daemon logs things. And the most important thing: as far as I see, it’s always a bit unfortunate to use the LOG target. Yeah, you can separate messages with log level, prefix etc, to have “different” ones than other messages from the kernel which are logged by some log daemon then, but personally I think the ULOG target is much more useful, and you don’t need to “hack” your log daemon either. You only need to run the ulogd daemon which will log messages then into a file or even a MySQL table, and so on.

35 Akash November 19, 2011 at 11:49 am

It helped me to clear up the LOG basic concepts.
Thanks

36 awoms January 5, 2012 at 3:18 pm

Everything is working great, thank you.

How do I set up the new /var/log/iptables.log file to archive/create new files when it grows to a certain size?…

37 annih January 31, 2012 at 2:30 pm
38 spongebob March 11, 2012 at 6:52 am

on ubuntu/xubuntu add this to your rsyslogd.d/50-default.conf

:msg,contains,"NETFILTER" /var/log/iptables.log

When you want to log, just add --log-prefix NETFILTER (personally I split NETFILTER-IN, NETFILTER-OUT and NETFILTER-FWD).

39 Andrea April 20, 2012 at 6:44 am

Hi!
Thanks spongebob. I'll add some info. In Debian you can add the following 2 lines in the file /etc/rsyslog.conf (beginning of the RULES section) or you can add a conf file in the directory /etc/rsyslog.d/

I use the string Shorewall but you can use any string (--log-prefix STRING as spongebob said).

:msg, contains, "Shorewall"       /var/log/iptables.log
:msg, contains, "Shorewall"     ~

The first line sends messages that contain “Shorewall” to the file iptables.log. The second line discards messages that contain “Shorewall” so that they are not logged in the /var/log/messages.

More info:
http://www.rsyslog.com/doc/rsyslog_conf_filter.html

40 Resen December 14, 2012 at 9:11 pm

For CentOS 6 onwards please note that the syslog.conf file is now the rsyslog.conf file found in the same directory.
