Force iptables to log messages to a different log file

by Vivek Gite · 30 comments

According to man page:
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user defined chains.

By default, Iptables log message to a /var/log/messages file. However you can change this location. I will show you how to create a new logfile called /var/log/iptables.log. Changing or using a new file allows you to create better statistics and/or allows you to analyze the attacks.

Iptables default log file

For example, if you type the following command, it will display current iptables log from /var/log/messages file:
# tail -f /var/log/messages
Output:

Oct  4 00:44:28 debian gconfd (vivek-4435): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Oct  4 01:14:19 debian kernel: IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=200.142.84.36 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18374 DF PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 00:13:55 debian kernel: IN=ra0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:de:55:0a:56:08:00 SRC=192.168.1.30 DST=192.168.1.255LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=13461 PROTO=UDP SPT=137 DPT=137 LEN=58

Procedure to log the iptables messages to a different log file

Open your /etc/syslog.conf file:
# vi /etc/syslog.conf
Append following line
kern.warning /var/log/iptables.log
Save and close the file.

Restart the syslogd (Debian / Ubuntu Linux):# /etc/init.d/sysklogd restartOn the other hand, use following command to restart syslogd under Red Hat/Cent OS/Fedora Core Linux:# /etc/init.d/syslog restart

Now make sure you pass the log-level 4 option with log-prefix to iptables. For example:
# DROP everything and Log it
iptables -A INPUT -j LOG --log-level 4
iptables -A INPUT -j DROP

For example, drop and log all connections from IP address 64.55.11.2 to your /var/log/iptables.log file:
iptables -A INPUT -s 64.55.11.2 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix '** HACKERS **'--log-level 4
iptables -A INPUT -s 64.55.11.2 -j DROP

Where,

  • --log-level 4: Level of logging. The level # 4 is for warning.
  • --log-prefix '*** TEXT ***': Prefix log messages with the specified prefix (TEXT); up to 29 letters long, and useful for distinguishing messages in the logs.

You can now see all iptables message logged to /var/log/iptables.log file:
# tail -f /var/log/iptables.log

Updated for accuracy.

Featured Articles:

Want to read Linux tips and tricks, but don't have time to check our blog everyday? Subscribe to our daily email newsletter to make sure you don't miss a single tip/tricks. Subscribe to our weekly newsletter here!

{ 30 comments… read them below or add one }

1 Paul 03.07.07 at 12:54 am

I have absolutely no idea what you are talking about when you get to this part:

“Now make sure you pass the log-level 4 option with log-prefix to iptables.”

What is a “log-level 4 option”? What is a “log-prefix”? Why do I want to do this?

This is a huge problem in the Linux community, and the main reason most people steer clear of Linux: the people with all the know-how talk over the heads of everyone else, and won’t explain what the reason for doing something is, it’s “just do it, because I said to”.

2 Joel 03.19.07 at 7:23 pm

Question: If I was to add

kern.warning /var/log/iptables.log

to ‘/etc/syslog.conf’ as stated above, does it then append anything at the “warning” level in the file ‘/var/log/iptables.log’, regardless of whether or not it has to do with IPTables?

Thanks.

3 Algol 03.19.07 at 9:04 pm

Paul,

I don’t think this article was written as a ’step-by-step-iptables-how-to’… So the author might assume some familiarity with iptables.

I invite you to read
http://www.linuxguruz.com/iptables/howto/iptables-HOWTO-6.html#ss6.3
Specially the section
“Extensions to iptables: New Targets”
There is the answer to your questions :)

4 sciron 06.01.07 at 11:47 pm

Now make sure you pass the log-level 4 option with log-prefix to iptables. For example:
# DROP everything and Log it
iptables -A INPUT -j LOG –log-level 4

No, it is just that some of us can actually read. The rest should steer clear of Linux.

5 Shaun P 09.18.07 at 5:40 pm

Just to let you all know. Even though you are setting this to log to /var/log/iptables.log, it still logs into /var/log/messages.

I am working on a fix for this.

6 a.h.s. boy 11.09.07 at 6:02 pm

Shaun –

There is usually a syslog.conf rule that sends *.info to /var/log/messages

On my system (Fedora), it reads
*.info;mail.none;authpriv.none;cron.none /var/log/messages

I changed it to
*.info;kern.!=warning;mail.none;authpriv.none;cron.none /var/log/messages

and it stopped logging iptables stuff to the messages log.

Note, however, that it will now put ANY “warning” level kernel messages into the iptables.log

7 Julian 02.19.08 at 2:06 pm

Thanks for the info. I used it and it works just as I’d hoped. No more excess info in /var/log/messages!! Thank you.

8 Mario 02.21.08 at 8:06 pm

Excellent article!!!

And a few contrib:

iptables -t nat -I PREROUTING -s Paul -j DNAT http://www.microsoft.com

May be in this website the people is more clear !!!!!!!!

9 sombatsombat 02.23.08 at 6:00 am

# DROP everything and Log it
iptables -A INPUT -j LOG –log-level 4
iptables -A INPUT -j DROP

the ‘-’ sign infront of log-level 4 should be ‘–’ instead

10 sombatsombat 02.23.08 at 6:03 am

Sorry, I think there is problem with the web page.

The above post was to tell about double ‘-’ sign.
But the web page changed it to one ‘-’ sign.

11 vivek 02.23.08 at 6:50 am

sombatsombat,

The post has been updated to fix formatting. Thanks for the heads up.

12 John V. Kjellman 05.02.08 at 12:21 am

This technique was working well for me under RedHat 9.0, but under CENTOS 5 the kernel spits out a bunch of warning messages for different situations, including a BIOS map on bootup, that result in a not-so-clean iptables log, and missing entries in /var/log/messages. It looks to me that the real solution is a change to iptables, however that might get accomplished.

13 Mehdi Akiki 06.23.08 at 12:29 am

I tried to use this method but it didnt work for me.
Here is what I did:
Edit the /etc/syslog.conf file by adding the following:
kern.warn /var/log/fwlog
In the iptables configuration file or using the shell add this command to log all the packets that are dropped (implicitely the log level is 4 by default):
iptables -A INPUT -j LOG
Then run this command in the shell to read the modified file again!
killall -HUP syslogd

14 Joel 06.24.08 at 10:05 pm

Here’s how I did it:

In your firewall script, add “–log-level debug” to any logging commands.

In /etc/syslog.conf :
kern.=debug /var/log/iptables

This seams to work and doesn’t add anything to /var/log/iptables other than the iptables logs, I think mostly because very few other applications use the “debug” log level.

15 kaxa 08.26.08 at 9:52 am

10x Vivek Gite

16 jon 02.23.09 at 10:11 pm

in general, this worked fine for me, even though i used the log-levels names instead of numbers.
after i had everything set-up, the settings didnt seem to have any effect until i noticed i had
to explicitly restart the kernel log daemon (/etc/init.d/klogd restart). i dont know if this is true for any other distributions than debian, which i’m running.
a nice documentation of the predefined iptables targets, such as LOG, can be found here:
http://www.faqs.org/docs/iptables/targets.html
under 6.5.4. LOG target, the topic discussed here is also explained another time for the –log-level option

17 pedro 03.22.09 at 4:23 am

Mario:

don’t need to mock Paul like that… I feel for him and his frustration in getting “there” as well as I do for myself many times.
Routines are there for something, we all hope that it is to make your life easier… but if in order to put the routines at your service you have to put yourself in the shoes of the programmer all the time (for the same ammount of time) then there is no point… and it really gets to you… Its indeed a proper critic in the linux scene.
Now, we don’t need to immediately go to the other side of fence, even the best intended, most researchful guy out there gets some scratches jumping the fence.
Neither autoshit from MS nor ultimate control from some pseudo-eleet.
Linux diversity lacks in sinthesys!

Respect kid.

18 Tawfiq 05.18.09 at 5:55 am

Don’t know if you guys had it, but i added that line is syslog.conf . then restarted it.
added those lines in iptables then restarted it.
the iptables log starts dumping on the active console.
I had to log in rescue mode and undo the stuffs.
may be cause i didn’t have the file /var/log/iptables ?
later today, i will try touch the file and redo the whole thing.

any alternate suggestions?

19 Tawfiq 05.18.09 at 5:59 am

sorry, it itself created the file (iptables.log)
but it also kept dumping on the active konsole.
any idea?

20 Marshall 06.11.09 at 8:25 pm

Tawfiq: You can disable the console logging by commenting out this line in your syslog.conf

#kern.* /dev/console

21 kris 07.16.09 at 10:44 am

Or you can use ulog.
Install ulogd (in ubuntu: sudo apt-get install ulogd)

If you use fwbuilder to configure your firewall then it’s simple.
In fwbuilder, double click on your firewall –> Firewall Settings –> Logging –> use ULOG

then compile and reinstall the policy and that’s it.
The logs from iptables will be in /var/log/ulog/syslogemu.log

22 dejf 07.20.09 at 8:20 pm

This is just absurd. Loglevel is not meant to differe services, you should use filters or facility instead, syslog-ng makes things a bit easier.

23 ds 08.02.09 at 11:44 am

Thanks for this clear guide

24 Ammad 09.04.09 at 9:50 am

HI,
its cool, but for addition how do i get hostnames/FQDN of local nodes instead of IP address. i have dns on firewall system for all dynamic dhcp nodes. since logs are useful to get history of nodes, and all nodes are getting ip from dhcp. and this registers ip address to dns server.

thanks.

25 Prem 09.19.09 at 10:10 am

Hi
i have configured 2 log files
1.) iptable.log 2.)iptable1.log

i want to write monitor or write log for an ip say 64.55.11.2 in iptable.log and another ip say 202.20.10.80 in iptable1.log is that possible and how to do this?. Thanks in advance…

26 Ammad 09.19.09 at 2:50 pm

can i have a iptables logs on web page. i have installed “Iptables log analyzer 0.4 beta” but i think its for suse only and it doesn’t put logs to mysql db as it should do according to documentation.

27 Prem 09.22.09 at 6:39 am

Hi ,
I want to know is it possible to log 5 packets for every 2 minutes if it is possible may i know the command.
Thanks in advance…

28 Al B.. 12.15.09 at 7:58 pm

for ubuntu 9.10 users edit /etc/rsyslog.d/50-default.conf and dont forget to remove *.=warn part otherwise it will still write to var/log/messages. If anyone has a better method please suggest..

29 Paul G 12.23.09 at 8:47 pm

In order to filter firewall logs from /var/log/messages use the below (in previous examples, “=” (equal sign) was used, but it is not working on RHEL for example.

kern.warning /var/log/iptables.log
*.info;kern.!warning;mail.none;authpriv.none;cron.none /var/log/messages

30 Roberto_Dominicano 01.28.10 at 4:31 pm

Sound interesting.
But I have a question? And if I would like to filtering mac address limiting the upload and download for any particular mac address?
How I can do that?

Thanks

Leave a Comment

You can use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Tagged as: , , , , , , , , , , , , , , , , , , , ,

Previous post:

Next post: