Force iptables to log messages to a different log file

by on October 3, 2006 · 40 comments· LAST UPDATED February 23, 2008

in , ,

According to man page:
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user defined chains.

By default, Iptables log message to a /var/log/messages file. However you can change this location. I will show you how to create a new logfile called /var/log/iptables.log. Changing or using a new file allows you to create better statistics and/or allows you to analyze the attacks.

Iptables default log file

For example, if you type the following command, it will display current iptables log from /var/log/messages file:
# tail -f /var/log/messages

Oct  4 00:44:28 debian gconfd (vivek-4435): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Oct  4 01:14:19 debian kernel: IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18374 DF PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 00:13:55 debian kernel: IN=ra0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:de:55:0a:56:08:00 SRC= DST= TOS=0x00 PREC=0x00 TTL=128 ID=13461 PROTO=UDP SPT=137 DPT=137 LEN=58

Procedure to log the iptables messages to a different log file

Open your /etc/syslog.conf file:
# vi /etc/syslog.conf
Append following line
kern.warning /var/log/iptables.log
Save and close the file.

Restart the syslogd (Debian / Ubuntu Linux):# /etc/init.d/sysklogd restartOn the other hand, use following command to restart syslogd under Red Hat/Cent OS/Fedora Core Linux:# /etc/init.d/syslog restart

Now make sure you pass the log-level 4 option with log-prefix to iptables. For example:
# DROP everything and Log it
iptables -A INPUT -j LOG --log-level 4
iptables -A INPUT -j DROP

For example, drop and log all connections from IP address to your /var/log/iptables.log file:
iptables -A INPUT -s -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix '** HACKERS **'--log-level 4
iptables -A INPUT -s -j DROP


  • --log-level 4: Level of logging. The level # 4 is for warning.
  • --log-prefix '*** TEXT ***': Prefix log messages with the specified prefix (TEXT); up to 29 letters long, and useful for distinguishing messages in the logs.

You can now see all iptables message logged to /var/log/iptables.log file:
# tail -f /var/log/iptables.log

Updated for accuracy.

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 40 comments… read them below or add one }

1 Paul March 7, 2007 at 12:54 am

I have absolutely no idea what you are talking about when you get to this part:

“Now make sure you pass the log-level 4 option with log-prefix to iptables.”

What is a “log-level 4 option”? What is a “log-prefix”? Why do I want to do this?

This is a huge problem in the Linux community, and the main reason most people steer clear of Linux: the people with all the know-how talk over the heads of everyone else, and won’t explain what the reason for doing something is, it’s “just do it, because I said to”.


2 Thomas Polliard October 10, 2011 at 9:37 am

Try google searching for iptables logging. The main reason *nix people do not explain every detail is that the assumption is that a good sysadmin will man/google search. Though in this case the writer offered the answer to your question with the code block above the –log-level text As to why. Iptables does not log by default you therefore must tell it to log. You want to log if you care to see what was blocked. Very useful when users complain that they can’t get to some of your servers resources.


3 Joel March 19, 2007 at 7:23 pm

Question: If I was to add

kern.warning /var/log/iptables.log

to ‘/etc/syslog.conf’ as stated above, does it then append anything at the “warning” level in the file ‘/var/log/iptables.log’, regardless of whether or not it has to do with IPTables?



4 Algol March 19, 2007 at 9:04 pm


I don’t think this article was written as a ‘step-by-step-iptables-how-to’… So the author might assume some familiarity with iptables.

I invite you to read
Specially the section
“Extensions to iptables: New Targets”
There is the answer to your questions :)


5 sciron June 1, 2007 at 11:47 pm

Now make sure you pass the log-level 4 option with log-prefix to iptables. For example:
# DROP everything and Log it
iptables -A INPUT -j LOG –log-level 4

No, it is just that some of us can actually read. The rest should steer clear of Linux.


6 Shaun P September 18, 2007 at 5:40 pm

Just to let you all know. Even though you are setting this to log to /var/log/iptables.log, it still logs into /var/log/messages.

I am working on a fix for this.


7 a.h.s. boy November 9, 2007 at 6:02 pm

Shaun —

There is usually a syslog.conf rule that sends *.info to /var/log/messages

On my system (Fedora), it reads
*.info;mail.none;authpriv.none;cron.none /var/log/messages

I changed it to
*.info;kern.!=warning;mail.none;authpriv.none;cron.none /var/log/messages

and it stopped logging iptables stuff to the messages log.

Note, however, that it will now put ANY “warning” level kernel messages into the iptables.log


8 Julian February 19, 2008 at 2:06 pm

Thanks for the info. I used it and it works just as I’d hoped. No more excess info in /var/log/messages!! Thank you.


9 Mario February 21, 2008 at 8:06 pm

Excellent article!!!

And a few contrib:

iptables -t nat -I PREROUTING -s Paul -j DNAT

May be in this website the people is more clear !!!!!!!!


10 sombatsombat February 23, 2008 at 6:00 am

# DROP everything and Log it
iptables -A INPUT -j LOG –log-level 4
iptables -A INPUT -j DROP

the ‘-‘ sign infront of log-level 4 should be ‘–‘ instead


11 sombatsombat February 23, 2008 at 6:03 am

Sorry, I think there is problem with the web page.

The above post was to tell about double ‘-‘ sign.
But the web page changed it to one ‘-‘ sign.


12 nixCraft February 23, 2008 at 6:50 am


The post has been updated to fix formatting. Thanks for the heads up.


13 John V. Kjellman May 2, 2008 at 12:21 am

This technique was working well for me under RedHat 9.0, but under CENTOS 5 the kernel spits out a bunch of warning messages for different situations, including a BIOS map on bootup, that result in a not-so-clean iptables log, and missing entries in /var/log/messages. It looks to me that the real solution is a change to iptables, however that might get accomplished.


14 Mehdi Akiki June 23, 2008 at 12:29 am

I tried to use this method but it didnt work for me.
Here is what I did:
Edit the /etc/syslog.conf file by adding the following:
kern.warn /var/log/fwlog
In the iptables configuration file or using the shell add this command to log all the packets that are dropped (implicitely the log level is 4 by default):
iptables -A INPUT -j LOG
Then run this command in the shell to read the modified file again!
killall -HUP syslogd


15 Joel June 24, 2008 at 10:05 pm

Here’s how I did it:

In your firewall script, add “–log-level debug” to any logging commands.

In /etc/syslog.conf :
kern.=debug /var/log/iptables

This seams to work and doesn’t add anything to /var/log/iptables other than the iptables logs, I think mostly because very few other applications use the “debug” log level.


16 Aly June 16, 2010 at 3:45 pm

I know this is an old post, but thanks this worked perfectly.


17 kaxa August 26, 2008 at 9:52 am

10x Vivek Gite


18 jon February 23, 2009 at 10:11 pm

in general, this worked fine for me, even though i used the log-levels names instead of numbers.
after i had everything set-up, the settings didnt seem to have any effect until i noticed i had
to explicitly restart the kernel log daemon (/etc/init.d/klogd restart). i dont know if this is true for any other distributions than debian, which i’m running.
a nice documentation of the predefined iptables targets, such as LOG, can be found here:
under 6.5.4. LOG target, the topic discussed here is also explained another time for the –log-level option


19 pedro March 22, 2009 at 4:23 am


don’t need to mock Paul like that… I feel for him and his frustration in getting “there” as well as I do for myself many times.
Routines are there for something, we all hope that it is to make your life easier… but if in order to put the routines at your service you have to put yourself in the shoes of the programmer all the time (for the same ammount of time) then there is no point… and it really gets to you… Its indeed a proper critic in the linux scene.
Now, we don’t need to immediately go to the other side of fence, even the best intended, most researchful guy out there gets some scratches jumping the fence.
Neither autoshit from MS nor ultimate control from some pseudo-eleet.
Linux diversity lacks in sinthesys!

Respect kid.


20 Tawfiq May 18, 2009 at 5:55 am

Don’t know if you guys had it, but i added that line is syslog.conf . then restarted it.
added those lines in iptables then restarted it.
the iptables log starts dumping on the active console.
I had to log in rescue mode and undo the stuffs.
may be cause i didn’t have the file /var/log/iptables ?
later today, i will try touch the file and redo the whole thing.

any alternate suggestions?


21 Tawfiq May 18, 2009 at 5:59 am

sorry, it itself created the file (iptables.log)
but it also kept dumping on the active konsole.
any idea?


22 Marshall June 11, 2009 at 8:25 pm

Tawfiq: You can disable the console logging by commenting out this line in your syslog.conf

#kern.* /dev/console


23 kris July 16, 2009 at 10:44 am

Or you can use ulog.
Install ulogd (in ubuntu: sudo apt-get install ulogd)

If you use fwbuilder to configure your firewall then it’s simple.
In fwbuilder, double click on your firewall –> Firewall Settings –> Logging –> use ULOG

then compile and reinstall the policy and that’s it.
The logs from iptables will be in /var/log/ulog/syslogemu.log


24 dejf July 20, 2009 at 8:20 pm

This is just absurd. Loglevel is not meant to differe services, you should use filters or facility instead, syslog-ng makes things a bit easier.


25 ds August 2, 2009 at 11:44 am

Thanks for this clear guide


26 Ammad September 4, 2009 at 9:50 am

its cool, but for addition how do i get hostnames/FQDN of local nodes instead of IP address. i have dns on firewall system for all dynamic dhcp nodes. since logs are useful to get history of nodes, and all nodes are getting ip from dhcp. and this registers ip address to dns server.



27 Prem September 19, 2009 at 10:10 am

i have configured 2 log files
1.) iptable.log 2.)iptable1.log

i want to write monitor or write log for an ip say in iptable.log and another ip say in iptable1.log is that possible and how to do this?. Thanks in advance…


28 Ammad September 19, 2009 at 2:50 pm

can i have a iptables logs on web page. i have installed “Iptables log analyzer 0.4 beta” but i think its for suse only and it doesn’t put logs to mysql db as it should do according to documentation.


29 Prem September 22, 2009 at 6:39 am

Hi ,
I want to know is it possible to log 5 packets for every 2 minutes if it is possible may i know the command.
Thanks in advance…


30 Al B.. December 15, 2009 at 7:58 pm

for ubuntu 9.10 users edit /etc/rsyslog.d/50-default.conf and dont forget to remove *.=warn part otherwise it will still write to var/log/messages. If anyone has a better method please suggest..


31 Paul G December 23, 2009 at 8:47 pm

In order to filter firewall logs from /var/log/messages use the below (in previous examples, “=” (equal sign) was used, but it is not working on RHEL for example.

kern.warning /var/log/iptables.log
*.info;kern.!warning;mail.none;authpriv.none;cron.none /var/log/messages


32 Roberto_Dominicano January 28, 2010 at 4:31 pm

Sound interesting.
But I have a question? And if I would like to filtering mac address limiting the upload and download for any particular mac address?
How I can do that?



33 jamie May 2, 2010 at 9:08 am

looks like in ubuntu 10.04, the file is now at /etc/rsyslog.d/50-default.conf

at least i think it is.


34 LGB February 14, 2011 at 6:49 am

I would be careful with sentences like “iptables to log messages …”. First of all iptables can’t an doesn’t log anything, it’s just a command line tool to manage rules inside the kernel called “netfilter”. Netfilter and kernel itself does not log anything either, since log daemon log things. And the most important thing: as far as I see, it’s always a bit unfortunate to use the LOG target. Yeah, you can separate messages with log level, prefix etc, to have “different” one than other messages from the kernel which are logged by some log daemon then, but personally I think ULOG target is much more useful, and you don’t need to “hack” your log daemon either. You only need to run ulogd daemon which will log messages then into file or even MySQL table, and so on.


35 Akash November 19, 2011 at 11:49 am

It help me to clear.. LOG basics concept


36 awoms January 5, 2012 at 3:18 pm

Everything is working great, thank you.

How do I set up the new /var/log/iptables.log file to archive/create new files when it grows to a certain size?…


37 annih January 31, 2012 at 2:30 pm
38 spongebob March 11, 2012 at 6:52 am

on ubuntu/xubuntu add this to your rsyslogd.d/50-default.conf

:msg,contains,”NETFILTER” /var/log/iptables.log

when you want to log just add –log-prefix NETFILTER (personaly i split NETFILTER-IN NETFILTER-OUT and NETFILTER-FWD


39 Andrea April 20, 2012 at 6:44 am

Thanks spongebob. I add some info. In debian you can add the following 2 lines in file /etc/rsyslog.conf (beginning of section RULES) or you can add a conf file in directory /etc/rsyslog.d/

I use the string Shorewall but you can use any string (–log-prefix STRING as spongebob said).

:msg, contains, "Shorewall"       /var/log/iptables.log
:msg, contains, "Shorewall"     ~

The first line sends messages that contain “Shorewall” to the file iptables.log. The second line discards messages that contain “Shorewall” so that they are not logged in the /var/log/messages.

More info:


40 Resen December 14, 2012 at 9:11 pm

For Centos 6 onwards please note that the syslog.conf file is now the rsyslog.conf file found in the same direcotry


Leave a Comment

Tagged as: , , , , , , , , , , , , , , , , , , , ,

Previous post:

Next post: