≡ Menu

Force iptables to log messages to a different log file

According to man page:
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user defined chains.

By default, Iptables log message to a /var/log/messages file. However you can change this location. I will show you how to create a new logfile called /var/log/iptables.log. Changing or using a new file allows you to create better statistics and/or allows you to analyze the attacks.

Iptables default log file

For example, if you type the following command, it will display current iptables log from /var/log/messages file:
# tail -f /var/log/messages

Oct  4 00:44:28 debian gconfd (vivek-4435): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Oct  4 01:14:19 debian kernel: IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18374 DF PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 00:13:55 debian kernel: IN=ra0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:de:55:0a:56:08:00 SRC= DST= TOS=0x00 PREC=0x00 TTL=128 ID=13461 PROTO=UDP SPT=137 DPT=137 LEN=58

Procedure to log the iptables messages to a different log file

Open your /etc/syslog.conf file:
# vi /etc/syslog.conf
Append following line
kern.warning /var/log/iptables.log
Save and close the file.

Restart the syslogd (Debian / Ubuntu Linux):# /etc/init.d/sysklogd restartOn the other hand, use following command to restart syslogd under Red Hat/Cent OS/Fedora Core Linux:# /etc/init.d/syslog restart

Now make sure you pass the log-level 4 option with log-prefix to iptables. For example:
# DROP everything and Log it
iptables -A INPUT -j LOG --log-level 4
iptables -A INPUT -j DROP

For example, drop and log all connections from IP address to your /var/log/iptables.log file:
iptables -A INPUT -s -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix '** HACKERS **'--log-level 4
iptables -A INPUT -s -j DROP


  • --log-level 4: Level of logging. The level # 4 is for warning.
  • --log-prefix '*** TEXT ***': Prefix log messages with the specified prefix (TEXT); up to 29 letters long, and useful for distinguishing messages in the logs.

You can now see all iptables message logged to /var/log/iptables.log file:
# tail -f /var/log/iptables.log

Updated for accuracy.

Share this on:

{ 40 comments… add one }

  • Paul March 7, 2007, 12:54 am

    I have absolutely no idea what you are talking about when you get to this part:

    “Now make sure you pass the log-level 4 option with log-prefix to iptables.”

    What is a “log-level 4 option”? What is a “log-prefix”? Why do I want to do this?

    This is a huge problem in the Linux community, and the main reason most people steer clear of Linux: the people with all the know-how talk over the heads of everyone else, and won’t explain what the reason for doing something is, it’s “just do it, because I said to”.

    • Thomas Polliard October 10, 2011, 9:37 am

      Try google searching for iptables logging. The main reason *nix people do not explain every detail is that the assumption is that a good sysadmin will man/google search. Though in this case the writer offered the answer to your question with the code block above the –log-level text As to why. Iptables does not log by default you therefore must tell it to log. You want to log if you care to see what was blocked. Very useful when users complain that they can’t get to some of your servers resources.

  • Joel March 19, 2007, 7:23 pm

    Question: If I was to add

    kern.warning /var/log/iptables.log

    to ‘/etc/syslog.conf’ as stated above, does it then append anything at the “warning” level in the file ‘/var/log/iptables.log’, regardless of whether or not it has to do with IPTables?


  • Algol March 19, 2007, 9:04 pm


    I don’t think this article was written as a ‘step-by-step-iptables-how-to’… So the author might assume some familiarity with iptables.

    I invite you to read
    Specially the section
    “Extensions to iptables: New Targets”
    There is the answer to your questions :)

  • sciron June 1, 2007, 11:47 pm

    Now make sure you pass the log-level 4 option with log-prefix to iptables. For example:
    # DROP everything and Log it
    iptables -A INPUT -j LOG –log-level 4

    No, it is just that some of us can actually read. The rest should steer clear of Linux.

  • Shaun P September 18, 2007, 5:40 pm

    Just to let you all know. Even though you are setting this to log to /var/log/iptables.log, it still logs into /var/log/messages.

    I am working on a fix for this.

  • a.h.s. boy November 9, 2007, 6:02 pm

    Shaun —

    There is usually a syslog.conf rule that sends *.info to /var/log/messages

    On my system (Fedora), it reads
    *.info;mail.none;authpriv.none;cron.none /var/log/messages

    I changed it to
    *.info;kern.!=warning;mail.none;authpriv.none;cron.none /var/log/messages

    and it stopped logging iptables stuff to the messages log.

    Note, however, that it will now put ANY “warning” level kernel messages into the iptables.log

  • Julian February 19, 2008, 2:06 pm

    Thanks for the info. I used it and it works just as I’d hoped. No more excess info in /var/log/messages!! Thank you.

  • Mario February 21, 2008, 8:06 pm

    Excellent article!!!

    And a few contrib:

    iptables -t nat -I PREROUTING -s Paul -j DNAT http://www.microsoft.com

    May be in this website the people is more clear !!!!!!!!

  • sombatsombat February 23, 2008, 6:00 am

    # DROP everything and Log it
    iptables -A INPUT -j LOG –log-level 4
    iptables -A INPUT -j DROP

    the ‘-‘ sign infront of log-level 4 should be ‘–‘ instead

  • sombatsombat February 23, 2008, 6:03 am

    Sorry, I think there is problem with the web page.

    The above post was to tell about double ‘-‘ sign.
    But the web page changed it to one ‘-‘ sign.

  • nixCraft February 23, 2008, 6:50 am


    The post has been updated to fix formatting. Thanks for the heads up.

  • John V. Kjellman May 2, 2008, 12:21 am

    This technique was working well for me under RedHat 9.0, but under CENTOS 5 the kernel spits out a bunch of warning messages for different situations, including a BIOS map on bootup, that result in a not-so-clean iptables log, and missing entries in /var/log/messages. It looks to me that the real solution is a change to iptables, however that might get accomplished.

  • Mehdi Akiki June 23, 2008, 12:29 am

    I tried to use this method but it didnt work for me.
    Here is what I did:
    Edit the /etc/syslog.conf file by adding the following:
    kern.warn /var/log/fwlog
    In the iptables configuration file or using the shell add this command to log all the packets that are dropped (implicitely the log level is 4 by default):
    iptables -A INPUT -j LOG
    Then run this command in the shell to read the modified file again!
    killall -HUP syslogd

  • Joel June 24, 2008, 10:05 pm

    Here’s how I did it:

    In your firewall script, add “–log-level debug” to any logging commands.

    In /etc/syslog.conf :
    kern.=debug /var/log/iptables

    This seams to work and doesn’t add anything to /var/log/iptables other than the iptables logs, I think mostly because very few other applications use the “debug” log level.

    • Aly June 16, 2010, 3:45 pm

      I know this is an old post, but thanks this worked perfectly.

  • kaxa August 26, 2008, 9:52 am

    10x Vivek Gite

  • jon February 23, 2009, 10:11 pm

    in general, this worked fine for me, even though i used the log-levels names instead of numbers.
    after i had everything set-up, the settings didnt seem to have any effect until i noticed i had
    to explicitly restart the kernel log daemon (/etc/init.d/klogd restart). i dont know if this is true for any other distributions than debian, which i’m running.
    a nice documentation of the predefined iptables targets, such as LOG, can be found here:
    under 6.5.4. LOG target, the topic discussed here is also explained another time for the –log-level option

  • pedro March 22, 2009, 4:23 am


    don’t need to mock Paul like that… I feel for him and his frustration in getting “there” as well as I do for myself many times.
    Routines are there for something, we all hope that it is to make your life easier… but if in order to put the routines at your service you have to put yourself in the shoes of the programmer all the time (for the same ammount of time) then there is no point… and it really gets to you… Its indeed a proper critic in the linux scene.
    Now, we don’t need to immediately go to the other side of fence, even the best intended, most researchful guy out there gets some scratches jumping the fence.
    Neither autoshit from MS nor ultimate control from some pseudo-eleet.
    Linux diversity lacks in sinthesys!

    Respect kid.

  • Tawfiq May 18, 2009, 5:55 am

    Don’t know if you guys had it, but i added that line is syslog.conf . then restarted it.
    added those lines in iptables then restarted it.
    the iptables log starts dumping on the active console.
    I had to log in rescue mode and undo the stuffs.
    may be cause i didn’t have the file /var/log/iptables ?
    later today, i will try touch the file and redo the whole thing.

    any alternate suggestions?

  • Tawfiq May 18, 2009, 5:59 am

    sorry, it itself created the file (iptables.log)
    but it also kept dumping on the active konsole.
    any idea?

  • Marshall June 11, 2009, 8:25 pm

    Tawfiq: You can disable the console logging by commenting out this line in your syslog.conf

    #kern.* /dev/console

  • kris July 16, 2009, 10:44 am

    Or you can use ulog.
    Install ulogd (in ubuntu: sudo apt-get install ulogd)

    If you use fwbuilder to configure your firewall then it’s simple.
    In fwbuilder, double click on your firewall –> Firewall Settings –> Logging –> use ULOG

    then compile and reinstall the policy and that’s it.
    The logs from iptables will be in /var/log/ulog/syslogemu.log

  • dejf July 20, 2009, 8:20 pm

    This is just absurd. Loglevel is not meant to differe services, you should use filters or facility instead, syslog-ng makes things a bit easier.

  • ds August 2, 2009, 11:44 am

    Thanks for this clear guide

  • Ammad September 4, 2009, 9:50 am

    its cool, but for addition how do i get hostnames/FQDN of local nodes instead of IP address. i have dns on firewall system for all dynamic dhcp nodes. since logs are useful to get history of nodes, and all nodes are getting ip from dhcp. and this registers ip address to dns server.


  • Prem September 19, 2009, 10:10 am

    i have configured 2 log files
    1.) iptable.log 2.)iptable1.log

    i want to write monitor or write log for an ip say in iptable.log and another ip say in iptable1.log is that possible and how to do this?. Thanks in advance…

  • Ammad September 19, 2009, 2:50 pm

    can i have a iptables logs on web page. i have installed “Iptables log analyzer 0.4 beta” but i think its for suse only and it doesn’t put logs to mysql db as it should do according to documentation.

  • Prem September 22, 2009, 6:39 am

    Hi ,
    I want to know is it possible to log 5 packets for every 2 minutes if it is possible may i know the command.
    Thanks in advance…

  • Al B.. December 15, 2009, 7:58 pm

    for ubuntu 9.10 users edit /etc/rsyslog.d/50-default.conf and dont forget to remove *.=warn part otherwise it will still write to var/log/messages. If anyone has a better method please suggest..

  • Paul G December 23, 2009, 8:47 pm

    In order to filter firewall logs from /var/log/messages use the below (in previous examples, “=” (equal sign) was used, but it is not working on RHEL for example.

    kern.warning /var/log/iptables.log
    *.info;kern.!warning;mail.none;authpriv.none;cron.none /var/log/messages

  • Roberto_Dominicano January 28, 2010, 4:31 pm

    Sound interesting.
    But I have a question? And if I would like to filtering mac address limiting the upload and download for any particular mac address?
    How I can do that?


  • jamie May 2, 2010, 9:08 am

    looks like in ubuntu 10.04, the file is now at /etc/rsyslog.d/50-default.conf

    at least i think it is.

  • LGB February 14, 2011, 6:49 am

    I would be careful with sentences like “iptables to log messages …”. First of all iptables can’t an doesn’t log anything, it’s just a command line tool to manage rules inside the kernel called “netfilter”. Netfilter and kernel itself does not log anything either, since log daemon log things. And the most important thing: as far as I see, it’s always a bit unfortunate to use the LOG target. Yeah, you can separate messages with log level, prefix etc, to have “different” one than other messages from the kernel which are logged by some log daemon then, but personally I think ULOG target is much more useful, and you don’t need to “hack” your log daemon either. You only need to run ulogd daemon which will log messages then into file or even MySQL table, and so on.

  • Akash November 19, 2011, 11:49 am

    It help me to clear.. LOG basics concept

  • awoms January 5, 2012, 3:18 pm

    Everything is working great, thank you.

    How do I set up the new /var/log/iptables.log file to archive/create new files when it grows to a certain size?…

  • spongebob March 11, 2012, 6:52 am

    on ubuntu/xubuntu add this to your rsyslogd.d/50-default.conf

    :msg,contains,”NETFILTER” /var/log/iptables.log

    when you want to log just add –log-prefix NETFILTER (personaly i split NETFILTER-IN NETFILTER-OUT and NETFILTER-FWD

  • Andrea April 20, 2012, 6:44 am

    Thanks spongebob. I add some info. In debian you can add the following 2 lines in file /etc/rsyslog.conf (beginning of section RULES) or you can add a conf file in directory /etc/rsyslog.d/

    I use the string Shorewall but you can use any string (–log-prefix STRING as spongebob said).

    :msg, contains, "Shorewall"       /var/log/iptables.log
    :msg, contains, "Shorewall"     ~

    The first line sends messages that contain “Shorewall” to the file iptables.log. The second line discards messages that contain “Shorewall” so that they are not logged in the /var/log/messages.

    More info:

  • Resen December 14, 2012, 9:11 pm

    For Centos 6 onwards please note that the syslog.conf file is now the rsyslog.conf file found in the same direcotry

Leave a Comment

   Tagged with: , , , , , , , , , , , , , , , , , , , ,