Force iptables to log messages to a different log file
According to the man page:
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user defined chains.
By default, iptables logs messages to /var/log/messages. However, you can change this location. I will show you how to create a new log file called /var/log/iptables.log. Writing to a dedicated file makes it easier to generate statistics and to analyze attacks.
Iptables default log file
For example, the following command displays the current iptables log entries from /var/log/messages:
# tail -f /var/log/messages
Output:
Oct 4 00:44:28 debian gconfd (vivek-4435): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Oct 4 01:14:19 debian kernel: IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=200.142.84.36 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18374 DF PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 4 00:13:55 debian kernel: IN=ra0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:de:55:0a:56:08:00 SRC=192.168.1.30 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=13461 PROTO=UDP SPT=137 DPT=137 LEN=58
Procedure to log the iptables messages to a different log file
Open your /etc/syslog.conf file:
# vi /etc/syslog.conf
Append the following line:
kern.warning /var/log/iptables.log
Save and close the file.
Restart syslogd (Debian / Ubuntu Linux):
# /etc/init.d/sysklogd restart
On the other hand, use the following command to restart syslogd under Red Hat / CentOS / Fedora Core Linux:
# /etc/init.d/syslog restart
Now make sure you pass the --log-level 4 option, together with --log-prefix, to iptables. For example:
# DROP everything and Log it
iptables -A INPUT -j LOG --log-level 4
iptables -A INPUT -j DROP
For example, drop all connections from IP address 64.55.11.2 and log them to your /var/log/iptables.log file:
iptables -A INPUT -s 64.55.11.2 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix '** HACKERS **' --log-level 4
iptables -A INPUT -s 64.55.11.2 -j DROP
Where,
- --log-level 4: Level of logging. Level 4 is warning.
- --log-prefix '*** TEXT ***': Prefix log messages with the specified prefix (TEXT); up to 29 letters long, and useful for distinguishing messages in the logs.
You can now see all iptables messages logged to the /var/log/iptables.log file:
# tail -f /var/log/iptables.log
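Once the entries land in their own file, the point of the exercise is the statistics and attack analysis mentioned at the top. The following parser is an added example, not part of the original article: it reads syslog lines in the LOG target's format shown above, separates iptables records from other kernel warnings that the kern.warning rule will also route to the same file, pulls out the --log-prefix and the key=value fields, and counts packets per source and destination port. The sample lines and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the shape the kernel LOG target hands to syslog.
# The prefix is printed directly before "IN=" unless it ends with a space, so
# '** HACKERS **' shows up as "** HACKERS **IN=...". The last line is an
# unrelated kernel warning that kern.warning would route to the same file.
SAMPLE_LOG = """\
Oct 4 01:14:19 debian kernel: ** HACKERS **IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=64.55.11.2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18374 DF PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 4 01:14:21 debian kernel: ** HACKERS **IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=64.55.11.2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18375 DF PROTO=TCP SPT=46041 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 4 00:13:55 debian kernel: IN=ra0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:de:55:0a:56:08:00 SRC=192.168.1.30 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=13461 PROTO=UDP SPT=137 DPT=137 LEN=58
Oct 4 00:44:28 debian kernel: ACPI: constructed example of a non-iptables kernel warning
"""

# Syslog header, then everything between "kernel: " and "IN=" is the prefix.
RECORD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)(?P<fields>IN=.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict for an iptables LOG line, or None for any other message."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix").strip()}
    fields = m.group("fields")
    # Bare tokens such as DF, SYN or ACK carry no '=' and are packet flags.
    rec["flags"] = {tok for tok in fields.split() if "=" not in tok}
    for key, val in KV_RE.findall(fields):
        rec.setdefault(key, val)  # UDP lines repeat LEN; keep the IP-level one
    return rec


def summarize(text):
    """Count logged packets per (prefix, SRC, PROTO, DPT) to spot repeated probes."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # non-iptables kernel warning sharing the log file
        counts[(rec["prefix"], rec["SRC"], rec["PROTO"], rec.get("DPT", "-"))] += 1
    return counts


if __name__ == "__main__":
    for (prefix, src, proto, dpt), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {prefix or '(no prefix)':<16} {src} {proto}/{dpt}")
```

Run it against the real file with `summarize(open("/var/log/iptables.log").read())`; the prefix column is what lets you tell rules apart when several LOG rules share one file.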
I have absolutely no idea what you are talking about when you get to this part:
“Now make sure you pass the log-level 4 option with log-prefix to iptables.”
What is a “log-level 4 option”? What is a “log-prefix”? Why do I want to do this?
This is a huge problem in the Linux community, and the main reason most people steer clear of Linux: the people with all the know-how talk over the heads of everyone else, and won’t explain what the reason for doing something is, it’s “just do it, because I said to”.
Question: If I was to add
kern.warning /var/log/iptables.log
to ‘/etc/syslog.conf’ as stated above, does it then append anything at the “warning” level in the file ‘/var/log/iptables.log’, regardless of whether or not it has to do with IPTables?
Thanks.
Paul,
I don’t think this article was written as a ‘step-by-step-iptables-how-to’… So the author might assume some familiarity with iptables.
I invite you to read
http://www.linuxguruz.com/iptables/howto/iptables-HOWTO-6.html#ss6.3
Especially the section
“Extensions to iptables: New Targets”
There is the answer to your questions
Now make sure you pass the log-level 4 option with log-prefix to iptables. For example:
# DROP everything and Log it
iptables -A INPUT -j LOG --log-level 4
No, it is just that some of us can actually read. The rest should steer clear of Linux.
Just to let you all know. Even though you are setting this to log to /var/log/iptables.log, it still logs into /var/log/messages.
I am working on a fix for this.
Shaun –
There is usually a syslog.conf rule that sends *.info to /var/log/messages
On my system (Fedora), it reads
*.info;mail.none;authpriv.none;cron.none /var/log/messages
I changed it to
*.info;kern.!=warning;mail.none;authpriv.none;cron.none /var/log/messages
and it stopped logging iptables stuff to the messages log.
Note, however, that it will now put ANY “warning” level kernel messages into the iptables.log
Thanks for the info. I used it and it works just as I’d hoped. No more excess info in /var/log/messages!! Thank you.
Excellent article!!!
And a few contrib:
iptables -t nat -I PREROUTING -s Paul -j DNAT http://www.microsoft.com
Maybe on this website the people are clearer!!!!!!!!
# DROP everything and Log it
iptables -A INPUT -j LOG --log-level 4
iptables -A INPUT -j DROP
the ‘-’ sign in front of log-level 4 should be ‘--’ instead
Sorry, I think there is problem with the web page.
The above post was to tell about double ‘-’ sign.
But the web page changed it to one ‘-’ sign.
sombatsombat,
The post has been updated to fix formatting. Thanks for the heads up.
This technique was working well for me under RedHat 9.0, but under CENTOS 5 the kernel spits out a bunch of warning messages for different situations, including a BIOS map on bootup, that result in a not-so-clean iptables log, and missing entries in /var/log/messages. It looks to me that the real solution is a change to iptables, however that might get accomplished.
I tried to use this method but it didn’t work for me.
Here is what I did:
Edit the /etc/syslog.conf file by adding the following:
kern.warn /var/log/fwlog
In the iptables configuration file or using the shell add this command to log all the packets that are dropped (implicitly the log level is 4 by default):
iptables -A INPUT -j LOG
Then run this command in the shell to read the modified file again!
killall -HUP syslogd
Here’s how I did it:
In your firewall script, add “--log-level debug” to any logging commands.
In /etc/syslog.conf :
kern.=debug /var/log/iptables
This seems to work and doesn’t add anything to /var/log/iptables other than the iptables logs, I think mostly because very few other applications use the “debug” log level.