Force iptables to log messages to a different log file

Posted on in Categories Iptables, Linux, Monitoring, Security last updated October 3, 2006

According to man page:
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user defined chains.

By default, Iptables log message to a /var/log/messages file. However you can change this location. I will show you how to create a new logfile called /var/log/iptables.log. Changing or using a new file allows you to create better statistics and/or allows you to analyze the attacks.

Iptables default log file

For example, if you type the following command, it will display current iptables log from /var/log/messages file:
# tail -f /var/log/messages
Output:

Oct  4 00:44:28 debian gconfd (vivek-4435): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Oct  4 01:14:19 debian kernel: IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=200.142.84.36 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18374 DF PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 00:13:55 debian kernel: IN=ra0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:18:de:55:0a:56:08:00 SRC=192.168.1.30 DST=192.168.1.255LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=13461 PROTO=UDP SPT=137 DPT=137 LEN=58

Procedure to log the iptables messages to a different log file

Open your /etc/syslog.conf file:
# vi /etc/syslog.conf
Append following line
kern.warning /var/log/iptables.log
Save and close the file.

Restart the syslogd (Debian / Ubuntu Linux):# /etc/init.d/sysklogd restartOn the other hand, use following command to restart syslogd under Red Hat/Cent OS/Fedora Core Linux:# /etc/init.d/syslog restart

Now make sure you pass the log-level 4 option with log-prefix to iptables. For example:
# DROP everything and Log it
iptables -A INPUT -j LOG --log-level 4
iptables -A INPUT -j DROP

For example, drop and log all connections from IP address 64.55.11.2 to your /var/log/iptables.log file:
iptables -A INPUT -s 64.55.11.2 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix '** HACKERS **'--log-level 4
iptables -A INPUT -s 64.55.11.2 -j DROP

Where,

  • –log-level 4: Level of logging. The level # 4 is for warning.
  • –log-prefix ‘*** TEXT ***’: Prefix log messages with the specified prefix (TEXT); up to 29 letters long, and useful for distinguishing messages in the logs.

You can now see all iptables message logged to /var/log/iptables.log file:
# tail -f /var/log/iptables.log

Updated for accuracy.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

41 comment

  1. I have absolutely no idea what you are talking about when you get to this part:

    “Now make sure you pass the log-level 4 option with log-prefix to iptables.”

    What is a “log-level 4 option”? What is a “log-prefix”? Why do I want to do this?

    This is a huge problem in the Linux community, and the main reason most people steer clear of Linux: the people with all the know-how talk over the heads of everyone else, and won’t explain what the reason for doing something is, it’s “just do it, because I said to”.

    1. Try google searching for iptables logging. The main reason *nix people do not explain every detail is that the assumption is that a good sysadmin will man/google search. Though in this case the writer offered the answer to your question with the code block above the –log-level text As to why. Iptables does not log by default you therefore must tell it to log. You want to log if you care to see what was blocked. Very useful when users complain that they can’t get to some of your servers resources.

      1. this is really frustrating after manually enter every iptables rules, what should i do know? re enter all the rules just for enable logging? and os official manual are as less help as it can be, all are non official what so ever people talking about unreliable stuff

  2. Question: If I was to add

    kern.warning /var/log/iptables.log

    to ‘/etc/syslog.conf’ as stated above, does it then append anything at the “warning” level in the file ‘/var/log/iptables.log’, regardless of whether or not it has to do with IPTables?

    Thanks.

  3. Now make sure you pass the log-level 4 option with log-prefix to iptables. For example:
    # DROP everything and Log it
    iptables -A INPUT -j LOG –log-level 4

    No, it is just that some of us can actually read. The rest should steer clear of Linux.

  4. Shaun —

    There is usually a syslog.conf rule that sends *.info to /var/log/messages

    On my system (Fedora), it reads
    *.info;mail.none;authpriv.none;cron.none /var/log/messages

    I changed it to
    *.info;kern.!=warning;mail.none;authpriv.none;cron.none /var/log/messages

    and it stopped logging iptables stuff to the messages log.

    Note, however, that it will now put ANY “warning” level kernel messages into the iptables.log

  5. This technique was working well for me under RedHat 9.0, but under CENTOS 5 the kernel spits out a bunch of warning messages for different situations, including a BIOS map on bootup, that result in a not-so-clean iptables log, and missing entries in /var/log/messages. It looks to me that the real solution is a change to iptables, however that might get accomplished.

  6. I tried to use this method but it didnt work for me.
    Here is what I did:
    Edit the /etc/syslog.conf file by adding the following:
    kern.warn /var/log/fwlog
    In the iptables configuration file or using the shell add this command to log all the packets that are dropped (implicitely the log level is 4 by default):
    iptables -A INPUT -j LOG
    Then run this command in the shell to read the modified file again!
    killall -HUP syslogd

  7. Here’s how I did it:

    In your firewall script, add “–log-level debug” to any logging commands.

    In /etc/syslog.conf :
    kern.=debug /var/log/iptables

    This seams to work and doesn’t add anything to /var/log/iptables other than the iptables logs, I think mostly because very few other applications use the “debug” log level.

  8. in general, this worked fine for me, even though i used the log-levels names instead of numbers.
    after i had everything set-up, the settings didnt seem to have any effect until i noticed i had
    to explicitly restart the kernel log daemon (/etc/init.d/klogd restart). i dont know if this is true for any other distributions than debian, which i’m running.
    a nice documentation of the predefined iptables targets, such as LOG, can be found here:
    http://www.faqs.org/docs/iptables/targets.html
    under 6.5.4. LOG target, the topic discussed here is also explained another time for the –log-level option

  9. Mario:

    don’t need to mock Paul like that… I feel for him and his frustration in getting “there” as well as I do for myself many times.
    Routines are there for something, we all hope that it is to make your life easier… but if in order to put the routines at your service you have to put yourself in the shoes of the programmer all the time (for the same ammount of time) then there is no point… and it really gets to you… Its indeed a proper critic in the linux scene.
    Now, we don’t need to immediately go to the other side of fence, even the best intended, most researchful guy out there gets some scratches jumping the fence.
    Neither autoshit from MS nor ultimate control from some pseudo-eleet.
    Linux diversity lacks in sinthesys!

    Respect kid.

  10. Don’t know if you guys had it, but i added that line is syslog.conf . then restarted it.
    added those lines in iptables then restarted it.
    the iptables log starts dumping on the active console.
    I had to log in rescue mode and undo the stuffs.
    may be cause i didn’t have the file /var/log/iptables ?
    later today, i will try touch the file and redo the whole thing.

    any alternate suggestions?

  11. Or you can use ulog.
    Install ulogd (in ubuntu: sudo apt-get install ulogd)

    If you use fwbuilder to configure your firewall then it’s simple.
    In fwbuilder, double click on your firewall –> Firewall Settings –> Logging –> use ULOG

    then compile and reinstall the policy and that’s it.
    The logs from iptables will be in /var/log/ulog/syslogemu.log

  12. HI,
    its cool, but for addition how do i get hostnames/FQDN of local nodes instead of IP address. i have dns on firewall system for all dynamic dhcp nodes. since logs are useful to get history of nodes, and all nodes are getting ip from dhcp. and this registers ip address to dns server.

    thanks.

  13. Hi
    i have configured 2 log files
    1.) iptable.log 2.)iptable1.log

    i want to write monitor or write log for an ip say 64.55.11.2 in iptable.log and another ip say 202.20.10.80 in iptable1.log is that possible and how to do this?. Thanks in advance…

  14. can i have a iptables logs on web page. i have installed “Iptables log analyzer 0.4 beta” but i think its for suse only and it doesn’t put logs to mysql db as it should do according to documentation.

  15. for ubuntu 9.10 users edit /etc/rsyslog.d/50-default.conf and dont forget to remove *.=warn part otherwise it will still write to var/log/messages. If anyone has a better method please suggest..

  16. In order to filter firewall logs from /var/log/messages use the below (in previous examples, “=” (equal sign) was used, but it is not working on RHEL for example.

    kern.warning /var/log/iptables.log
    *.info;kern.!warning;mail.none;authpriv.none;cron.none /var/log/messages

  17. Sound interesting.
    But I have a question? And if I would like to filtering mac address limiting the upload and download for any particular mac address?
    How I can do that?

    Thanks

  18. I would be careful with sentences like “iptables to log messages …”. First of all iptables can’t an doesn’t log anything, it’s just a command line tool to manage rules inside the kernel called “netfilter”. Netfilter and kernel itself does not log anything either, since log daemon log things. And the most important thing: as far as I see, it’s always a bit unfortunate to use the LOG target. Yeah, you can separate messages with log level, prefix etc, to have “different” one than other messages from the kernel which are logged by some log daemon then, but personally I think ULOG target is much more useful, and you don’t need to “hack” your log daemon either. You only need to run ulogd daemon which will log messages then into file or even MySQL table, and so on.

  19. on ubuntu/xubuntu add this to your rsyslogd.d/50-default.conf

    :msg,contains,”NETFILTER” /var/log/iptables.log

    when you want to log just add –log-prefix NETFILTER (personaly i split NETFILTER-IN NETFILTER-OUT and NETFILTER-FWD

  20. Hi!
    Thanks spongebob. I add some info. In debian you can add the following 2 lines in file /etc/rsyslog.conf (beginning of section RULES) or you can add a conf file in directory /etc/rsyslog.d/

    I use the string Shorewall but you can use any string (–log-prefix STRING as spongebob said).

    :msg, contains, "Shorewall"       /var/log/iptables.log
    :msg, contains, "Shorewall"     ~
    

    The first line sends messages that contain “Shorewall” to the file iptables.log. The second line discards messages that contain “Shorewall” so that they are not logged in the /var/log/messages.

    More info:
    http://www.rsyslog.com/doc/rsyslog_conf_filter.html

Leave a Comment