Mailing List Archive

How to make iptables log to a separate log file?
Hello everyone,

I installed iptables yesterday and am currently using a basic script from the
web to enable the firewall. The script logs the dropped packets using the following
entries:

/sbin/iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
/sbin/iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix
"FIREWALL:INVALID "

iptables seems to be working fine, but the problem is that it is logging
everything in /var/log/messages and I want it to log to some other file, maybe
/var/log/iptables. I have googled and found that syslog-ng can do it and
some entries in /etc/syslog-ng/syslog-ng.conf should work, but I am not sure
how to do it. "man syslog-ng.conf" is not making much sense to me either
(newbie).

Can someone please give me any links where I can read about how to easily
configure syslog-ng.conf and achieve what I desire? If you could give exact
entries, I would be more than grateful.

TIA
Regards,
Abhay Kedia
Re: How to make iptables log to a separate log file?
on 2005-11-27 16:09 Abhay Kedia wrote the following:
> Can someone please give me any links where I can read about how to easily
> configure syslog-ng.conf and achieve what I desire? If you could give exact
> entries, I would be more than grateful.

I do iptables with --log-prefix "{fw}"
and in my syslog-ng.conf
<snip>
source s_kern { pipe("/proc/kmsg"); };

destination d_kernel { file("/var/log/kernel.log"); };
destination d_firewall { file("/var/log/firewall.log"); };

# f_kern is referenced below but was cut from the paste; it is assumed to be
# the usual kernel-facility filter
filter f_kern { facility(kern); };
# match() takes a regex, so the braces of the "{fw}" prefix are escaped
filter f_firewall { match('\{fw\}'); };
filter f_notfirewall { not match('\{fw\}'); };

# log kernel messages
log { source(s_kern); filter(f_kern); filter(f_notfirewall);
destination(d_kernel); };
# firewall messages
log { source(s_kern); filter(f_firewall);
destination(d_firewall); };
</snip>

Cheers
Tobias

--
GPG-Key 0xEF37FF28 - 1024/4096 DSA/ELG-E - 16.11.2001
Fingerprint: 3C4B 155F 2621 CEAF D3A6 0CCB 937C 9597 EF37 FF28
Re: How to make iptables log to a separate log file?
Hi!

On Sun, 27 Nov 2005, Tobias Sager wrote:
> on 2005-11-27 16:09 Abhay Kedia wrote the following:
> > Can someone please give me any links where I can read about how to easily
> > configure syslog-ng.conf and achieve what I desire? If you could give exact
> > entries, I would be more than grateful.
>
> I do iptables with --log-prefix "{fw}"
> and in my syslog-ng.conf
> <snip>
> ...
> </snip>

I use a different approach: I changed my iptables rules to use
the ulog (user-space logging) target and I run ulogd.

The main advantage and the reason why I use that is that iptables
logging messages tend to clutter up the kernel message log if not
treated specially. Also, they can be an annoyance on the console
(yes I know about console_loglevel).

Some also use ulog to put their iptables logs into databases
which can then be searched in more complex ways than a simple
grep would allow.

As usual, YMMV.

Regards, Tobias

--
export DISPLAY=vt100
--
gentoo-security@gentoo.org mailing list
Re: How to make iptables log to a separate log file?
Try using ULOG with the ULOGD daemon

> I installed iptables yesterday and am currently using a basic script from the
> web to enable the firewall. The script logs the dropped packets using the following
> entries:
>
> /sbin/iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
> /sbin/iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix
> "FIREWALL:INVALID "
>
> iptables seems to be working fine, but the problem is that it is logging
> everything in /var/log/messages and I want it to log to some other file, maybe
> /var/log/iptables. I have googled and found that syslog-ng can do it and
> some entries in /etc/syslog-ng/syslog-ng.conf should work, but I am not sure
> how to do it. "man syslog-ng.conf" is not making much sense to me either
> (newbie).
>
> Can someone please give me any links where I can read about how to easily
> configure syslog-ng.conf and achieve what I desire? If you could give exact
> entries, I would be more than grateful.
>
> TIA
> Regards,
> Abhay Kedia


--
Venlig hilsen / Best regards
Lasse Birnbaum Jensen
Re: How to make iptables log to a separate log file?
You can use the following entries in your syslog-ng.conf to log firewall messages
to a separate file from the normal kernel output.

source kernsrc { file("/proc/kmsg"); };
destination kern { file("/var/log/kern.log"); };
destination firewall { file("/var/log/firewall.log"); };
# match() is a case-sensitive regex over the message text, so the pattern
# has to match the --log-prefix actually used in the iptables rules
filter f_firewall { match("firewall"); };
filter f_kern { facility(kern) and not filter(f_firewall); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(kernsrc); filter(f_firewall); destination(firewall); };


On Sunday 27 November 2005 15:46, Lasse Birnbaum Jensen wrote:
> Try using ULOG with the ULOGD daemon
>
> > I installed iptables yesterday and am currently using a basic script
> > from the web to enable the firewall. The script logs the dropped packets using
> > the following entries:
> >
> > /sbin/iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
> > /sbin/iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG
> > --log-prefix "FIREWALL:INVALID "
> >
> > iptables seems to be working fine, but the problem is that it is logging
> > everything in /var/log/messages and I want it to log to some other file,
> > maybe /var/log/iptables. I have googled and found that syslog-ng can do
> > it and some entries in /etc/syslog-ng/syslog-ng.conf should work, but I am
> > not sure how to do it. "man syslog-ng.conf" is not making much sense to
> > me either (newbie).
> >
> > Can someone please give me any links where I can read about how to
> > easily configure syslog-ng.conf and achieve what I desire? If you could
> > give exact entries, I would be more than grateful.
> >
> > TIA
> > Regards,
> > Abhay Kedia
>
> --
> Venlig hilsen / Best regards
> Lasse Birnbaum Jensen

--
Fachschaft Mathematik/Physik
Andreas Herrmann
University of Bayreuth
95440 Bayreuth
Germany

email sma@fsmpi.uni-bayreuth.de
www http://hacktor.fs.uni-bayreuth.de/~sma/
private +44-787-0115648
Re: How to make iptables log to a separate log file?
On Sun, Nov 27, 2005 at 06:14:55PM +0000, Andreas Herrmann wrote:
> You can use the following entries in your syslog-ng.conf to log firewall messages
> to a separate file from the normal kernel output.

I've recently done this. I have to say... wouldn't it make sense just to
enable it to log to an arbitrary file?

Personally that would be a pain in the butt as I'm using remote logging,
but wouldn't it make sense?

--
MaxieZ
maxiez@maxiez.com


If God wanted us to be brave, why did he give us legs?
-- Marvin Kitman
Re: How to make iptables log to a separate log file?
On Sunday 27 Nov 2005 9:09 pm, Tobias Klausmann wrote:
>
> The main advantage and the reason why I use that is that iptables
> logging messages tend to clutter up the kernel message log if not
> treated specially.
>
Yes and this is why I want them to be logged separately. Thanks to the helpful
replies by everyone, I have been able to log iptables log to a separate file
but the problem still remains.

/var/log/messages is getting flooded by iptables log. I can't see any helpful
output by using dmesg. The kernel config says that ULOG is deprecated so I
don't know how good it would be to use it. Also the kernel.log/kern.log is
not getting updated with messages like connection of a USB device and all; so
can't leave dmesg altogether.

Since it is a desktop machine, I will not be making a database of my firewall
logs. I just require my dmesg output to be clean while having the ability to
look at firewall logs occasionally. How can I achieve that? Should I
switch to ULOG? I am just a bit sceptical about using a deprecated thing.

Thanks once again to everyone for their replies
Regards,

Abhay
Re: How to make iptables log to a separate log file?
On Sunday 27 November 2005 11:27, Abhay Kedia wrote:
> /var/log/messages is getting flooded by iptables log. I can't see any
> helpful output by using dmesg. The kernel config says that ULOG is
> deprecated so I don't know how good it would be to use it. Also the
> kernel.log/kern.log is not getting updated with messages like
> connection of a USB device and all; so can't leave dmesg altogether.

To get a clearer /var/log/messages, you can use the f_notfirewall filter
proposed earlier in the thread, with something like:
log { source(src); filter(f_notfirewall); destination(messages); };
in syslog-ng.conf.

However, dmesg will still be cluttered: I don't think you have any other
sane solution than ULOG for this.
Or maybe you should investigate why the USB messages are discarded?

Regards,
Christophe
Re: How to make iptables log to a separate log file?
> You can use the following entries in your syslog-ng.conf to log firewall
> messages to a separate file from the normal kernel output.
>
> # source kernsrc { file("/proc/kmsg"); };
> # destination kern { file("/var/log/kern.log"); };
> # destination firewall { file("/var/log/firewall.log"); };
> # filter f_firewall { match("firewall"); };
> # filter f_kern { facility(kern) and not filter(f_firewall);};
> # log { source(kernsrc); filter(f_kern); destination(kern); };
> # log { source(kernsrc); filter(f_firewall); destination(firewall); };
>
>

Just wanted to say thank you for the input. You gave me a great idea,
whereby I used the --log-prefix field in iptables to give each log a unique
flag (in my case it's "IPT", i.e. --log-prefix "IPT New SSH on eth0").

Then I filtered the syslog-ng on "IPT" and forwarded it to /var/log/firewall.log.

JohnF

Re: How to make iptables log to a separate log file?
Abhay Kedia wrote:
...
> Yes and this is why I want them to be logged separately. Thanks to the helpful
> replies by everyone, I have been able to log iptables log to a separate file
> but the problem still remains.
>
> /var/log/messages is getting flooded by iptables log. I can't see any helpful
...

Use

flags(final);

in syslog-ng's log entry for iptables and put this log entry before all
others in syslog-ng.conf.

(The man page for syslog-ng.conf is incomplete. For detailed
documentation read /usr/share/doc/syslog-ng-1.6.8-r1/syslog-ng.txt.gz.)

Regards
Stephan

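Putting the thread's pieces together (Christophe's f_notfirewall idea and Stephan's flags(final) placed first), here is a complete syslog-ng 1.6-style configuration as an added example; it is not a config posted by anyone in the thread, and the single combined source, the file names and the "FIREWALL:" prefix taken from the original post are assumptions.

```conf
# Constructed example for syslog-ng 1.6 (the version discussed in the thread).
options { chain_hostnames(off); sync(0); stats(43200); };

# One source carries both ordinary syslog traffic and kernel messages.
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

destination d_firewall { file("/var/log/firewall.log"); };
destination d_kern     { file("/var/log/kern.log"); };
destination d_messages { file("/var/log/messages"); };

# match() is a case-sensitive regex over the message text, so it has to
# match the --log-prefix actually used in the rules ("FIREWALL:" in the
# original post). Restricting it to facility(kern) keeps a user process
# that happens to print the same string out of the firewall log.
filter f_firewall { facility(kern) and match("FIREWALL:"); };
filter f_kern     { facility(kern); };

# The firewall statement comes first. flags(final) stops processing of a
# matching message here, so it never reaches kern.log or messages below.
log { source(src); filter(f_firewall); destination(d_firewall); flags(final); };

# All remaining kernel messages (USB, disk, ...) still reach kern.log ...
log { source(src); filter(f_kern); destination(d_kern); };

# ... and everything that is left reaches /var/log/messages.
log { source(src); destination(d_messages); };
```

This only changes what syslog-ng writes to files; dmesg reads the kernel ring buffer directly, which is why the thread points to ULOG for that part.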