Iptables – Redirecting log from /var/log/kern.log to a separate log file for iptables log

iptablesrsyslogubuntu-14.04

I am trying to redirect iptables log to another file. Based upon my reading on the net, I did the following:

In my iptables rule, I have rules like:

iptables -A INPUT -s … -j LOG –log-prefix "iptables@@"
Then in the folder /etc/rsyslog.d, I created a file with the entries:

:msg,contains,"iptables@@" /var/log/iptables.log
& ~
I also tried to have a blank line between the above two lines. I do get the iptables log entries now going to iptables.log file. But they ALSO go to /var/log/kern.log file. I want to suppress the later. How do I do this. I am running Ubuntu 14.04 LTS.

Best Answer

When your /etc/rsyslog.conf loads yours *.conf in /etc/rsyslog.d, it reads your files alphabetically. So, you need to make sure that your rules are in a file that comes before 50-default.conf, like:

01-myiptablesrules.conf

This way, your rules will be read first, and discard it. You should also use this syntax:

:msg, contains, "iptables@@" {
  *.* /var/log/iptables.log
  stop
}

*You should use stop instead of ~

Or if you don't have others kern.* than your iptables messages, you should modify 50-default.conf with:

kern.*            /var/log/iptables.log

Related Solutions

Linux iptables – Troubleshooting Logging Issues

Instead of "[IPTABLES]", try using "IPTABLES" only. It may work.

Ubuntu – How to log iptables in Ubuntu just in /var/log/firewall with rsyslogd

Use a discard action after the iptables log, but before the other logs.

kern.warning   /var/log/firewall.log
kern.warning   ~
*.*            /var/log/messages

Best Answer

Related Solutions

Linux iptables – Troubleshooting Logging Issues

Ubuntu – How to log iptables in Ubuntu just in /var/log/firewall with rsyslogd

Related Topic