Debian
mirus, 2014-11-03 09:52:07

How to make Iptables log to a separate file?

I made these settings:

/etc/rsyslog.d/iptables.conf with the following contents:

echo ':msg, contains, "Iptables: " -/var/log/iptables.log' > /etc/rsyslog.d/iptables.conf
echo '& ~' >> /etc/rsyslog.d/iptables.conf
service rsyslog restart

iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG --log-prefix "Iptables: Ping detected: "
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

and iptables still writes its logs to dmesg. What's wrong?


3 answer(s)
Ingvar, 2017-04-07
@take

another option:
notessysadmin.com/log-iptables-v-otdelnyj-file

Konstantin Rudenkov, 2014-11-24
@rudenkovk

I have the same problem here. If I get it working, I'll share.
[upd] My working version:

cat /etc/rsyslog.d/20-iptables.conf
:msg, contains, "[BLACKLIST" /var/log/blacklist.log
:msg, contains, "[PING" /var/log/ping.log
:msg, contains, "[INTERNAL_ADDR" /var/log/internal_addr.log
:msg, contains, "[SCAN" /var/log/scan.log

${IPT} -A icmp_rules -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j LOG --log-prefix '[PING] : '

Dmitry, 2017-11-20
@helldweller

The order in which your configs are included matters!
There is 50-default.conf; look at it: it handles everything before your config is reached, but it does not stop processing.
Rename your config to 10-iptables.conf and you will be happy!
And add the stop (or ~) directive to stop processing of those messages.
Example

if ( $syslogtag == "nginx_access:" ) then {
    action(type="omfile" file="/var/log/nginx_access.log")
    stop
}

or
if $programname startswith "nginx_access" then /var/log/nginx_access.log
&~
if $programname startswith "nginx_error" then /var/log/nginx_error.log
&~

Here is a good article
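The ordering point made in this answer, as an added example that is not part of the thread: a small POSIX sh script that renders the rsyslog drop-in for a given --log-prefix, checks that its file name sorts before 50-default.conf in C-locale order (the order in which the stock Debian rsyslog.conf includes /etc/rsyslog.d/*.conf), writes it, and dry-runs the ":msg, contains" filter against constructed sample kernel lines. File names, the /var/log paths and the sample messages are assumptions. Two caveats: "& stop" needs rsyslog 7 or newer (on older releases use "& ~", which is what the question used), and none of this changes what dmesg shows, because the LOG target always writes to the kernel ring buffer; rsyslog only decides which files the line lands in.

```shell
#!/bin/sh
# Added example (not the thread's own code): build the rsyslog drop-in the
# answers describe, make sure its name sorts before 50-default.conf so rsyslog
# evaluates it first, and dry-run the "contains" filter on constructed lines.
# Assumptions: /etc/rsyslog.d/*.conf is included in glob (C-locale) order, as in
# the stock Debian rsyslog.conf; file names and /var/log paths are placeholders.

# Constructed sample kernel messages, as imklog would hand them to rsyslog.
SAMPLE_MSGS='Iptables: Ping detected: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=10.0.0.5 DST=10.0.0.1 PROTO=ICMP TYPE=8
eth0: link becomes ready
[PING] : IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=ICMP TYPE=8'

# Print the drop-in for --log-prefix $1, routing matches to file $2 and then
# stopping, so the line does not also reach kern.log/syslog via 50-default.conf.
# "& stop" is the current spelling (rsyslog >= 7); "& ~" is the deprecated one.
render_rsyslog_rule() {
    printf '%s\n' \
        "# iptables LOG lines tagged \"$1\" go to $2 only" \
        ":msg, contains, \"$1\" $2" \
        "& stop"
}

# Succeed if file name $1 sorts before 50-default.conf in C-locale order,
# which is the order rsyslog evaluates the drop-ins in.
sorts_before_default() {
    [ "$1" != "50-default.conf" ] || return 1
    first=$(printf '%s\n' "$1" "50-default.conf" | LC_ALL=C sort | head -n 1)
    [ "$first" = "$1" ]
}

# Write the drop-in for prefix $1 and destination $2 into directory $3
# (default /etc/rsyslog.d) under name $4 (default 10-iptables.conf).
# Refuses a name that would sort after 50-default.conf; prints the path written.
install_rule() {
    dir=${3:-/etc/rsyslog.d}
    name=${4:-10-iptables.conf}
    sorts_before_default "$name" || return 1
    render_rsyslog_rule "$1" "$2" > "$dir/$name"
    printf '%s\n' "$dir/$name"
}

# Dry run of the ":msg, contains" filter: number of sample lines that would be
# routed for prefix $1 (fixed-string match, as rsyslog's contains does).
count_matches() {
    printf '%s\n' "$SAMPLE_MSGS" | grep -Fc -- "$1" || true
}

# Usage on the real system (as root):
#   install_rule "Iptables: " /var/log/iptables.log
#   rsyslogd -N1 && service rsyslog restart
#   iptables -A icmp_packets -p icmp --icmp-type 8 -j LOG --log-prefix "Iptables: Ping detected: "
#   iptables -A icmp_packets -p icmp --icmp-type 8 -j ACCEPT
#   then ping the host from elsewhere and tail /var/log/iptables.log
```

rsyslogd -N1 only parses the configuration and reports errors; it is the check to run before restarting the daemon, since a typo in a drop-in otherwise leaves you with a daemon that started but silently ignored the rule.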
