May 19

By default, iptables logs its messages to /var/log/messages. However, you can change this location. I will show you how to send them to a new log file called /var/log/iptables.log. Keeping the firewall messages in their own file makes it easier to build statistics and to analyze attacks.

Procedure to log the iptables messages to a different log file

Open your /etc/syslog.conf file:
# vi /etc/syslog.conf
Append the following line:
kern.warning /var/log/iptables.log

Save and close the file.

Restart the syslogd (Debian / Ubuntu Linux):

# /etc/init.d/sysklogd restart

On Red Hat / CentOS / Fedora Core Linux, use the following command instead to restart syslogd:

# /etc/init.d/syslog restart
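The three steps above are the whole procedure, so here is a small shell helper, added as an example and not part of the original post, that appends the selector line only when it is missing and lets you verify the result before restarting syslogd. It assumes the classic sysklogd configuration syntax shown above; the default paths are the ones from the post, and the function takes the configuration file as an optional argument so you can try it on a copy first. (On systems running rsyslog the same line goes into /etc/rsyslog.conf; that is an assumption about your system, not something the post covers.)

```shell
#!/bin/sh
# Added example (not from the original post): append the iptables log
# selector to a syslog configuration file only if it is not already there.
# Assumptions: classic sysklogd syntax "selector<TAB>action" as in the post.
# A tab between the two fields is accepted by every syslogd, whereas some
# older ones reject spaces, so printf writes a literal tab.
# Defaults target /etc/syslog.conf; pass another path to test on a copy.

add_iptables_log_selector() {
    conf="${1:-/etc/syslog.conf}"
    logfile="${2:-/var/log/iptables.log}"
    # Idempotent: look for an existing selector line for this file first
    # (tab or spaces between the fields are both recognised).
    if grep -q "^kern\.warning[[:space:]]\{1,\}${logfile}\$" "$conf" 2>/dev/null; then
        echo "already present: $conf"
        return 0
    fi
    printf 'kern.warning\t%s\n' "$logfile" >> "$conf"
    echo "appended to: $conf"
}

# Count how many times the selector appears in the file. After running
# add_iptables_log_selector twice this must still be exactly 1.
count_iptables_log_selector() {
    conf="${1:-/etc/syslog.conf}"
    logfile="${2:-/var/log/iptables.log}"
    grep -c "^kern\.warning[[:space:]]\{1,\}${logfile}\$" "$conf" 2>/dev/null || true
}

# Usage on a copy of the real file:
#   cp /etc/syslog.conf /tmp/syslog.conf.test
#   add_iptables_log_selector /tmp/syslog.conf.test
#   count_iptables_log_selector /tmp/syslog.conf.test
```

Run `add_iptables_log_selector` as root without arguments for the real file, then restart syslogd as described above. One caveat worth knowing: kern.warning matches every kernel message at warning priority or above, not only the ones produced by iptables, and those messages keep going to /var/log/messages as well unless you exclude them from that entry.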

Now make sure you pass the --log-level 4 option, together with --log-prefix, to iptables. For example:
# DROP everything and log it
iptables -A INPUT -j LOG --log-level 4
iptables -A INPUT -j DROP

For example, drop all connections from IP address 1.1.1.1 and log them to /var/log/iptables.log:
iptables -A INPUT -s 1.1.1.1 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix '** HACKERS **' --log-level 4
iptables -A INPUT -s 1.1.1.1 -j DROP

Where,

  • --log-level 4: the syslog level of the messages. Level 4 is warning, which matches the kern.warning selector added above.
  • --log-prefix '*** TEXT ***': prefix log messages with the specified text (up to 29 letters long); useful for telling the messages of different rules apart in the log.

You can now watch all iptables messages arriving in /var/log/iptables.log:
# tail -f /var/log/iptables.log
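Once the messages are in their own file, the statistics the introduction mentions are a short awk script away. The following is an added example, not code from the original post: it reads log lines in the format the kernel LOG target writes (KEY=VALUE fields such as SRC=, PROTO= and DPT=), keeps only the lines carrying the '** HACKERS **' prefix from the rule above, and counts them per source address and destination port. The sample lines are constructed for this example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): summarise iptables LOG lines
# from /var/log/iptables.log by source address, destination port and
# protocol. Assumes the standard KEY=VALUE format of the kernel LOG target
# and the '** HACKERS **' prefix used in the post's rule.

# Sample log lines, constructed for this example (not from a real system).
# Note that the prefix is printed verbatim, with no space before "IN=".
sample_iptables_log() {
cat <<'EOF'
May 19 10:01:02 gw kernel: ** HACKERS **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=1.1.1.1 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 19 10:01:03 gw kernel: ** HACKERS **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=1.1.1.1 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 19 10:01:09 gw kernel: ** HACKERS **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=1.1.1.1 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43212 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
May 19 10:02:30 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
May 19 10:03:00 gw kernel: usb 1-1: new high-speed USB device number 2 using ehci_hcd
EOF
}

# Read log lines on stdin and print "count src dport proto", most frequent
# first, for every line carrying the prefix. Lines without the prefix
# (unprefixed LOG rules, or other kernel warnings that kern.warning routes
# to the same file) are ignored.
summarise_prefixed() {
    prefix="${1:-** HACKERS **}"
    awk -v pfx="$prefix" '
        index($0, pfx) == 0 { next }          # keep only our prefixed lines
        {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src != "") count[src " " dpt " " proto]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Total number of prefixed lines on stdin for one source address.
hits_for_source() {
    src="$1"; prefix="${2:-** HACKERS **}"
    summarise_prefixed "$prefix" | awk -v s="$src" '$2 == s { n += $1 } END { print n + 0 }'
}

# Usage on the real file:
#   summarise_prefixed < /var/log/iptables.log
#   hits_for_source 1.1.1.1 < /var/log/iptables.log
```

Two things to keep in mind when reading the numbers. The LOG target prints the prefix verbatim and immediately followed by the IN= field, so a prefix without a trailing space produces lines like "** HACKERS **IN=eth0"; ending the prefix with a space keeps the fields separate. And because the rule above uses -m limit, only a sample of the dropped packets is logged once the burst is exhausted, so the counts are a lower bound on what was actually dropped.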

written by MG
5 Responses to “Force iptables to log messages to a different log file”

  1. Ali Says:

    You’re a life saver 🙂

  2. Pol Says:

    cool! thanks! 🙂

    Pol

  3. sam Says:

    Thx for the informative information.

  4. Marius Says:

    How about logrotating it?
    It will grow bigger and bigger and eventually your box will work slowly.
    Depending on logging options, every day the log will grow by at least 200kB, going to a few megs. In a month you’ll have a monster. Can you afford it?

  5. Santhosh Krishna Says:

    Can you please tell me how to force MySQL to log to /var/log/messages instead of mysqld.log?

    I edited the /etc/my.cnf file in the following way,

    log-error=/var/log/messages

    but still no use.
