April 3, 2015

Force IPTABLES to log message to a different file

Iptables is used to implement firewall rules on the Linux operating system. As its man page puts it, iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables, such as filter, nat, mangle, raw and security, may be defined. Each table contains a number of built-in chains, each of which is a list of rules that match a set of packets and specify what to do with them.

The packet filtering that iptables configures runs as a kernel module, so the messages it logs are kernel messages and, by default, all of them end up in /var/log/messages. You can change this so that iptables writes its logs to a different file.

Steps to log all iptables messages to a different file

1. Open the /etc/syslog.conf file
According to the syslog.conf man page, syslog.conf is the main configuration file for syslogd, which logs system messages on a Linux system. The file specifies rules for logging. Every rule consists of two fields, a selector field and an action field, separated by one or more spaces or tabs. The selector field specifies a pattern of facilities and priorities that belong to the specified action. (On systems that run rsyslog instead of sysklogd, the same rule syntax goes in /etc/rsyslog.conf or a file under /etc/rsyslog.d/.)

To open syslog.conf, enter the following command (editing the file requires root privileges):
gedit /etc/syslog.conf

If your system does not have gedit, use any other text editor such as vi or vim instead.


2. Edit the /etc/syslog.conf file
After opening syslog.conf in the text editor, append the following line to it:

kern.*            /var/log/iptables

Now save and close the file. Note that every matching rule in syslog.conf is applied, so kernel messages will still also be written to /var/log/messages unless the rule that sends kern messages there is changed.


NOTE: Kernel messages/logs have 8 types/levels. "kern.*" logs kernel messages of every level. If you want kernel messages of particular levels only, you need to specify them.
For example, to log only debug and warning messages you need to append the following line:
kern.warning,kern.debug     /var/log/iptables
(In syslog.conf a plain priority such as kern.warning also matches every more severe priority, and separate selectors are joined with a semicolon; to restrict the rule to exactly those two levels, write kern.=warning;kern.=debug instead.)

The following log levels exist for kernel messages:

0  Emergency: system is unusable
1  Alert: action must be taken immediately
2  Critical: critical conditions
3  Error: error conditions
4  Warning: warning conditions
5  Notice: normal but significant conditions
6  Informational: informational messages
7  Debug: debug-level messages


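Because selector semantics are easy to get wrong (a plain priority selects that level and everything more severe), here is an added example, not code from the original post, that evaluates a syslog.conf selector against the eight kernel levels listed above; the function names and the sample rules in it are my own.

```python
# Added example (not code from the original post): a small evaluator for the
# selector field of a syslog.conf rule, following the syntax in syslog.conf(5),
# to show which of the eight kernel levels a selector routes to its action file.

# Priority names from most to least severe; the list index is the level 0..7.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}  # accepted spellings

def level(name: str) -> int:
    """Numeric level of a priority name (0 = emerg, 7 = debug)."""
    return PRIORITIES.index(ALIASES.get(name, name))

def selector_matches(selector: str, facility: str, priority: str) -> bool:
    """True if a message of (facility, priority) is selected by the selector.

    ';' separates selectors, ',' separates facilities sharing one priority;
    'prio' matches that priority and every more severe one, '=prio' matches
    exactly that priority; '*' is any facility or priority and 'none' clears
    the facility. Selectors apply in order, so 'kern.*;kern.none' selects nothing.
    """
    msg = level(priority)
    selected = False
    for part in selector.split(";"):
        facs, _, prio = part.strip().rpartition(".")
        if facility not in facs.split(",") and "*" not in facs.split(","):
            continue  # this selector is about other facilities
        if prio == "none":
            selected = False
        elif prio == "*":
            selected = True
        elif prio.startswith("="):
            selected = selected or msg == level(prio[1:])
        else:
            selected = selected or msg <= level(prio)
    return selected

def levels_selected(selector: str, facility: str = "kern") -> list:
    """Names of the levels of `facility` that the selector routes to its action."""
    return [p for p in PRIORITIES if selector_matches(selector, facility, p)]

def parse_rule(line: str) -> tuple:
    """Split one rule into (selector, action), separated by spaces or tabs."""
    selector, action = line.split(None, 1)
    return selector, action.strip()

if __name__ == "__main__":
    for rule in ("kern.*            /var/log/iptables",
                 "kern.=warning;kern.=debug   /var/log/iptables"):
        sel, act = parse_rule(rule)
        print(f"{sel:28} -> {act}: {levels_selected(sel)}")
```

Running it prints, for each sample rule, the list of kernel levels that would actually be written to /var/log/iptables.
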
3. Restart the syslogd/sysklogd service
syslogd/sysklogd are the system utilities that provide system logging and kernel message trapping.
To restart system and kernel message logging, execute the following command:
service sysklogd restart         # For Debian and Ubuntu Linux
service syslogd restart          # For Red Hat, CentOS, Fedora
