How to Change Location of IPTables Logs

Maciej
3 min read · Jul 31, 2020

Logs are an important part of any firewall. On Linux, iptables can log packets with its LOG target, but those messages go to the kernel log and end up, by default, in /var/log/syslog (Debian/Ubuntu, which also copies kernel messages to /var/log/kern.log) or /var/log/messages (RHEL/CentOS), mixed in with everything else the system logs. That makes the firewall entries hard to find when you need them.

To give iptables its own log file you do two things: add a --log-prefix to your LOG rules so the messages are recognisable, then configure rsyslog to match on that prefix and write those messages to a dedicated file that contains only iptables log information.

  • Check that rsyslog is installed and running
root@vagrant:/home/vagrant# dpkg -l | grep rsyslog
ii rsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon
root@vagrant:/home/vagrant# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-07-20 17:59:56 UTC; 16min ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 813 (rsyslogd)
Tasks: 4 (limit: 1111)
CGroup: /system.slice/rsyslog.service
└─813 /usr/sbin/rsyslogd -n
Jul 20 17:59:56 vagrant systemd[1]: Starting System Logging Service...
Jul 20 17:59:56 vagrant systemd[1]: Started System Logging Service.
Jul 20 17:59:56 vagrant rsyslogd[813]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.32.0 try http://www.
Jul 20 17:59:56 vagrant rsyslogd[813]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.32.0]
Jul 20 17:59:56 vagrant rsyslogd[813]: rsyslogd's groupid changed to 106
Jul 20 17:59:56 vagrant rsyslogd[813]: rsyslogd's userid changed to 102
Jul 20 17:59:56 vagrant rsyslogd[813]: [origin software="rsyslogd" swVersion="8.32.0" x-pid="813" x-info="http://www.rsyslog.com"] start
  • Configure your iptables rules with --log-prefix. LOG is a non-terminating target, so the packet continues down the chain after it is logged; but because -A appends the rule to the end of INPUT, an earlier rule that already accepts port 22 would prevent it from ever matching, so make sure it sits before any such rule. The prefix can be at most 29 characters.
root@vagrant:/home/vagrant# iptables -A INPUT -p tcp --dport 22 --syn -j LOG --log-prefix "[IPTABLES]: "
  • Create a configuration file for rsyslog. The 10- in the name matters: files in /etc/rsyslog.d are processed in lexical order, and this one has to run before the distribution's default rules (50-default.conf on Ubuntu), otherwise the message is written to syslog before it is stopped.
root@vagrant:/home/vagrant# touch /etc/rsyslog.d/10-iptables.conf
  • Open this file, paste the configuration below and save it
:msg, contains, "[IPTABLES]: " -/var/log/firewall.log
& stop

Explanation:

The first line checks every message for the string [IPTABLES]: and, when it is found, writes the message to /var/log/firewall.log. The leading - is the legacy "do not sync after every write" flag; rsyslog 8 does not sync by default, so it changes nothing but is harmless.

The second line (& stop, or the older & ~ form that rsyslog 8 still accepts but reports as deprecated at startup, as the systemctl status output above shows) stops processing of the matched message, so it is not also written to the standard location, /var/log/syslog or /var/log/messages. Without it every firewall entry would appear in both files.

  • Restart the rsyslog service
root@vagrant:/home/vagrant# systemctl restart rsyslog
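The whole procedure as one script, added here as an example and not taken from the original post. It keeps the post's prefix and file name but adds the checks a practitioner would want: it refuses a prefix longer than the 29 characters iptables allows, writes the rsyslog rule in RainerScript with stop in place of the deprecated ~, syntax-checks the configuration with rsyslogd -N1 before restarting, inserts the LOG rule at the head of INPUT with a rate limit, and adds a logrotate policy. The Ubuntu/Debian layout (/etc/rsyslog.d with 50-default.conf, systemd), the rate-limit values and the logrotate policy are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. The whole procedure in one
# script, with the checks a practitioner would add: prefix length, config
# syntax check before restart, rate-limited LOG rule, logrotate policy.
# Assumptions (not stated in the post): Ubuntu/Debian layout with
# /etc/rsyslog.d/50-default.conf, rsyslog 8.x, systemd, root for "apply".
set -eu

LOG_PREFIX='[IPTABLES]: '                        # from the post
LOG_FILE='/var/log/firewall.log'                 # from the post
RSYSLOG_CONF='/etc/rsyslog.d/10-iptables.conf'   # "10-" sorts before 50-default.conf

# iptables silently truncates --log-prefix to 29 characters; refuse longer ones
# so the rsyslog match below can never miss a truncated prefix.
check_prefix() {
    [ "${#1}" -le 29 ]
}

# rsyslog rule in RainerScript, equivalent to ':msg, contains, ... / & ~' but
# using 'stop' instead of the '~' that rsyslog 8 reports as deprecated.
# Restricting to facility kern avoids matching a user-space message that
# happens to contain the same prefix.
render_rsyslog_conf() {
    prefix="$1"; file="$2"
    cat <<EOF
if \$syslogfacility-text == "kern" and \$msg contains "${prefix}" then {
    action(type="omfile" file="${file}")
    stop
}
EOF
}

# logrotate policy so the new file does not grow unbounded; HUP makes rsyslog
# reopen the file after rotation.
render_logrotate_conf() {
    file="$1"
    cat <<EOF
${file} {
    weekly
    rotate 8
    missingok
    notifempty
    compress
    delaycompress
    postrotate
        systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}
EOF
}

# The LOG rule, inserted at the head of INPUT so an earlier ACCEPT for port 22
# cannot shadow it, and rate-limited so a SYN flood cannot fill the disk.
render_iptables_rule() {
    printf 'iptables -I INPUT 1 -p tcp --dport 22 --syn -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "%s" --log-level info\n' "$1"
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; return 1; }
    check_prefix "$LOG_PREFIX" || { echo "prefix longer than 29 chars" >&2; return 1; }
    render_rsyslog_conf "$LOG_PREFIX" "$LOG_FILE" > "$RSYSLOG_CONF"
    render_logrotate_conf "$LOG_FILE" > /etc/logrotate.d/firewall
    rsyslogd -N1                  # syntax-check the new config before restarting
    systemctl restart rsyslog
    sh -c "$(render_iptables_rule "$LOG_PREFIX")"
    # Rules are not persistent; with iptables-persistent installed, also run:
    # netfilter-persistent save
}

if [ "${1:-}" = "apply" ]; then
    apply
else
    # Dry run: show what would be written and executed.
    render_rsyslog_conf "$LOG_PREFIX" "$LOG_FILE"
    render_logrotate_conf "$LOG_FILE"
    render_iptables_rule "$LOG_PREFIX"
fi
```

Run it without arguments for a dry run that prints what would be written; run it as root with apply to install. Rules added with iptables do not survive a reboot, so save them with your distribution's mechanism afterwards (for example netfilter-persistent save if iptables-persistent is installed).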

Check the configuration

Connect to the server on port 22 from another machine. rsyslog creates /var/log/firewall.log on the first matching message, so the file appears in /var/log as soon as the first SYN is logged.

Now you can view a log file that contains only firewall entries:

root@vagrant:/var/log# tail -f firewall.log
Jul 20 18:32:42 vagrant kernel: [ 3517.029908] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=30896 DF PROTO=TCP SPT=34987 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:34:07 vagrant kernel: [ 3601.405900] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=31057 DF PROTO=TCP SPT=34989 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:34:11 vagrant kernel: [ 3605.834510] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=31068 DF PROTO=TCP SPT=34990 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:34:14 vagrant kernel: [ 3608.304361] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=31079 DF PROTO=TCP SPT=34991 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:34:16 vagrant kernel: [ 3610.337227] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=31090 DF PROTO=TCP SPT=34992 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
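A dedicated firewall log is only useful if you read it. The script below is an added example, not part of the original post: it parses lines in the format shown above into their key=value fields (TCP flags such as SYN appear as bare words, not key=value), counts SYNs per source address to a chosen port, and prints the sources at or above a threshold, which is enough to spot a port scan or an SSH brute-force source. The sample lines are constructed for the example; they go beyond the post's single rule by including an ACK, a UDP packet and a non-kernel sshd line, so the filter can be seen discarding them. The function name, port and threshold are this example's choices.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: count SYNs per source to a port
# from iptables LOG lines and print the sources at or above a threshold.
# SAMPLE_LOG is constructed for this example in the post's line format
# (anonymised MAC kept); a broader ruleset than the post's single rule would
# also produce the ACK, UDP and non-kernel lines, included here to show the
# filter ignoring them.
set -eu

SAMPLE_LOG='Jul 20 18:32:42 vagrant kernel: [ 3517.029908] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=30896 DF PROTO=TCP SPT=34987 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:34:07 vagrant kernel: [ 3601.405900] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=31057 DF PROTO=TCP SPT=34989 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:34:11 vagrant kernel: [ 3605.834510] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=31068 DF PROTO=TCP SPT=34990 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:34:14 vagrant kernel: [ 3608.304361] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=31079 DF PROTO=TCP SPT=34991 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:34:16 vagrant kernel: [ 3610.337227] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=31090 DF PROTO=TCP SPT=34992 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:35:01 vagrant kernel: [ 3655.000001] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=10.0.0.5 DST=192.168.123.123 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 20 18:35:03 vagrant kernel: [ 3657.000002] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=10.0.0.5 DST=192.168.123.123 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 20 18:35:05 vagrant kernel: [ 3659.000003] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=10.0.0.5 DST=192.168.123.123 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4244 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 20 18:35:09 vagrant kernel: [ 3663.000004] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=10.0.0.7 DST=192.168.123.123 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=77 PROTO=UDP SPT=40000 DPT=53 LEN=40
Jul 20 18:35:10 vagrant sshd[1234]: Accepted publickey for vagrant from 192.168.123.1 port 34992 ssh2'

# usage: ssh_syn_sources PORT THRESHOLD < firewall.log
# Prints "SRC count" for every source with at least THRESHOLD TCP SYNs to PORT,
# busiest first. Lines without the iptables prefix are ignored, so the same
# function also works on /var/log/syslog before the split is configured.
ssh_syn_sources() {
    awk -v port="$1" -v thr="$2" '
        index($0, "[IPTABLES]: ") == 0 { next }   # not a firewall record
        {
            split("", kv); syn = 0                 # reset per-line state (portable array clear)
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n) kv[substr($i, 1, n - 1)] = substr($i, n + 1)
                else if ($i == "SYN") syn = 1      # TCP flags are bare words
            }
            if (kv["PROTO"] == "TCP" && kv["DPT"] == port && syn) count[kv["SRC"]]++
        }
        END { for (s in count) if (count[s] >= thr) printf "%s %d\n", s, count[s] }
    ' | sort -k2,2nr
}

# With a file argument, analyse that file; otherwise run on the sample.
if [ $# -ge 1 ]; then
    ssh_syn_sources 22 3 < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | ssh_syn_sources 22 3
fi
```

On the sample, a threshold of 3 reports only 192.168.123.1 (5 SYNs); 10.0.0.5 has two SYNs and one ACK, which the flag check keeps apart, and the UDP and sshd lines are never counted. Pointing it at /var/log/firewall.log with a threshold tuned to your traffic gives a quick triage view without a full SIEM.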

Maciej

DevOps Consultant. I’m strongly focused on automation, security, and reliability.