How to Change the Location of iptables Logs

  • Check that rsyslog is installed and running
root@vagrant:/home/vagrant# dpkg -l | grep rsyslog
ii rsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon
root@vagrant:/home/vagrant# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-07-20 17:59:56 UTC; 16min ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 813 (rsyslogd)
Tasks: 4 (limit: 1111)
CGroup: /system.slice/rsyslog.service
└─813 /usr/sbin/rsyslogd -n
Jul 20 17:59:56 vagrant systemd[1]: Starting System Logging Service...
Jul 20 17:59:56 vagrant systemd[1]: Started System Logging Service.
Jul 20 17:59:56 vagrant rsyslogd[813]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.32.0 try http://www.
Jul 20 17:59:56 vagrant rsyslogd[813]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.32.0]
Jul 20 17:59:56 vagrant rsyslogd[813]: rsyslogd's groupid changed to 106
Jul 20 17:59:56 vagrant rsyslogd[813]: rsyslogd's userid changed to 102
Jul 20 17:59:56 vagrant rsyslogd[813]: [origin software="rsyslogd" swVersion="8.32.0" x-pid="813" x-info="http://www.rsyslog.com"] start
  • Add the iptables rule you want logged with -j LOG and a distinctive --log-prefix; rsyslog will match on this prefix, and iptables limits it to 29 characters
root@vagrant:/home/vagrant# iptables -A INPUT -p tcp --dport 22 --syn -j LOG --log-prefix "[IPTABLES]: "
  • Create a configuration file for rsyslog. The name matters: rsyslog reads /etc/rsyslog.d/*.conf in lexical order, and on Ubuntu the stock 50-default.conf already copies kern.* into /var/log/kern.log and /var/log/syslog, so this file must sort before it for the discard below to take effect.
root@vagrant:/home/vagrant# touch /etc/rsyslog.d/10-iptables.conf
  • Open the file, paste the configuration below and save it. The first line is a property-based filter: every message whose text contains the prefix is written to /var/log/firewall.log (the leading dash is the legacy "do not sync after each write" marker; rsyslog 8 does not sync by default, so it changes nothing here). The second line stops processing of those messages so they do not also land in syslog and kern.log. The older spelling of that line, & ~, still works but is deprecated, and produces the same warning rsyslog prints in the service status output above.
:msg, contains, "[IPTABLES]: " -/var/log/firewall.log
& stop
  • Restart the rsyslog service
root@vagrant:/home/vagrant# systemctl restart rsyslog
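The procedure above as one script, added here as an example and not code from the article: it renders the rsyslog fragment with `stop` in place of the deprecated `~`, checks that the prefix stays within the 29-character limit iptables puts on --log-prefix and that the fragment's file name sorts before Ubuntu's 50-default.conf, runs `rsyslogd -N1` to validate the configuration before restarting, and adds the LOG rule with `-m limit` so a burst of connection attempts cannot fill the disk with log lines. The limit values, the Ubuntu file layout and the use of legacy iptables rather than nftables are assumptions. Running it with no argument only prints the fragment; `apply` and `verify` need root.

```shell
#!/bin/sh
# Added example, not from the original article.  Renders, checks and applies
# the rsyslog fragment that routes iptables LOG output to its own file.
# Assumptions: Ubuntu-style rsyslog that reads /etc/rsyslog.d/*.conf in
# lexical order (stock file 50-default.conf), legacy iptables, and
# rate-limit values chosen for illustration only.
set -eu

PREFIX='[IPTABLES]: '
LOGFILE='/var/log/firewall.log'
CONF='/etc/rsyslog.d/10-iptables.conf'

# iptables(8) allows at most 29 characters in --log-prefix; iptables would
# reject a longer prefix when the rule is added, so fail early and clearly.
check_prefix() {
    if [ -n "$1" ] && [ "${#1}" -le 29 ]; then return 0; fi
    return 1
}

# Property-based filter on the message text.  'stop' is the supported form
# of the deprecated '& ~' discard and keeps the matched lines out of
# /var/log/syslog and /var/log/kern.log.  Arguments: PREFIX LOGFILE.
render_rsyslog_conf() {
    printf ':msg, contains, "%s" -%s\n& stop\n' "$1" "$2"
}

# The fragment must sort before 50-default.conf, otherwise kern.* has already
# been written to kern.log and syslog by the time our 'stop' is reached.
check_conf_order() {
    base=$(basename "$1")
    if [ "$base" != 50-default.conf ] &&
       printf '%s\n%s\n' "$base" 50-default.conf | sort -c 2>/dev/null; then
        return 0
    fi
    return 1
}

apply() {
    check_prefix "$PREFIX"   || { echo "log prefix longer than 29 chars" >&2; return 1; }
    check_conf_order "$CONF" || { echo "$CONF sorts after 50-default.conf" >&2; return 1; }
    render_rsyslog_conf "$PREFIX" "$LOGFILE" > "$CONF"
    rsyslogd -N1              # syntax check before touching the running daemon
    systemctl restart rsyslog
    # Log new SSH connections only (--syn), capped with -m limit so a flood of
    # connection attempts cannot fill the disk with log lines.
    rule='INPUT -p tcp --dport 22 --syn -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix'
    # shellcheck disable=SC2086  # word splitting of $rule is intended
    iptables -C $rule "$PREFIX" 2>/dev/null || iptables -A $rule "$PREFIX"
}

verify() {
    tail -n 5 "$LOGFILE"
}

case "${1:-}" in
    apply)  apply ;;
    verify) verify ;;
    *)      render_rsyslog_conf "$PREFIX" "$LOGFILE" ;;   # dry run: print the fragment
esac
```

The checks live in their own functions so the rendered fragment and the two preconditions can be exercised on a workstation without touching rsyslog or the firewall.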

Check the configuration by opening a new SSH connection from another host and following the new file

root@vagrant:/var/log# tail -f firewall.log
Jul 20 18:32:42 vagrant kernel: [ 3517.029908] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=30896 DF PROTO=TCP SPT=34987 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:34:07 vagrant kernel: [ 3601.405900] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=31057 DF PROTO=TCP SPT=34989 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:34:11 vagrant kernel: [ 3605.834510] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=31068 DF PROTO=TCP SPT=34990 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:34:14 vagrant kernel: [ 3608.304361] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=31079 DF PROTO=TCP SPT=34991 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:34:16 vagrant kernel: [ 3610.337227] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=31090 DF PROTO=TCP SPT=34992 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
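Once entries reach firewall.log, the KEY=VALUE layout of the kernel LOG output shown above is straightforward to parse. The following is an added example, not code from the article: an awk-based count of connection attempts per source address for one destination port, and a threshold filter that picks out the noisy sources. The log lines it reads are constructed for the example (RFC 5737 documentation addresses, made-up MAC values), not captured from the author's host.

```shell
#!/bin/sh
# Added example, not from the original article.  Parses the KEY=VALUE fields
# the kernel LOG target writes and counts connection attempts per source.
set -eu

# Constructed sample of firewall.log (documentation addresses, made-up MACs);
# it is not output captured from a real host.
sample_log() {
    cat <<'EOF'
Jul 20 18:32:42 vagrant kernel: [ 3517.029908] [IPTABLES]: IN=enp0s8 OUT= MAC=08:00:27:11:22:33:52:54:00:aa:bb:cc:08:00 SRC=198.51.100.7 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=30896 DF PROTO=TCP SPT=34987 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:32:43 vagrant kernel: [ 3518.102211] [IPTABLES]: IN=enp0s8 OUT= MAC=08:00:27:11:22:33:52:54:00:aa:bb:cc:08:00 SRC=198.51.100.7 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=30901 DF PROTO=TCP SPT=34988 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:32:45 vagrant kernel: [ 3520.419873] [IPTABLES]: IN=enp0s8 OUT= MAC=08:00:27:11:22:33:52:54:00:dd:ee:ff:08:00 SRC=203.0.113.9 DST=192.168.123.123 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41022 DF PROTO=TCP SPT=51200 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 20 18:32:47 vagrant kernel: [ 3522.007454] [IPTABLES]: IN=enp0s8 OUT= MAC=08:00:27:11:22:33:52:54:00:aa:bb:cc:08:00 SRC=198.51.100.7 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=30917 DF PROTO=TCP SPT=34990 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:32:49 vagrant kernel: [ 3524.331009] [IPTABLES]: IN=enp0s8 OUT= MAC=08:00:27:11:22:33:52:54:00:aa:bb:cc:08:00 SRC=198.51.100.7 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=30925 DF PROTO=TCP SPT=34991 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
}

# Count LOG lines per SRC for one destination port, most frequent first.
# Usage: count_by_src DPORT < firewall.log
count_by_src() {
    awk -v want="$1" '
        /\[IPTABLES\]: / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                p = index($i, "=")
                if (p == 0) continue          # flag tokens such as DF or SYN carry no value
                key = substr($i, 1, p - 1); val = substr($i, p + 1)
                if (key == "SRC") src = val
                if (key == "DPT") dpt = val
            }
            if (src != "" && dpt == want) hits[src]++
        }
        END { for (s in hits) printf "%d %s\n", hits[s], s }
    ' | sort -rn
}

# Keep only sources at or above a threshold, e.g. to feed a blocklist.
# Usage: count_by_src 22 < firewall.log | over_threshold 3
over_threshold() {
    awk -v min="$1" '$1 >= min { print $2 }'
}

# Stand-alone run: summarise the constructed sample for SSH.
sample_log | count_by_src 22
```

Against the real file this becomes `count_by_src 22 < /var/log/firewall.log | over_threshold 20`; only tokens containing `=` are treated as fields, so the flag-only tokens such as DF and SYN are skipped.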

Maciej, DevOps Consultant. I’m strongly focused on automation, security, and reliability.
