How to Change Location of IPTables Logs

By default the kernel messages produced by the iptables LOG target end up in /var/log/syslog and /var/log/kern.log together with everything else. rsyslog does the routing, so first confirm it is installed and running:

root@vagrant:/home/vagrant# dpkg -l | grep rsyslog
ii rsyslog 8.32.0-1ubuntu4 amd64 reliable system and kernel logging daemon
root@vagrant:/home/vagrant# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-07-20 17:59:56 UTC; 16min ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 813 (rsyslogd)
Tasks: 4 (limit: 1111)
CGroup: /system.slice/rsyslog.service
└─813 /usr/sbin/rsyslogd -n
Jul 20 17:59:56 vagrant systemd[1]: Starting System Logging Service...
Jul 20 17:59:56 vagrant systemd[1]: Started System Logging Service.
Jul 20 17:59:56 vagrant rsyslogd[813]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.32.0 try http://www.
Jul 20 17:59:56 vagrant rsyslogd[813]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.32.0]
Jul 20 17:59:56 vagrant rsyslogd[813]: rsyslogd's groupid changed to 106
Jul 20 17:59:56 vagrant rsyslogd[813]: rsyslogd's userid changed to 102
Jul 20 17:59:56 vagrant rsyslogd[813]: [origin software="rsyslogd" swVersion="8.32.0" x-pid="813" x-info="http://www.rsyslog.com"] start
Now add a LOG rule with a recognisable prefix. This one logs every new TCP connection (SYN) to port 22. LOG is a non-terminating target, so the packet carries on down the chain to whatever ACCEPT or DROP rule follows; and because -A appends to the end of INPUT, check that no earlier rule already accepts the traffic, otherwise the LOG rule is never reached:

root@vagrant:/home/vagrant# iptables -A INPUT -p tcp --dport 22 --syn -j LOG --log-prefix "[IPTABLES]: "

Then create a drop-in file for rsyslog. The name matters: files in /etc/rsyslog.d are read in lexical order, so 10-iptables.conf is processed before Ubuntu's 50-default.conf, which is what lets us pull these messages out before the default rules copy them into syslog and kern.log.

root@vagrant:/home/vagrant# touch /etc/rsyslog.d/10-iptables.conf

Contents of /etc/rsyslog.d/10-iptables.conf:

:msg, contains, "[IPTABLES]: " -/var/log/firewall.log
& stop

Explanation:

The first line is a property-based filter: every message whose msg property contains the prefix is written to /var/log/firewall.log. The match is literal and case-sensitive, so the string must be exactly the one passed to --log-prefix, trailing space included. The leading dash in front of the file name is the classic syslog "do not sync after every write" marker, which rsyslog accepts for compatibility. The second line applies to the same messages (that is what & means) and stops processing them, so they do not also appear in /var/log/syslog and /var/log/kern.log. The older spelling "& ~" still works, but as the warning in the rsyslog status output above shows, ~ is deprecated and "stop" is its replacement.

Restart rsyslog so it picks up the new file:

root@vagrant:/home/vagrant# systemctl restart rsyslog

Check configuration

Open a few new SSH connections to the host and tail the new file. Each SYN shows up as one kernel line carrying the prefix and the usual KEY=VALUE fields, and the same lines no longer appear in /var/log/syslog:

root@vagrant:/var/log# tail -f firewall.log
Jul 20 18:32:42 vagrant kernel: [ 3517.029908] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=30896 DF PROTO=TCP SPT=34987 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:34:07 vagrant kernel: [ 3601.405900] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=31057 DF PROTO=TCP SPT=34989 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:34:11 vagrant kernel: [ 3605.834510] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=31068 DF PROTO=TCP SPT=34990 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:34:14 vagrant kernel: [ 3608.304361] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=31079 DF PROTO=TCP SPT=34991 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:34:16 vagrant kernel: [ 3610.337227] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=31090 DF PROTO=TCP SPT=34992 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
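The procedure above, as an added shell example that is not code from the original post. It generates the rsyslog drop-in with "& stop", parses the KEY=VALUE fields of LOG lines, and aggregates them per source so the new file is actually useful for spotting scans or brute-force attempts. The sample log is constructed in the format shown above (with a second source address added); the apply() function is an assumed root-only step that goes beyond the post by inserting the LOG rule at the top of INPUT and rate-limiting it with -m limit, and it is not run unless the script is invoked with "apply".

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers for the procedure
# above: build the rsyslog drop-in, then parse and aggregate the resulting
# firewall.log lines. Everything except apply() runs offline.

LOG_PREFIX="[IPTABLES]: "   # must match --log-prefix exactly, trailing space included

# Print the rsyslog drop-in for /etc/rsyslog.d/10-iptables.conf:
# a property filter on msg, then "& stop" so the message is not also written
# to /var/log/syslog and /var/log/kern.log by 50-default.conf ("~" is deprecated).
rsyslog_dropin() {
    printf ':msg, contains, "%s" -%s\n& stop\n' "$LOG_PREFIX" "$1"
}

# Constructed sample of what the LOG target writes (same layout as the post's
# output, with a second source address added; not real traffic).
sample_log() {
    cat <<'EOF'
Jul 20 18:32:42 vagrant kernel: [ 3517.029908] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=30896 DF PROTO=TCP SPT=34987 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:34:07 vagrant kernel: [ 3601.405900] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.1 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=31057 DF PROTO=TCP SPT=34989 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 18:34:11 vagrant kernel: [ 3605.834510] [IPTABLES]: IN=enp0s8 OUT= MAC=11:11:11:11:11:11:11:11:11:11:11:11:11:11 SRC=192.168.123.50 DST=192.168.123.123 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4410 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
}

# Read LOG lines on stdin, print "SRC DST PROTO DPT" for each.
# Fields are KEY=VALUE tokens; some (OUT=) legitimately have an empty value.
parse_log_line() {
    awk '{
        src = dst = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "SRC") src = v
            else if (k == "DST") dst = v
            else if (k == "PROTO") proto = v
            else if (k == "DPT") dpt = v
        }
        print src, dst, proto, dpt
    }'
}

# Read LOG lines on stdin, print "SRC count", highest count first.
top_sources() {
    grep -F "$LOG_PREFIX" \
      | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $2, $1 }'
}

# Sources with at least $1 logged SYNs: a crude scan / brute-force indicator.
noisy_sources() {
    top_sources | awk -v t="$1" '$2 >= t { print $1 }'
}

# Apply on a real host (needs root; assumed step, not from the post). -I puts
# the LOG rule at the top of INPUT so an earlier ACCEPT cannot shadow it, and
# -m limit keeps a port scan from flooding the log. Neither the rule nor the
# file is persisted across reboot by this function.
apply() {
    rsyslog_dropin /var/log/firewall.log > /etc/rsyslog.d/10-iptables.conf
    systemctl restart rsyslog
    iptables -I INPUT -p tcp --dport 22 --syn \
        -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
}

if [ "${1:-}" = "apply" ]; then
    apply
else
    rsyslog_dropin /var/log/firewall.log
    sample_log | top_sources
fi
```

Run it without arguments to see the generated drop-in and the per-source counts for the sample; on the real host, pipe /var/log/firewall.log into top_sources or noisy_sources instead of sample_log.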

