Enabling logging on iptables is helpful for monitoring traffic coming to our server. This we we can also find number of hits done from any ip. This article will help for enable loging in iptables for all packets filtered by iptables.
Enable Iptables LOG
We can simply use following command to enable logging in iptables.
$ iptables -A INPUT -j LOG
We can also define the source ip or range for which log will be created.
$ iptables -A INPUT -s 192.168.10.0/24 -j LOG
To define level of LOG generated by iptables us –log-level followed by level number.
$ iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-level 4
We can also add some prefix in generated Logs, So it will be easy to search for logs in a huge file.
$ iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-prefix '** SUSPECT **'
View Iptables LOG
After enabling iptables logs. check following log files to view logs generated by iptables as per your operating system.
On Ubuntu and Debian
iptables logs are generated by the kernel. So check following kernel log file.
$ tailf /var/log/kern.log
On CentOS/RHEL and Fedora
# cat /var/log/messages
Change Iptables LOG File Name
To change iptables log file name edit /etc/rsyslog.conf file and add following configuration in file.
# vi /etc/syslog.conf
Add following line
kern.warning/var/log/iptables.log
Now restart rsyslog service using following command.
$ service rsyslog restart
If you have dificulty to log packets with anothers rules, use ‘iptables -I’ instead of ‘-A’, this put your logging rule at top of rules. Netfilter matches others rules and stop processing, but LOG is a non-blocking target, it’s secure to put in first place.
Great post thank you
Not very flexible youre solution.
Better try this
nano /etc/rsyslog.d/iptables.conf
add this:
“:msg,contains,”** SUSPECT **” /var/log/iptables.log
&~
”
without the quotes ofc
then
service rsyslog restart
done
cheers
Thanks for the information here. Just wanted to let you know, there is a type on one line.
vi /etc/syslog.conf
This should be
vi /etc/rsyslog.conf