How to Enable Logging in Iptables on Linux

    RahulBy 2 Mins ReadUpdated:

    Enabling logging on iptables is helpful for monitoring traffic coming to our server. This we can also find the number of hits done from any IP. This article will help enable logging in iptables for all packets filtered by iptables.

    Enable Iptables LOG

    We can simply use following command to enable logging in iptables.

    iptables -A INPUT -j LOG

    We can also define the source ip or range for which log will be created.

    iptables -A INPUT -s 192.168.10.0/24 -j LOG

    To define level of LOG generated by iptables us –log-level followed by level number.

    iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-level 4

    We can also add some prefix in generated Logs, So it will be easy to search for logs in a huge file.

    iptables -A INPUT -s 192.168.10.0/24 -j LOG --log-prefix '** SUSPECT **'

    View Iptables LOG

    After enabling iptables logs. check following log files to view logs generated by iptables as per your operating system.

    On Ubuntu and Debian

    iptables logs are generated by the kernel. So check following kernel log file.

    tail -f /var/log/kern.log

    On CentOS/RHEL and Fedora

    cat /var/log/messages

    Change Iptables LOG File Name

    To change iptables log file name edit /etc/rsyslog.conf file and add following configuration in file.

    vi /etc/syslog.conf

    Add the following line

    kern.warning /var/log/iptables.log

    Now, restart rsyslog service using the following command.

    service rsyslog restart
    Share.

    Related Posts

    6 Comments

    1. Bhushit on

      Hi All,
      I want to log the NAT translations(source NAT) along with the timestamps, Info I want is:
      source IP(unnatted) source port dest IP dest port :: source IP(natted) source port dest IP dest port

      Please help me if its possible.

      Reply
    3. Henrique on

      If you have dificulty to log packets with anothers rules, use ‘iptables -I’ instead of ‘-A’, this put your logging rule at top of rules. Netfilter matches others rules and stop processing, but LOG is a non-blocking target, it’s secure to put in first place.

      Reply
    5. NAME on

      Not very flexible youre solution.

      Better try this

      nano /etc/rsyslog.d/iptables.conf

      add this:
      “:msg,contains,”** SUSPECT **” /var/log/iptables.log
      &~


      without the quotes ofc

      then

      service rsyslog restart

      done

      cheers

      Reply
    6. Rob Freeman on

      Thanks for the information here. Just wanted to let you know, there is a type on one line.

      vi /etc/syslog.conf

      This should be

      vi /etc/rsyslog.conf

      Reply

    Leave A Reply