iptables logging to diferent file via syslog-ng

Question

I have the following configuration in my iptables and syslog files:

IPTABLES

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 222 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT

-A INPUT -j DROP

-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

SYSLOG-NG

destination d_iptables { file("/var/log/iptables/iptables.log"); };

filter f_iptables { facility(kern) and match("IN=" value("MESSAGE")) and match("OUT=" value("MESSAGE")); };

filter f_messages { level(info,notice,warn) and
                    not facility(auth,authpriv,cron,daemon,mail,news) and not 
filter(f_iptables); };

log { source(s_src); filter(f_iptables); destination(d_iptables); };`

I restart syslog-ng and the log is not written.

What is the value of `s_src` and why don't you match on "iptables denied:" instead? — Mark Wagner, Apr 06 '12 at 22:45
filter f_iptables { level(debug) and match("IN=" value("iptables denied")) and match("OUT=" value("iptables denied")); }; — rahrahruby, Apr 09 '12 at 15:18
source s_src { unix-dgram("/dev/log"); internal(); file("/proc/kmsg" program_override("kernel")); — rahrahruby, Apr 09 '12 at 15:19

score 3 · Answer 1 · edited Mar 11 '15 at 04:25

Ok, after a lot of pain I finally got it working, here is the final config, I hope it helps someone.

iptables

    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :LOGNDROP - [0:0]
    :OUTPUT ACCEPT [63:18352]
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
    -A INPUT -p tcp -m tcp --dport 222 -j ACCEPT 
    -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT 
    -A INPUT -s 85.25.146.0/24 -j DROP 
    -A INPUT -j DROP

syslog.confg

destination d_iptables { file("/var/log/iptables.log"); };
filter f_iptables { match("iptables denied" value("MESSAGE")); };
filter f_debug { level(debug) and not facility(auth, authpriv, news, mail) and not filter(f_iptables); };
#       not facility(auth,authpriv,cron,daemon,mail,news) and not filter(f_iptables); };
filter f_kern { facility(kern) and not filter(f_iptables); };
log { source(s_src); filter(f_iptables); destination(d_iptables); };

Great, if this is the correct solution to your question, please mark it as "accepted" when you are able. — jscott, Apr 27 '12 at 00:06

score 2 · Accepted Answer · answered Apr 13 '12 at 08:47

2

Your syslog-ng config appears fine to me but your iptables config isn't. The -j LOG line appears after a line that DROPs everything, hence it will never be reached.

You should move the LOG line to directly before whatever event you want to log. If you want to log everything, put it first. If you want to log everything that isn't ACCEPTed, put it after all the ACCEPTs.

answered Apr 13 '12 at 08:47

Ladadadada

25,847
7
57
90

I moved the logging up as suggested Chain INPUT (policy ACCEPT) target prot opt source destination LOG all -- anywhere anywhere limit: RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:www ACCEPT tcp -- anywhere anywhere tcp dpt:222 ACCEPT tcp -- anywhere anywhere tcp dpt:mysql DROP all -- static-ip-85-25-146-0.inaddr.ip-pool.com/24 anywhere DROP all -- anywhere anywhere – rahrahruby Apr 26 '12 at 22:22
and mofified the filter as follows hoping to capture all logging filter f_iptables { level(debug); }; and still get no output to my iptables.log – rahrahruby Apr 26 '12 at 22:23

iptables logging to diferent file via syslog-ng

2 Answers2