Wednesday, July 27, 2011

How to log iptables on a separate file or directory in linux (debian 6.0)

Is it a pain when you are viewing your iptables logs from you system logs (syslog/messages/kernel)?

The solutions for this is to put your iptables logs to a different file.

In Debian 6.0, you can do this by using rsyslog. (If you don't have it in your server, you can install it by using apt-get. "apt-get install rsyslog")

Here are the steps:

1. You need to create a configuration file for iptables. Go to the rsyslog directory.
$cd /etc/rsyslog.d
$nano iptables.conf

2. Inside your configuration file you need to add the following. Just modify the part inside the double quote to your needs. This are the prefix that you'll be using in your iptables rules.
:msg, contains, "luifirewall:ssh trusted " /var/log/iptables/ssh_trusted.log
:msg, contains, "luifirewall:ssh illegal " /var/log/iptables/ssh_illegal.log
& ~

3. Take note of the prefix that you used above. In your iptables rules, add it in your logging rules.
$IPTABLES -A ssh-in -j LOG --log-prefix "luifirewall:ssh_trusted: "

4. Don't forget to add your log file to the lograte service. You don't want this log to eat up your space right? To do this, follow the steps below.

a. Go to the logrotate directory and create a logrotate function.
$cd /etc/logrotate.d
$nano iptables

b. Insert the following.
/var/log/iptables/*.log {
rotate 6
create 640 root adm

5. You're done! Have fun!

No comments:

Post a Comment