# Iptables / syslog-ng --> logging to another file

## freeballer

I might have missed the doc here at gentoo.org, but I would like iptables to log its information via syslog-ng to another file (e.g. iptables).

I know this has to be configured in syslog, but I cannot find info on exactly how to do it with iptables...

I need a little help

Thanks for your time

Geoff

----------

## spudicus

Configure iptables to log with the following example message prefix:

```
iptables -A INPUT -j LOG --log-prefix "Iptables: "
```

Configure syslog-ng to match and log the above message:

```
destination d_fwall { file("/var/log/firewall.log"); };

filter f_fwall {
        match("Iptables:");
};

log { source(src); filter(f_fwall); destination(d_fwall); };
```

Note: the iptables matches will still get logged to /var/log/{messages,syslog}, but also to their own file. If this behaviour is undesirable you could do something like:

```
filter f_nofwall {
        not match("Iptables:");
};

log { source(src); filter(f_messages); filter(f_nofwall); destination(messages); };
```

----------

## 029ah

I guess it's better to use ulogd daemon and ULOG action, like:

```
iptables -A INPUT -p TCP --dport 22 -j ULOG
```

----------

## affinity

 *spudicus wrote:*   

> Note: the iptables matches will still get logged to /var/log/{messages,syslog}, but also to their own file. If this behaviour is undesirable you could do something like:
> 
> ```
> filter f_nofwall {
> 
> ...


or you could do something like:

```
log { source(src); filter(f_fwall); destination(d_fwall); flags(final); };
```

You could also just match something like IN= instead of adding log-prefix.

----------

## freeballer

thanks all for the replies,

seems to be working fine now

----------

## iGMAS

I can't get the code to work as I want. It logs iptables stuff to /var/log/firewall.log, but it also logs it to syslog.log.

```
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.3 2003/05/12 22:43:48 msterret Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett

options {
        long_hostnames(off);
        sync(0);
        # The default action of syslog-ng 1.6.0 is to log a STATS line
        # to the file every 10 minutes.  That's pretty ugly after a while.
        # Change it to every 12 hours so you get a nice daily update of
        # how many messages syslog-ng missed (0).
        stats(43200);
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };

# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

destination d_fwall { file("/var/log/firewall.log"); };

filter f_fwall {
        match("Iptables:");
};

filter f_nofwall {
        not match("Iptables:");
};

log { source(src); filter(f_fwall); filter(f_nofwall); destination(messages); };
log { source(src); filter(f_fwall); destination(d_fwall); };
log { source(src); filter(f_fwall); destination(d_fwall); flags(final); };
```

----------

## affinity

syslog.log?

btw, you're supposed to do it like this:

```
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.3 2003/05/12 22:43:48 msterret Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett

options {
        long_hostnames(off);
        sync(0);
        # The default action of syslog-ng 1.6.0 is to log a STATS line
        # to the file every 10 minutes.  That's pretty ugly after a while.
        # Change it to every 12 hours so you get a nice daily update of
        # how many messages syslog-ng missed (0).
        stats(43200);
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };

# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

destination d_fwall { file("/var/log/firewall.log"); };

filter f_fwall {
        match("Iptables:");
};

# The firewall path comes first and is final, so matching lines never reach the catch-all below.
log { source(src); filter(f_fwall); destination(d_fwall); flags(final); };
log { source(src); destination(messages); };
```

or like this:

```
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.3 2003/05/12 22:43:48 msterret Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett

options {
        long_hostnames(off);
        sync(0);
        # The default action of syslog-ng 1.6.0 is to log a STATS line
        # to the file every 10 minutes.  That's pretty ugly after a while.
        # Change it to every 12 hours so you get a nice daily update of
        # how many messages syslog-ng missed (0).
        stats(43200);
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };

# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

destination d_fwall { file("/var/log/firewall.log"); };

filter f_fwall {
        match("Iptables:");
};

filter f_nofwall {
        not match("Iptables:");
};

# Two complementary filters: each message goes to exactly one of the two files.
log { source(src); filter(f_nofwall); destination(messages); };
log { source(src); filter(f_fwall); destination(d_fwall); };
```

----------

## iGMAS

syslog-ng still writes iptables: to /var/log/syslog, and syslog doesn't change to a new log and zip yesterday's log anymore.

----------

## spudicus

You need to filter out logging to the syslog and messages logfiles:

```
# Both negated matches must hold for a message to pass, so they are joined
# with "and"; joining them with "or" would let every message through.
filter f_crap {
    not match("]: STATS: dropped 0$")
    and not match("(iptables|Iptables)");
};

log { source(src); filter(f_messages); filter(f_crap); destination(messages); };
log { source(src); filter(f_syslog); filter(f_crap); destination(syslog); };
```

This filters out the iptables lines and some syslog-ng redundancy. As posted previously, you can match on the "IN=" expression of an iptables rule match. I chose to specify the logging prefix explicitly as "iptables", just in case something else matches "IN=".

Since this was posted, I've taken 029ah's advice and installed ulogd. The relevant ulog module needs to be compiled in for it to work, but it automatically logs to ulogd.syslogemu, and considering it's designed for iptables logging, I assumed it was the better option to take (note: you still need to stop the iptables logging from going to the syslog/messages logfiles).

There is a certain amount of redundancy between the syslog and messages (and other) logfiles that would almost indicate they could be combined into one entry; however, other programs may depend on either file, and therefore I live with this redundancy.

In regards to your log rotation: is `/etc/init.d/syslog-ng reload` working OK? Has anything changed in /etc/logrotate.d/syslog-ng?
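The two mechanisms discussed in this thread, `flags(final)` on the firewall path (affinity's post) and an exclusion filter on the messages path (the `f_crap` filter above), both depend on how syslog-ng evaluates its `log` statements. The following Python model is an added illustration, not code from the thread or from syslog-ng itself; it simplifies syslog-ng to ordered log statements whose filters must all pass, models `match()` as an unanchored regex search on the message text, and treats `flags(final)` as stopping later statements once a path has accepted a message. The sample messages are constructed, and the addresses in them are documentation ranges, not real hosts. It shows three things at once: without exclusion, firewall lines land in both files; `flags(final)` only helps when the firewall statement comes first; and the two negated `match()` clauses in a filter like `f_crap` must be joined with `and`, because joined with `or` the filter passes every message.

```python
import re
from dataclasses import dataclass


@dataclass
class LogPath:
    """One syslog-ng `log { ... };` statement, simplified (added model, not syslog-ng code)."""
    filters: list         # predicates on the message text; all must pass
    destination: str      # file the message would be written to
    final: bool = False   # flags(final): stop evaluating later statements


def match(pattern):
    """Model of syslog-ng match("..."): an unanchored regex search on the message."""
    rx = re.compile(pattern)
    return lambda msg: rx.search(msg) is not None


def not_(pred):
    return lambda msg: not pred(msg)


def route(paths, messages):
    """Deliver each message to every path whose filters all pass, in file order.

    A path with flags(final) that accepts a message stops later paths from
    seeing it, which is why statement order matters for that flag.
    """
    delivered = {p.destination: [] for p in paths}
    for msg in messages:
        for p in paths:
            if all(f(msg) for f in p.filters):
                delivered[p.destination].append(msg)
                if p.final:
                    break
    return delivered


# Constructed sample messages (not taken from the thread).
MESSAGES = [
    "kernel: Iptables: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22",
    "sshd[1234]: Accepted publickey for alice from 198.51.100.7 port 51234",
    "syslog-ng[567]: STATS: dropped 0",
]

FIREWALL = "/var/log/firewall.log"
MESSAGES_LOG = "/var/log/messages"
f_fwall = match("Iptables:")


def without_exclusion():
    """The thread's first config: firewall lines land in both files."""
    return route([LogPath([f_fwall], FIREWALL),
                  LogPath([], MESSAGES_LOG)], MESSAGES)


def with_final(firewall_first=True):
    """flags(final) on the firewall path only helps if that path comes first."""
    fw = LogPath([f_fwall], FIREWALL, final=True)
    rest = LogPath([], MESSAGES_LOG)
    order = [fw, rest] if firewall_first else [rest, fw]
    return route(order, MESSAGES)


def f_crap(joiner):
    """The thread's exclusion filter, with its two negated matches joined by 'and' or 'or'."""
    no_stats = not_(match("]: STATS: dropped 0$"))
    no_fw = not_(match("(iptables|Iptables)"))
    if joiner == "or":
        return lambda msg: no_stats(msg) or no_fw(msg)   # true for every message
    return lambda msg: no_stats(msg) and no_fw(msg)      # drops both kinds of line


def with_exclusion(joiner="and"):
    """Firewall path plus a messages path guarded by f_crap."""
    return route([LogPath([f_fwall], FIREWALL),
                  LogPath([f_crap(joiner)], MESSAGES_LOG)], MESSAGES)


if __name__ == "__main__":
    for name, result in [("no exclusion", without_exclusion()),
                         ("final, firewall first", with_final(True)),
                         ("final, messages first", with_final(False)),
                         ("f_crap with or", with_exclusion("or")),
                         ("f_crap with and", with_exclusion("and"))]:
        counts = {dst: len(msgs) for dst, msgs in result.items()}
        print(f"{name:24s} {counts}")
```

Running it prints the per-file message counts for each variant; the instructive rows are "final, messages first", where the catch-all has already written the firewall line before the final path runs, and "f_crap with or", where all three sample lines reach /var/log/messages.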

----------

## iGMAS

```
/var/log/messages {
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
    endscript
}
```

But when I try to test-run the logrotate config I get this error message:

```
/etc/logrotate.d/syslog-ng: line 7: /var/log/messages: Permission denied
/etc/logrotate.d/syslog-ng: line 8: sharedscripts: command not found
/etc/logrotate.d/syslog-ng: line 9: postrotate: command not found
/etc/logrotate.d/syslog-ng: line 11: endscript: command not found
/etc/logrotate.d/syslog-ng: line 12: syntax error near unexpected token `}'
/etc/logrotate.d/syslog-ng: line 12: `}'
```

----------

## spudicus

You don't run /etc/logrotate.d/syslog-ng directly. It's there to be used by logrotate.

How do you usually rotate your logs? Using logrotate?

Has anything changed in /etc/logrotate.conf?

Have your cron jobs changed in anyway?

It may be worth posting your entire syslog-ng.conf file, in case it's responsible.

----------

## iGMAS

syslog-ng conf:

```
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gen$
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett

options {
        long_hostnames(off);
        sync(0);
        # The default action of syslog-ng 1.6.0 is to log a STATS line
        # to the file every 10 minutes.  That's pretty ugly after a while.
        # Change it to every 12 hours so you get a nice daily update of
        # how many messages syslog-ng missed (0).
        stats(43200);
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };

# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

destination d_fwall { file("/var/log/firewall.log"); };

filter f_fwall {
        match("Iptables:");
};

log { source(src); filter(f_fwall); destination(d_fwall); flags(final); };
log { source(src); destination(messages); };

# Both negated matches must hold for a message to pass, hence "and".
filter f_crap {
    not match("]: STATS: dropped 0$")
    and not match("(iptables|Iptables)");
};

# f_messages, f_syslog and the syslog destination are referenced here but
# not defined anywhere in this file.
log { source(src); filter(f_messages); filter(f_crap); destination(messages); };
log { source(src); filter(f_syslog); filter(f_crap); destination(syslog); };
```

/etc/logrotate.conf <-- I don't have that.

And how I usually rotate my logs, I don't know. It has worked before, but after I started with the iptables logging it broke somehow.

----------

## spudicus

Firstly I'd change syslog-ng.conf slightly to:

```
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gen$
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett

options {
        long_hostnames(off);
        sync(0);
        # The default action of syslog-ng 1.6.0 is to log a STATS line
        # to the file every 10 minutes.  That's pretty ugly after a while.
        # Change it to every 12 hours so you get a nice daily update of
        # how many messages syslog-ng missed (0).
        stats(43200);
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

destination messages { file("/var/log/messages"); };
# Separate destination for /var/log/syslog; it needs its own name, since
# destination names must be unique and the log statements below refer to "syslog".
destination syslog { file("/var/log/syslog"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };

# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

destination d_fwall { file("/var/log/firewall.log"); };

filter f_fwall {
        match("Iptables:");
};

log { source(src); filter(f_fwall); destination(d_fwall); };

# Both negated matches must hold for a message to pass, hence "and".
filter f_crap {
    not match("]: STATS: dropped 0$")
    and not match("(iptables|Iptables)");
};

# f_messages and f_syslog must be defined before these statements; the Gentoo
# default file shown above does not define them.
log { source(src); filter(f_messages); filter(f_crap); destination(messages); };
log { source(src); filter(f_syslog); filter(f_crap); destination(syslog); };
```

I've added an entry that specifies the destination to log syslog to, i.e. /var/log/syslog. Also, I've removed the flags(final); entry. As affinity stated, you either use flags(final) or filter out unwanted junk. I also removed the extra log line that was logging to /var/log/messages. You can see here a more comprehensive syslog-ng.conf.

 *iGMAS wrote:*   

> /etc/logrotate.conf <-- I don't have that.
> 
> And how I usually rotate my logs, I don't know. It has worked before, but after I started with the iptables logging it broke somehow.

I don't know how the above rules are breaking log rotation. Usually, to get syslog-ng to rotate logs you need to specify a logfile with a date, as outlined here. However, you can emerge logrotate, which will add /etc/logrotate.conf. This can then be altered to suit your needs. This page here could help set that up.

----------

