# iptables log file

## chimpsky

I would like to move the logs from my iptables to a file of my choosing, currently they are all going to: /var/log/messages. I am using syslog-ng and i assume i have to edit: /etc/syslog-ng/syslog-ng.conf in order to do this, however, im pretty new to linux and gentoo, and have no idea about how to do this. Any suggestions would be very helpful, thanks

----------

## fleed

You need to add a filter and a destination for iptables (like this):

```
destination d_iptables  {file("/var/log/iptables/iptables.log"); };

filter f_iptables { match("\[DROPPED\]"); };

log { source(src_kern); filter(f_iptables); destination(d_iptables);};

```

That takes care of putting your iptables stuff in /var/log/iptables/iptables.log.

If you want to avoid seeing those message in your /var/log/messages file then you have to add a filter to cut them from the logs and add that filter to your definition of /var/log/messages 

```

filter f_notiptables { not match("\[DROPPED\]"); };

log { source(src); source(src_kern); filter(f_notiptables); destination(messages); };
```

Edit: Fixed typo above.Last edited by fleed on Thu Jan 15, 2004 4:11 pm; edited 1 time in total

----------

## chimpsky

thanks

----------

## chimpsky

actually im now having problems, when ever i try to run any iptables command i get the error:

modprobe: Can't locate module ip_tables

iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)

Perhaps iptables or your kernel needs to be upgraded.

when i set up iptables in make menuconfig i didnt  setup anything to be a module if that helps answer this problem, but i dont know how to go about fixing this.

----------

## Decibels

Ya in menuconfig you will see 'IP tables support (required for filtering/Masq/NAT)' in 'Networking options/IP: Netfilter Configuration'

You can compile as module or in the kernel, I have it in kernel.

Plus you have userland iptables you have emerge also:

```
*  net-firewall/iptables

      Latest version available: 1.2.8-r1

      Latest version installed: 1.2.8-r1

      Size of downloaded files: 122 kB

      Homepage:    http://www.iptables.org/

      Description: Kernel 2.4 firewall, NAT and packet mangling tools
```

----------

## chimpsky

Actually, ignore what i said about the modprobe error. My problem is that after adding the lines of code to my syslog-ng.conf that fleed has suggested I get errors durring the boot sequence saying that syslog-ng, iptables, and vixie-cron have all failed to start. I dont know why this is I double checked all spelling in the code, if I take those lines out of the syslog-ng file everything works fine however my logs are still getting sent to messages. Any suggestions on how to make this work would be very helpful, thanks

----------

## Decibels

recopy the:

```
log { source(src); source(src_kern); filter(f_notiptables); destination(messages); };
```

typo fixed.

----------

## Decibels

Cool, started watching this post in hopes of starting to clean up my log files.

I was seeing multiple stuff in log of things, like kern.log, syslog and messages.

So made the /var/log/iptables/iptables.log and got that going, then started filtering out all the stuff from pings, drops,... from the ones mentioned above.

Working so far, going to play with it some more. Here is what have so far, that have changed: (create /var/log/iptables/iptables.log)

```
 ## SOURCES

source src { 

   unix-stream("/dev/log");

   internal(); 

   udp();

   tcp(port(5140) keep-alive(yes));

};

# Added this back by itself. In with other seems to clog up logs.

# Was in with src, but use to be on it's own like this

source kern_src { pipe("/proc/kmsg"); };

## DESTINATIONS

# Firewall

#

destination iptables  {file("/var/log/iptables/iptables.log"); };

## FILTERS

filter f_messages { level(info..warn) 

   and not facility(auth, authpriv, mail, news, cron, daemon); };

filter f_portsentry { program("portsentry") or match("(PING|INVALID|DROP)"); };

filter f_noportsentry { not program("portsentry"); };

filter f_noiptables{ not match("(PING|INVALID|DROP)"); };

## LOG STATEMENTS

log { source(src); filter(f_syslog); filter(f_noportsentry); destination(syslog); };

log { source(src); filter(f_daemon); filter(f_noportsentry); destination(daemon); };

log { source(kern_src); filter(f_kern); filter(f_noiptables); destination(kern); };

log { source(src); filter(f_messages); destination(messages); };

# Added new /var/log/iptables/iptables.log and sending there for portsentry and iptables.

log { source(kern_src); source(src); filter(f_portsentry); destination(iptables); };

```

* Needed both sources with iptables.log to get kernel messages (pings,drops,..) and to get program portsentry. 

Some rules to remember when doing the filters and logs:

```
## FILTERS

# You can create filters using the filter keyword:

# filter <filtername> { expression; };

# Where  expression  is a simple boolean expression. You can use "and",

# "or" and "not" to connect builtin functions. Functions can be one of:

# * facility(list of comma seperated facility names)

## where 'facility' is new statement optional for syslog, 'xxx' is choice of 

## 'auth', 'authpriv', 'cron', 'daemon', 'ftp', 'kern', 'lpr', 'mail', 'mark',

## 'news', 'security' (same as auth), 'syslog', 'user', 'uucp' and 'local0' through 'local7'

#

# * level(list of comma seperated priority names OR a range separated by "..")

## debug, info, notice, warn, crit, alert, emerg, err

#

# * program(regexp to match program name)

# * host(regexp to match program name)

# * match(regexp to match program name)
```

```
## LOG STATEMENTS

# You can connect sources and destinations using the log statement:

# log { source S1; source S2; ... filter F1; filter F2; ... destination D1; destination D2; ... };

# Where  Sx  refers  to  one of the declared log sources, Fx one of the filters and Dx one of the destinations.

# Filters are ANDed together
```

The last line is the thing to remember and try to do your boolean in the filters. Makes it much easier, because you get AND, OR, NOT in the filters, where as only AND in the logs.

----------

