# [SOLVED] syslog-ng filters and iptables.

## cibonato

Well, I'm trying to log iptables messages to a separate file. 

I set syslog-ng this way:

```
options {
        chain_hostnames(no);
        # The default action of syslog-ng is to log a STATS line
        # to the file every 10 minutes.  That's pretty ugly after a while.
        # Change it to every 12 hours so you get a nice daily update of
        # how many messages syslog-ng missed (0).
        stats_freq(43200);
};

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};

destination messages { file("/var/log/messages"); };
destination iptables { file("/var/log/iptables.log"); };
destination console_all { file("/dev/tty12"); };

filter f_iptables { match("^IPTABLES" value("MESSAGE")); };
filter f_messages { not filter(f_iptables); };

log { source(src); filter(f_iptables); destination(iptables); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); destination(console_all); };
```

On the other hand, the prefixes iptables is set to use are "SSH IN: ", "IPTABLES BLOCK: ", "IPTABLES INVALID (ppp0): " and "IPTABLES INVALID (eth1): ". Right now, what I want to do is to put all the messages beginning with IPTABLES in a new file.

Using the filters I pasted above, it is not working. The file /var/log/iptables.log is not even created and /var/log/messages receives all IPTABLES messages.

Suggestions?

Greetings.

----------

## erik258

What you have seems more or less right, but there must be some small flaw.  

Since it's failing both to spawn a separate logfile and to filter these messages from the main logfile, it seems logical to assume that the filter you've written is failing to match anything.  Looking into it, you're using the "match( regexp value($MACRO) )" syntax described in the syslog-ng manpage (see below).  The only $MACRO values I can find in the manpage are MSG and MSGHDR.  I don't see a mention of the macro you're supplying, MESSAGES.  But looking a little farther into it, I find that a match on the MSG section of log messages is the equivalent of the message(regexp) filter.  So I think there are two possible reasons this isn't working for you: 1) that the MESSAGES macro is indeed incorrect as I've suggested here, and that you should use MSG instead, or better yet, the message filter:

```
filter f_iptables { message("^IPTABLES"); };
```

Or 2) that IPTABLES is actually in the message header.  In which case you'd probably want to simplify that filter line down to something like:

```
filter f_iptables { match("^IPTABLES"); };
```

I learned all this from the man pages on syslog-ng.conf.  Try `man syslog-ng.conf` and `man syslog-ng` to dig deeper for yourself.  The manpages are invaluable resources, and many common system daemons like syslog-ng also provide manpages for their configuration files, which are incredibly helpful in circumstances such as this.   

If you have further problems, I recommend looking at the syslog-ng man page (man syslog-ng) to discover how to use the -d option to run syslog-ng in debugging mode.  That might help you get an error from syslog that can point you in the right direction.  Finally, this appears to be the definitive syslog-ng 3.0 admin guide, as referenced by the syslog-ng.conf man page (man syslog-ng.conf):

http://www.balabit.com/support/documentation/documents/syslog-ng-v3.0-guide-admin-en.html/bk01-toc.html

Let the forums know if it helps!

----------

## Anon-E-moose

For me (the relevant lines from syslog-ng.conf):

```
destination iptables { file("/var/log/firewall" perm(0640)); };

filter f_iptables { match("IPTABLES:"); };

filter f_messages { level(info..warn) and not filter (f_iptables) and not filter (f_sudo) and not filter (f_snort) and not facility(cron, mail, auth, authpriv); };

log { source(src); filter(f_iptables); destination(iptables); };
```

----------

## cibonato

Dear erik258, thank you very much for writing these words, but none of your suggestions solved the problem (by the way, I tried them before posting to the forum). Please believe me, I also checked the manpages and the syslog-ng Admin Guide.

For example, if you check section 3.6 of this guide you'll see they suggest using MESSAGE macro instead of MSG macro:

```
filter demo_filter { host("example") and match("deny" value("MESSAGE")); };
```

You're correct that there's no MESSAGE macro in the syslog-ng.conf manpage, but using MESSAGE or MSG does not change the results. I mean, I don't get iptables messages in a different file. In both cases syslog-ng does not complain about syntax problems, so it does not seem wrong to suppose both syntaxes are correct.

On the other hand, if I use this filter:

```
filter f_iptables { message("^IPTABLES"); };
```

I still don't get what I want, and using this one:

```
filter f_iptables { match("^IPTABLES"); };
```

Makes the system give a warning regarding deprecated options:

```
WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;
```

Here is a typical message iptables is logging to /var/log/messages; it makes me suppose that trying to match the "^IPTABLES" regex is correct.

```
Apr 24 14:23:46 localhost kernel: [81644.840270] IPTABLES BLOCK: IN=ppp0 OUT= MAC= SRC=aaa.bbb.ccc.ddd DST=xxx.yyy.zzz.ttt LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=12886 DF PROTO=TCP SPT=3615 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
```

So let's keep trying to solve this issue. Thank you again very much for your time; once I get this solved I'll update this post.

Greetings.

----------

## cibonato

It's solved... the suggestion Anon-E-moose gave did the trick. It seems it is mandatory to set the filter based upon the log level. I made some changes to what was posted in this thread and this is what I have now:

```
options {
        chain_hostnames(no);
        stats_freq(43200);
};

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};

destination messages { file("/var/log/messages"); };
destination iptables { file("/var/log/iptables.log"); };
destination console_all { file("/dev/tty12"); };

filter f_iptables { match("IPTABLES" value("MESSAGE")); };
filter f_messages { (level(info..warn) and not filter (f_iptables)); };

log { source(src); filter(f_iptables); destination(iptables); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); destination(console_all); };
```

Everything is working as expected and I'm pretty happy! Thanks very much to all of you guys.
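As an added illustration that is not part of the thread, here is a small Python simulation of the two f_iptables variants (the original `^IPTABLES` and the working unanchored `IPTABLES`) applied to message bodies like the ones above. It assumes, consistent with the kernel line shown in /var/log/messages, that the MESSAGE macro for a /proc/kmsg line still carries the kernel's `[seconds]` printk timestamp in front of the IPTABLES prefix, so an anchored regex never sees "IPTABLES" at position zero; the sample messages are constructed.

```python
import re

# The thread's two f_iptables filters, as Python regexes over the body
# syslog-ng exposes through the MESSAGE macro.
FILTERS = {
    "anchored": re.compile(r"^IPTABLES"),   # match("^IPTABLES" value("MESSAGE"))
    "unanchored": re.compile(r"IPTABLES"),  # match("IPTABLES" value("MESSAGE"))
}

# Constructed sample message bodies (hypothetical, for illustration).
# The first mirrors the thread's kernel line: the printk "[seconds]" stamp is
# assumed to be part of the body syslog-ng matches against.
SAMPLE_MESSAGES = [
    "[81644.840270] IPTABLES BLOCK: IN=ppp0 OUT= MAC= SRC=aaa.bbb.ccc.ddd "
    "DST=xxx.yyy.zzz.ttt LEN=48 PROTO=TCP SPT=3615 DPT=6881 SYN",
    # A firewall line without a leading printk timestamp.
    "IPTABLES INVALID (eth1): IN=eth1 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP",
    # An unrelated message that must stay in the main log.
    "Accepted publickey for alice from 10.0.0.7 port 51234 ssh2",
]


def route(message, f_iptables):
    """Mirror the thread's log paths: f_iptables -> iptables.log, and the
    complement filter (not filter(f_iptables)) -> messages."""
    if f_iptables.search(message):
        return "/var/log/iptables.log"
    return "/var/log/messages"


def route_all(messages, filter_name):
    """Map each message body to the file it would land in under one filter."""
    return {m: route(m, FILTERS[filter_name]) for m in messages}


def missed_firewall_lines(messages, filter_name):
    """Firewall lines the chosen filter lets fall through to /var/log/messages.
    A non-empty result is the symptom from the thread: no iptables.log, and the
    main log still receives every IPTABLES line."""
    routed = route_all(messages, filter_name)
    return [m for m, dest in routed.items()
            if "IPTABLES" in m and dest == "/var/log/messages"]


if __name__ == "__main__":
    for name in FILTERS:
        print(name, "misses:", missed_firewall_lines(SAMPLE_MESSAGES, name))
```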

----------

