# Syslog-ng Separate IPTables Log [SOLVED]

## rldawson

For quite some time now I have been trying to get syslog-ng to generate/use a separate log file for iptables. It would seem that the sources that I have looked at via Google do not help and I am now lost. Syslog-ng will not generate a log file, but the "iptables:" filter does seem to work and is placed in kern.log. I can only assume that I am missing something, or  syslog-ng is faulty somehow. 

This is the current state of my syslog-ng.conf file:

```
options {

   chain_hostnames(no);

   stats_freq(43200);

};

source src {

    unix-stream("/dev/log");

    internal();

};

source kernsrc {

    file("/proc/kmsg");

};

destination firewall { file("/var/log/firewall.log"); };

destination authlog { file("/var/log/auth.log"); };

destination _syslog { file("/var/log/syslog"); };

destination cron { file("/var/log/cron.log"); };

destination daemon { file("/var/log/daemon.log"); };

destination kern { file("/var/log/kern.log"); file("/dev/tty12"); };

destination lpr { file("/var/log/lpr.log"); };

destination user { file("/var/log/user.log"); };

destination uucp { file("/var/log/uucp.log"); };

#destination ppp { file("/var/log/ppp.log"); };

destination mail { file("/var/log/mail.log"); };

destination avc { file("/var/log/avc.log"); };

destination audit { file("/var/log/audit.log"); };

destination pax { file("/var/log/pax.log"); };

destination grsec { file("/var/log/grsec.log"); };

destination mailinfo { file("/var/log/mail.info"); };

destination mailwarn { file("/var/log/mail.warn"); };

destination mailerr { file("/var/log/mail.err"); };

destination newscrit { file("/var/log/news/news.crit"); };

destination newserr { file("/var/log/news/news.err"); };

destination newsnotice { file("/var/log/news/news.notice"); };

destination debug { file("/var/log/debug"); };

destination messages { file("/var/log/messages"); };

destination console { usertty("root"); };

destination console_all { file("/dev/tty12"); };

#destination loghost { udp("loghost" port(999)); };

destination xconsole { pipe("/dev/xconsole"); };

filter f_auth { facility(auth); };

filter f_authpriv { facility(auth, authpriv); };

filter f_syslog { not facility(authpriv, mail); };

filter f_cron { facility(cron); };

filter f_daemon { facility(daemon); };

filter f_firewall { match("^iptables: " value("MESSAGE")); };

filter f_kern { facility(kern) and not filter(f_firewall);};

#filter f_kern { facility(kern); };

filter f_lpr { facility(lpr); };

filter f_mail { facility(mail); };

filter f_user { facility(user); };

filter f_uucp { facility(uucp); };

#filter f_ppp { facility(ppp); };

filter f_news { facility(news); };

filter f_debug { not facility(auth, authpriv, news, mail); };

filter f_messages { level(info..warn)

   and not facility(auth, authpriv, mail, news); };

filter f_emergency { level(emerg); };

filter f_info { level(info); };

filter f_notice { level(notice); };

filter f_warn { level(warn); };

filter f_crit { level(crit); };

filter f_err { level(err); };

filter f_avc { message(".*avc: .*"); };

filter f_audit { message("^(\\[.*\..*\] |)audit.*") and not message(".*avc: .*"); };

filter f_pax { message("^(\\[.*\..*\] |)PAX:.*"); };

filter f_grsec { message("^(\\[.*\..*\] |)grsec:.*"); };

log { source(kernsrc); filter(f_firewall); destination(firewall); };

log { source(src); filter(f_authpriv); destination(authlog); };

log { source(src); filter(f_syslog); destination(_syslog); };

log { source(src); filter(f_cron); destination(cron); };

log { source(src); filter(f_daemon); destination(daemon); };

log { source(kernsrc); filter(f_kern); destination(kern); };

log { source(src); filter(f_lpr); destination(lpr); };

log { source(src); filter(f_mail); destination(mail); };

log { source(src); filter(f_user); destination(user); };

log { source(src); filter(f_uucp); destination(uucp); };

log { source(kernsrc); filter(f_pax); destination(pax); };

log { source(kernsrc); filter(f_grsec); destination(grsec); };

log { source(kernsrc); filter(f_audit); destination(audit); };

log { source(kernsrc); filter(f_avc); destination(avc); };

log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };

log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };

log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };

log { source(src); filter(f_news); filter(f_crit); destination(newscrit); };

log { source(src); filter(f_news); filter(f_err); destination(newserr); };

log { source(src); filter(f_news); filter(f_notice); destination(newsnotice); };

log { source(src); filter(f_debug); destination(debug); };

log { source(src); filter(f_messages); destination(messages); };

log { source(src); filter(f_emergency); destination(console); };

#log { source(src); filter(f_ppp); destination(ppp); };

log { source(src); destination(console_all); };
```

Last edited by rldawson on Wed Jun 22, 2011 1:36 pm; edited 1 time in total

----------

## andrewthomas

Here are the lines I use to log iptables to a separate log file and exclude them from /var/log/messages

```
destination iptables { file("/var/log/iptables"); };

filter f_iptables { facility(kern) and match("IN=" value("MESSAGE")) and match("OUT=" value("MESSAGE")); };

filter f_messages { not facility(auth, authpriv, kern) and not filter(f_iptables); };

log { source(kernsrc); filter(f_iptables); destination(iptables); };
```

----------

## rldawson

Thank-you so much. That worked very well.  :Smile: 

----------

## andrewthomas

You are welcome.

Glad to be of help.

----------

## Tiberian

This is what I do:

```

iptables -A OUTPUT -j LOG --log-prefix firewall:

ip6tables -A OUTPUT -j LOG --log-prefix firewall6:

iptables -A INPUT -j LOG --log-prefix firewall:

ip6tables -A INPUT -j LOG --log-prefix firewall6:

$iptables -A INPUT -p tcp --dport ! 135 -j LOG --log-prefix firewall:

$iptables -A INPUT -i ! ppp0 -j LOG --log-prefix firewall:

iptables -A FORWARD -j LOG --log-prefix firewall:

ip6tables -A FORWARD -j LOG --log-prefix firewall6:

```

which puts a prefix in every line, that iptables puts out.

```

filter f_firewall { match(".*firewall:.*") or match(".*firewall6:.*"); };

```

filters it out[/quote]

----------

