# Where are the iptables log files?

## bonito

I was hoping to find some sort of error log for iptables in order to better understand what is going wrong with rules I am programming into it. I have looked all over and cannot find anything. Where in the Gentoo distribution are iptables log files stored? If I have to make them and set the machine to write to them manually can someone explain how I would do this?

----------

## id10t

Use gShield (muse.linuxmafia.org) - really easy to set up and configure. All of my iptables messages go to /var/log/messages

----------

## klieber

*bonito wrote:*

> If I have to make them and set the machine to write to them manually can someone explain how I would do this?

Look at syslogd and syslog.conf.  That will let you define separate log files for various apps.

--kurt

----------

## trapni

Well, that's exactly what I'd like to have for iptables and scanlogd separately, so, could you please give me a quick'n'dirty example exact for RTFM me what such an entry would look like for syslog-ng?

iptables: /var/log/firewall/iptables

scanlogd: /var/log/firewall/scanlogd

And, btw, is it possible to split the output of iptables (by prefix of the LOG rule) into separate log files as well?

Thanks in advance,

Christian Parpart.

----------

## klieber

Basically, you set up a "localX" log in syslog.conf where "X" is some number.  Then, in your iptables script, you use '--log-level localX' to define where the log should go.

man syslog.conf

man syslogd

are two places to start. Also, try searching Google. It came up with this post among others.

--kurt

----------

## bonito

OK, so here is what I have for my metalog addition:

```
Iptables :
  facility = "local1"
  minimum  = 7
  logdir   = "/var/log/iptables"
```

If after that I set iptables conditions for logging under the --log-level local1, will it start logging all activity with iptables to that directory?

----------

## klieber

Eh...not sure for metalog.  I use plain old syslog.  

Anyone else here a metalog guru?

--kurt

----------

## bonito

I just installed sysklogd (syslogd?) on my system. I removed metalog, and I can see some logging taking place in certain files. When I use the --log-level local3 after editing the syslog.conf file, it gives me the error message that local3 is an unrecognized log level.

----------

## trapni

Okay, I was googling for a while and found something really interesting for syslog-ng:

```
destination d_fw { file("/var/log/firewall"); };

filter f_fw { match("fw-"); };

log { source(kernsrc); filter(f_fw); destination(d_fw); };
```

This tiny addon in my syslog-ng.conf puts all the netfilter messages logged with a prefix containing "fw-" into my special log file, /var/log/firewall. That's great!

You can filter any expression from any log input device and put it into a separate file for better analysis :)

Cheers,

Christian Parpart.

----------

## rajl

Having just read this post, I'm really confused. I'm using syslogd right now, but local3 is a facility, not a log level, so my iptables script gives me errors if I try to log traffic with a "--log-level local3" as has been recommended here.

Can anyone shed light on this issue? I really would like to be able to log my iptables data to a separate log file. I'm even willing to switch system loggers if someone can tell me how to do it in another system logger other than plain old syslogd.

----------
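Added example, not part of any post in this thread: the iptables LOG target writes through the kernel log, so its messages carry the `kern` facility and `--log-level` only chooses the severity (`debug` through `emerg`); a separate file therefore has to be selected by the `--log-prefix` text, as the syslog-ng filter above does. The Python below decodes the syslog priority and groups raw lines by prefix. The `fw-` marker comes from that post; the function names, the `fw-drop` and `fw-ssh` prefixes and the abbreviated sample lines are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 3: "daemon", **{16 + n: f"local{n}" for n in range(8)}}
# "<PRI>", optional text (timestamp, --log-prefix), then the LOG record starting at "IN=".
LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<head>.*?)(?P<body>IN=\S* OUT=\S* .*)$")

# Constructed sample input (documentation addresses), not taken from the thread.
SAMPLE = [
    "<4>fw-drop: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 DF PROTO=TCP SPT=51514 DPT=23 SYN",
    "<6>fw-ssh: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=60 TTL=55 DF PROTO=TCP SPT=40222 DPT=22 SYN",
    "<6>eth0: link up, 100Mbps full duplex",
    "<30>sshd[812]: Server listening on 0.0.0.0 port 22.",
    "<150>fw-drop: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP DPT=23",  # user-space imitation
]

def decode_pri(pri):
    """PRI = facility * 8 + severity; return both as names."""
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, str(facility)), SEVERITIES[severity]

def classify(line, marker="fw-"):
    """Return prefix, severity and key fields of a netfilter LOG line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    start = m["head"].find(marker)
    # LOG output is written by the kernel, so anything not in "kern" is not netfilter's.
    if facility != "kern" or start < 0:
        return None
    fields = dict(kv.split("=", 1) for kv in m["body"].split() if "=" in kv)
    return {"prefix": m["head"][start:].strip().rstrip(":"), "severity": severity,
            "src": fields.get("SRC"), "dpt": fields.get("DPT")}

def split_by_prefix(lines):
    """Group raw lines by their LOG prefix, one bucket per would-be log file."""
    buckets = defaultdict(list)
    for line in lines:
        rec = classify(line)
        if rec:
            buckets[rec["prefix"]].append(line)
    return dict(buckets)

if __name__ == "__main__":
    for prefix, lines in split_by_prefix(SAMPLE).items():
        print(f"/var/log/firewall/{prefix}: {len(lines)} line(s)")
```

Requiring the `kern` facility as well as the prefix keeps a message sent from user space with the same text out of the firewall log.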

