# iptables syslog

## trscookie

Hello all,

I have created some syslog rules; however, I am still in a bit of a pickle. I am trying to get my own iptables log file, like so:

```
@version: 3.2

options {
    chain_hostnames(off);
    stats_freq(43200);
    owner(root);
    perm(0640);
    dir_perm(0740);
    create_dirs(yes);
    use_fqdn(no);
    keep_hostname(yes);
    use_dns(no);
};

# source where to read log
source src { unix-stream("/dev/log"); internal(); };

# kernel messages
source kernsrc { file("/proc/kmsg"); };

# from a chrooted bind install
source namedsrc { unix-stream("/var/named/chroot/dev/log"); };

# define destinations
destination authlog { file("/var/log/authlog"); };
destination cron { file("/var/log/cronlog"); };
destination daemon { file("/var/log/daemon"); };
destination kern { file("/var/log/kernlog"); };
destination user { file("/var/log/userlog"); };
destination mail { file("/var/log/maillog"); };
destination iptables { file("/var/log/iptables"); };
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };

# filters by facility
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); };

# filters by level
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };

# filters by message content: match() takes the pattern first, then the field to search
filter f_firewall { match("iptables: " value("MESSAGE")); };
filter f_failed { match("failed" value("MESSAGE")); };
filter f_denied { match("denied" value("MESSAGE")); };

# log paths
log { source(src); filter(f_firewall); destination(iptables); };
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
log { source(src); destination(console_all); };
```

I have added in my iptables save file:

```
-A INPUT -j LOG --log-prefix "iptables: "
```

However, the output is dumped in /var/log/kernlog. Is there any way that I can dump my iptables log in /var/log/iptables?

Many thanks in advance,

trscookie.

----------

## cdstealer

Hi trscookie,

Here's what I have that works for me; hopefully it will help you.

I have this in syslog-ng.conf:

```
destination firewall { file("/var/log/firewall/firewall.log"); };

# discard noise: dropped packets with no source address (e.g. DHCP discovers)
filter f_firewall_discard { match("Dropped" value(MESSAGE)) and match("SRC=0.0.0.0" value(MESSAGE)); };

# everything the LOG target emits, whether the prefix was parsed as the program name or left in the message
filter f_firewall { program("iptables") or match("Dropped" value(MESSAGE)); };

# order matters: the discard path runs first, and flags(final) stops further processing
log { source(src); filter(f_firewall_discard); flags(final); };
log { source(src); filter(f_firewall); destination(firewall); flags(final); };
```

Then I have this in my iptables script:

```
iptables -A INPUT -j LOG --log-level 6 --log-prefix "Dropped: "
```
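How cdstealer's approach maps onto the configuration in the first post, as an added example that is not code from either poster. It reuses the `kernsrc`, `iptables` and `kern` names from the first post and assumes syslog-ng 3.x semantics: log statements are evaluated in order and `flags(final)` stops a matched message from reaching later statements. The `program_override()` and `flags(kernel)` options on the `/proc/kmsg` source, and the description of how syslog-ng parses the LOG prefix, are assumptions to check against your syslog-ng version.

```conf
# Added example (not from either post). The iptables LOG target writes through
# the kernel log with facility kern, so its messages only ever arrive on the
# source that reads /proc/kmsg. In the first post the firewall filter was
# attached to source(src), which never sees them, and the only statement on
# kernsrc sent every kernel message to /var/log/kernlog.
source kernsrc { file("/proc/kmsg" program_override("kernel") flags(kernel)); };

destination iptables { file("/var/log/iptables"); };
destination kern     { file("/var/log/kernlog"); };

# With program_override("kernel") the message text keeps its "iptables: "
# prefix, so it can be matched at the start of $MESSAGE. Without
# program_override, syslog-ng parses that prefix as the program name instead,
# which is why program("iptables") (cdstealer's form) works. The "or" covers both.
filter f_firewall { program("iptables") or match("^iptables: " value("MESSAGE")); };

# Optional: drop noise before it reaches any file, e.g. DHCP discovers that
# log with SRC=0.0.0.0 (mirrors cdstealer's f_firewall_discard).
filter f_firewall_discard { filter(f_firewall) and match("SRC=0.0.0.0" value("MESSAGE")); };

filter f_kern { facility(kern); };

# Statements are evaluated top to bottom. flags(final) on the firewall paths
# means a LOG message is written once to /var/log/iptables and never to kernlog;
# the generic kern path must come last.
log { source(kernsrc); filter(f_firewall_discard); flags(final); };
log { source(kernsrc); filter(f_firewall); destination(iptables); flags(final); };
log { source(kernsrc); filter(f_kern); destination(kern); };
```

Two caveats on the iptables side. A bare `-A INPUT -j LOG` rule with no match logs every packet that hits INPUT, accepted or not; in practice the LOG rule goes immediately before the DROP it is meant to explain and is rate-limited with `-m limit --limit 5/min --limit-burst 10` so a flood cannot fill the disk. The LOG target's default `--log-level` is warning (4); setting it explicitly, as cdstealer does with level 6 (info), keeps the messages from also matching level-based filters such as `f_warn`.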

----------

## trscookie

Nice one, cheers.

----------

