In this tutorial I am going to show you how to customize rsyslog so that iptables log messages are written to a separate log file. This is useful if you want to look only at the iptables log, and it also helps you understand how packets flow through the iptables chains.
- Create a new config file in the /etc/rsyslog.d/ folder. If there is already a default config file in there, make sure the new file's name starts with a number lower than the default config file's, so that rsyslog reads it first.
- Add the following to the new config file.
nano /etc/rsyslog.d/10-iptables.conf
# Log kernel generated iptables log messages to file
:msg,contains,"\[IPT_" /var/log/iptables.log
# "& stop" discards the message after the action above, so it is only logged to iptables.log and not duplicated in syslog/messages.
& stop
Do take note that "\[IPT_" is the custom log prefix that I have set for the logging in my iptables, so it might be different from yours. Also, \[ is the escaped form of [ in the rsyslog string syntax, i.e. \[ = [.
- Make sure you add the new log file to the logrotate configuration, otherwise the file grows without limit and you can run out of disk space. Add the following line to /etc/logrotate.d/rsyslog, alongside the other log file paths that are already listed there.
nano /etc/logrotate.d/rsyslog
/var/log/iptables.log
- Restart the rsyslog service so that the new config is loaded.
systemctl restart rsyslog
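To check which lines the filter above would send to the new file, and to read the file afterwards, here is an added Python example (not part of this post) that applies the same substring test as the :msg,contains,"[IPT_" filter and then splits the kernel LOG fields. The sample lines, the [IPT_...] prefixes and the addresses are constructed for the example and assume the prefix was set with --log-prefix on the LOG rules as described above.

```python
import re
from collections import Counter

# Constructed sample lines (not real captures) in the form rsyslog receives
# them from the kernel. "[IPT_...]" is assumed to be the --log-prefix set on
# the iptables LOG rules, as described on this page.
SAMPLE_LINES = [
    "Jan 10 12:00:01 host kernel: [IPT_INPUT_DROP] IN=eth0 OUT= SRC=203.0.113.5 "
    "DST=192.0.2.10 LEN=60 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=22 SYN URGP=0",
    "Jan 10 12:00:02 host kernel: [IPT_FORWARD_ACCEPT] IN=eth0 OUT=eth1 SRC=192.0.2.10 "
    "DST=198.51.100.7 LEN=84 TTL=63 ID=12345 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    "Jan 10 12:00:03 host kernel: usb 1-1: new high-speed USB device number 2",
    "Jan 10 12:00:04 host sshd[1234]: Accepted publickey for admin from 192.0.2.20",
    "Jan 10 12:00:05 host kernel: [IPT_INPUT_DROP] IN=eth0 OUT= SRC=203.0.113.5 "
    "DST=192.0.2.10 LEN=40 PROTO=UDP SPT=4444 DPT=53 LEN=20",
]

# RFC 3164 style line: "Mon DD HH:MM:SS host tag: msg"
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
PREFIX_RE = re.compile(r"^\[(?P<prefix>IPT_[^\]]*)\]\s*(?P<rest>.*)$")

def msg_part(line):
    """Return the rsyslog 'msg' property, i.e. the text after the tag."""
    m = SYSLOG_RE.match(line)
    return m.group("msg") if m else line

def matches_iptables_filter(line, needle="[IPT_"):
    """Same test as ':msg,contains,"[IPT_"': a plain substring test on the msg part."""
    return needle in msg_part(line)

def parse_iptables_msg(msg):
    """Split a kernel LOG message into (prefix, key=value fields, bare flags)."""
    m = PREFIX_RE.match(msg)
    if not m:
        return None
    fields, flags = {}, []
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            # ID and LEN recur (IP header vs ICMP/UDP); keep the first, the IP header value
            fields.setdefault(k, v)
        else:
            flags.append(tok)          # DF, SYN, ACK, ... carry no value
    return m.group("prefix"), fields, flags

def summarize(lines):
    """Count entries per (chain prefix, SRC, DST, PROTO, DPT) as iptables.log would hold them."""
    counts = Counter()
    for line in lines:
        if not matches_iptables_filter(line):
            continue                   # rsyslog would route these lines elsewhere
        parsed = parse_iptables_msg(msg_part(line))
        if parsed:
            prefix, f, _ = parsed
            counts[(prefix, f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts
```

Run summarize() over the real /var/log/iptables.log once rsyslog is restarted; the prefix in the key tells you which chain and verdict produced each line.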