In this tutorial I am going to show you how to customized rsyslog to log multiple iptables log (with different prefix) to different log files. This is useful if you want to look at specific iptables log and also understand how packets flow through the iptables.
- Create a new config file in the /etc/rsyslog.d/ folder. If there is a default config file in there make sure to create a config file starting with a number lower than the default config file.
- Add the following to the new configure file. (Example, I have created a conf file lower than the default 50-<filename>.conf
nano /etc/rsyslog.d/10-iptables.conf
#Log kernel generated iptables log messages to different files You need to make sure that you have the necessary –log-prefix in the iptables config.
if ($msg contains “IPTSSHNew”) then {
action(type=”omfile” file=”/var/log/iptables_ssh.log”)
& stop
} else if ($msg contains “IPTINDeny”) then {
action(type=”omfile” file=”/var/log/iptables.log”)
& stop
}
Do take note that “IPTSSHNew” and “IPTINDeny” is the custom log prefix that I have set for the logging in my iptables. So it might be different from yours.
- Make sure you add the new log file to the logrotate daemon to avoid running out of disk space with too much logs. Add the following line to the /etc/logrotate.d/rsyslog
nano /etc/logrotate.d/rsyslog
/var/log/iptables.log
/var/log/iptables_ssh.log
Restart the rsyslog service.
sudo systemctl restart rsyslog
You might need to save and restart the iptables too if you just added the config.
sudo netfilter-persistent save
sudo systemctl restart iptables