Firewall logging is very important, both to detect break-in attempts and to ensure that firewall rules are working properly. Unfortunately, it’s often difficult to predict in advance which rules and what information should be logged. Consequently, it’s common practice to err on the side of verbosity. Given the amount of traffic that any machine connected to the Internet is exposed to, it’s critical that firewall logs be separated from normal logs in order to ease monitoring. What follows are two methods to accomplish this using iptables on Linux. The first method uses traditional syslog facility/priority filtering. The second, more robust method filters based on message content with rsyslog.
The Old Way: Use a Fixed Priority for iptables
The traditional UNIX syslog service only has two ways to categorize, and consequently route, messages: facility and priority. Facilities include kernel, mail, daemon, etc. Priorities include emergency, alert, warning, debug, etc. The Linux iptables firewall runs in the kernel and therefore always has the facility set to kern. Using traditional syslog software, the only way you can separate iptables messages from other kernel messages is to set the priority on all iptables messages to something specific that hopefully isn’t used for other kernel logging.
For example, you could add something like the following to /etc/syslog.conf:
kern.=debug -/var/log/iptables.log
and specifically remove the kernel debugging messages from all other logs like so:
kern.*;kern.!=debug -/var/log/kern.log
and in each iptables logging rule use the command line option --log-level debug.
There are two distinct disadvantages to this approach. First, there’s no guarantee that other kernel components won’t use the priority you’ve set iptables to log at. There’s a real possibility that useful messages will be lost in the deluge of firewall logging. Second, this approach prevents you from actually setting meaningful priorities in your firewall logs. You might not care about random machines hammering Windows networking ports, but you definitely want to know about malformed packets reaching your server.
The New Way: Filter Based on Message Content with rsyslog
rsyslog is mostly a drop-in replacement for a tradtional syslog daemon–on Linux, klogd and sysklogd. In fact, on Debian and Ubuntu, you can simply:
$ sudo apt-get install rsyslog
and if you haven’t customized /etc/syslog.conf, logging should continue to work in precisely the same way. rsyslog has been the default syslog on Red Hat/Fedora based systems for a number of versions now, but if it’s not installed:
$ sudo yum install rsyslog
Configure iptables to Use a Unique Prefix
We’ll setup rsyslog to filter based on the beginning of a message from iptables. So, for each logging rule in your firewall script, add --log-prefix "iptables: ". Most firewall builder applications can be easily configured to add a prefix to every logging rule. For example, if you’re using firehol as I am, you could add:
FIREHOL_LOG_PREFIX="firehol: "
to /etc/firehol/firehol.conf.
Configure rsyslog to Filter Based on Prefix
Create /etc/rsyslog.d/iptables.conf with the following contents:
:msg, startswith, "iptables: " -/var/log/iptables.log & ~
The first line means send all messages that start with “iptables: ” to /var/log/iptables.log. The second line means discard the messages that were matched in the previous line. The second line is of course optional, but it saves the trouble of explicitly filtering out firewall logs from subsequent syslog rules.
When I configured this on my own machines, I did notice one issue that may be a peculiarity of firehol, but it’s probably worth mentioning anyway. It seems that firehol adds an extra single quote at the beginning of log messages that needs to be matched in the rsyslog rule. For example, here’s a log message from firehol:
Apr 17 12:41:07 tick kernel: 'firehol: 'IN-internet':'IN=eth0 OUT= MAC=fe:fd:cf:c0:47:b5:00:0e:39:6f:48:00:08:00 SRC=189.137.225.191 DST=207.192.75.74 LEN=64 TOS=0x00 PREC=0x00 TTL=32 ID=5671 DF PROTO=TCP SPT=3549 DPT=5555 WINDOW=65535 RES=0x00 SYN URGP=0
Notice the extra quote after “kernel: ” and before “firehol: “. So, on my machine I configured the rsyslog filter like so:
:msg, startswith, "'firehol: " -/var/log/iptables.log & ~
Configure iptables Log Rotation
Finally, since we’re logging to a new file, it’s useful to create a log rotation rule. Create a file /etc/logrotate.d/iptables with the following contents:
/var/log/iptables.log
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
invoke-rc.d rsyslog reload > /dev/null
endscript
}
The preceding script tells logrotate to rotate the firewall log daily and keep logs from the past seven days.
Thanks for the tip, but I couldn’t actually get it to work verbatim. The log messages for me look like this:
Jul 1 10:34:57 somehost kernel: [40863.468270] ‘firehol: ‘IN-world’:…
The timestamp in brackets is part of the message and needs to be matched as well.
I got it to work using “contains” instead of “startswith”.
Another useful tip is to add
kernel.printk = 4 4 1 7
to /etc/sysctl.conf to stop the iptables messages from going to the console.
Perhaps this will be helpful for some readers.
This help file is for rsyslog not sysctl
Or you could skip rsyslog all together, and use ULOGD and the ULOG target. More flexibility this way – send the logs to a file, or a database. No issues with filtering, and you can use as many prefixes as you want without having to reconfigure rsyslog.
The advantage of rsyslog is that you’re probably already using it and you can’t really run a linux system with out some sort of syslog daemon. ulogd might make sense on a dedicated firewall, but it’s sort of ridiculous to have to run a completely separate daemon just to log iptables on a workstation.
Thanks for this nice tip. I also had the timestamp problem, so now I have added a regex rule:
:msg, startswith, “ipt: ” -/var/log/iptables.log
& ~
:msg, regex, “^\[ *[0-9]*\.[0-9]*\] ipt: ” -/var/log/iptables.log
& ~
However, the messages still also go to dmesg (the command). Would like to remove them from there as well.
Try “dmesg -n5″
The regexp caused rsyslogd to refuse to start. I found using ‘contains: ‘ instead of ‘startswith’ to work for me.
[...] to original source: http://blog.shadypixel.com/log-iptables-messages-to-a-separate-file-with-rsyslog/ Cancel [...]
You might want to add a number to the conf file in rsyslog.d and have it load before the other rules.
in example /etc/rsyslog.d/30-iptables.conf is a safe guess for basic ubuntu systems.
Hi,
Thanks for a good and helpful tutorial.
I’ve got one question I was hoping you might be able to answer. I keep getting error messages when i use filters, and I am wondering wether it can be due to a module not being loaded.
Did you load specific modules before implementing the filtering?
All of this works for getting iptables logging into a separate log file…that’s great…but it’s still, also, logging into /var/log/messages, which is what I’m trying to get cleared out.
As I’m still not horribly good with rsyslog, does anyone have an incantation for the /var/log/messages line that will clean that part up?
Note than with newer versions of rsyslog you need to use “invoke-rc.d rsyslog rotate” instead of “invoke-rc.d rsyslog reload”.
Hello,
Thanks for explanation here.
Just a remark, in case you want to redirect just IPTables to iptables.log:
# Log IPTables.
:msg, startswith, “IPTABLES_” -/var/log/iptables.log
& ~
Is all you need, without the Prefix bit :)
Be good!
hi, i’ve used iptables to create a firewall type of application that can block certain addresses in android. i use logging to keep track of rejected packets. How can i clear the contents of the log programatically.
Pleasant weblog the following! Also your site quite a lot right up quickly! Precisely what host are you the application of? Should i make your affiliate marketer website link in your host? I want this site jam-packed as quickly since your own property haha