Comments on: Log iptables Messages to a Separate File with rsyslog

By: btmorex

btmorex — Sun, 08 Nov 2009 21:14:35 +0000

The advantage of rsyslog is that you’re probably already using it and you can’t really run a linux system with out some sort of syslog daemon. ulogd might make sense on a dedicated firewall, but it’s sort of ridiculous to have to run a completely separate daemon just to log iptables on a workstation.

By: Anonymous

Anonymous — Sun, 08 Nov 2009 17:42:24 +0000

Or you could skip rsyslog all together, and use ULOGD and the ULOG target. More flexibility this way – send the logs to a file, or a database. No issues with filtering, and you can use as many prefixes as you want without having to reconfigure rsyslog.

By: Anonymous

Anonymous — Sat, 24 Oct 2009 12:53:25 +0000

This help file is for rsyslog not sysctl

By: Peter Eisentraut

Peter Eisentraut — Wed, 01 Jul 2009 07:39:49 +0000

Thanks for the tip, but I couldn’t actually get it to work verbatim. The log messages for me look like this:

Jul 1 10:34:57 somehost kernel: [40863.468270] ‘firehol: ‘IN-world’:…

The timestamp in brackets is part of the message and needs to be matched as well.

I got it to work using “contains” instead of “startswith”.

Another useful tip is to add

kernel.printk = 4 4 1 7

to /etc/sysctl.conf to stop the iptables messages from going to the console.

Perhaps this will be helpful for some readers.