iptables to rsyslog

log all dropped connections to syslog. the rules below append a catch-all LOGGING chain to INPUT and OUTPUT, so add them after your ACCEPT rules, otherwise every packet gets logged and dropped.

iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -j LOG --log-prefix "iptables: "
iptables -A LOGGING -j DROP

check that this line is in /etc/rsyslog.conf

$ModLoad imklog

after that create the file /etc/rsyslog.d/01-iptables.conf with the content:

:msg, startswith, "iptables: " -/var/log/iptables.log
& ~
:msg, regex, "^\[ *[0-9]*\.[0-9]*\] iptables: " -/var/log/iptables.log
& ~

lines 1 and 3 are filters with a log file location: if the message matches (plain "iptables: " prefix, or a kernel printk timestamp like "[ 1234.567890] " followed by the prefix), it is written to the specified log file. the leading "-" means rsyslog may buffer writes instead of syncing after every line.
lines 2 and 4 ("& ~") tell rsyslog "don't process further rules for this entry if the one before matched, it's done". "~" is the legacy discard action; newer rsyslog versions spell it "& stop".

now the only thing left is to create a log rotation rule
create the file /etc/logrotate.d/iptables with this content:

/var/log/iptables.log {
	rotate 7
	daily
	missingok
	notifempty
	delaycompress
	compress
	postrotate
		invoke-rc.d rsyslog rotate > /dev/null
		iptables-save >> /var/log/iptables.log
	endscript
}
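once this is in place, /var/log/iptables.log fills with lines in the shape shown below. as an added example (not from the original post), this small Python script applies the same two match rules as the rsyslog filters, splits the LOG target's KEY=VALUE fields, and counts what is hitting the LOGGING chain per source, protocol and destination port. the sample lines, hostnames and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample of what rsyslog writes to /var/log/iptables.log:
# syslog header, "kernel:" tag, optional printk timestamp, then the LOG target fields.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: iptables: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40210 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: [ 1234.567890] iptables: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40211 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:03 gw kernel: [ 1235.000001] iptables: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=5353 DPT=53 LEN=40
Mar  3 10:15:04 gw sshd[123]: Accepted publickey for ops from 192.0.2.5 port 5000
"""

# Same two tests as the rsyslog filters: bare prefix, or "[ secs.usecs] " then the prefix.
IPTABLES_MSG = re.compile(r'^(?:\[ *[0-9]*\.[0-9]*\] )?iptables: (?P<fields>.*)$')
# Traditional syslog file format: "Mon dd hh:mm:ss host tag: msg".
SYSLOG_LINE = re.compile(r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<tag>[^:]+): (?P<msg>.*)$')

def parse_line(line):
    """Return the LOG target fields as a dict, or None if the line is not an iptables message."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    m2 = IPTABLES_MSG.match(m.group('msg'))
    if not m2:
        return None
    fields = {}
    for tok in m2.group('fields').split():
        if '=' in tok:
            k, v = tok.split('=', 1)
            fields.setdefault(k, v)   # keep the first LEN= (IP header), not the nested UDP LEN=
        else:
            fields[tok] = True        # flag tokens such as DF or SYN
    return fields

def summarize(text):
    """Count logged packets per (SRC, PROTO, DPT) across all lines of the log text."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f:
            counts[(f.get('SRC'), f.get('PROTO'), f.get('DPT'))] += 1
    return counts

if __name__ == '__main__':
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

run it against the real file with summarize(open('/var/log/iptables.log').read()) to get a quick view of the top sources being dropped.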
