I have this rule in my iptables:
iptables -A INPUT -s 192.168.11.0/24 -j LOG
My question is:
Where is the iptables log file, and how can I change that?
These logs are generated by the kernel, so they go to the file that receives kernel logs: /var/log/kern.log.
If you want to redirect these logs to a different file, that can't be done through iptables. It can be done in the configuration of the program that dispatches logs: rsyslog. In the iptables rule, add a prefix that isn't used by any other kernel log:
iptables -A INPUT -s 192.168.11.0/24 -j LOG --log-prefix='[netfilter] '
Following the example set by 20-ufw.conf, create a file under /etc/rsyslog.d/00-my_iptables.conf containing:
:msg,contains,"[netfilter] " -/var/log/iptables.log
& stop
Putting the rule early (the file names in /etc/rsyslog.d are used in lexicographic order) and adding & stop causes these logs to go only to the specified location and not to the default location as well.
Rsyslog has to be restarted for the config changes to take effect.
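The rsyslog rule above routes lines purely on the literal prefix string. As an added example (not part of the original answer, and not rsyslog's own code), here is a small Python parser that applies the same "contains the prefix" test to constructed kernel log lines and then breaks the LOG target's key=value fields (IN, OUT, SRC, DST, PROTO, DPT, ...) out of each matching line. The sample lines, host name and addresses are made up for this example; the field layout is the one the kernel's LOG target writes.

```python
from collections import Counter

# Constructed sample lines in the format the LOG target writes to the kernel
# log (and hence to /var/log/kern.log or /var/log/syslog), plus one unrelated
# kernel message that the prefix filter must leave alone. Made up for this
# example, not captured from a real host.
SAMPLE_LOG = """\
Aug 15 10:34:01 gw kernel: [ 1234.567890] [netfilter] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.11.5 DST=192.168.11.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41234 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 15 10:34:02 gw kernel: [ 1235.000001] usb 1-1: new high-speed USB device number 4 using xhci_hcd
Aug 15 10:34:03 gw kernel: [ 1236.111111] [netfilter] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.11.5 DST=192.168.11.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41235 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 15 10:34:04 gw kernel: [ 1237.222222] [netfilter] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.11.7 DST=192.168.11.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1
"""

# Must be the same string as --log-prefix and as the rsyslog 'contains' filter.
PREFIX = "[netfilter] "


def select_by_prefix(lines, prefix=PREFIX):
    """The selection the rule :msg,contains,"[netfilter] " performs:
    keep only lines whose text contains the prefix."""
    return [ln for ln in lines if prefix in ln]


def parse_log_line(line, prefix=PREFIX):
    """Split one LOG-target line into its key=value fields.
    Bare tokens such as DF or SYN are collected under 'flags'.
    Returns None for lines that do not carry the prefix."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    fields = {"flags": []}
    for token in line[idx + len(prefix):].split():
        if "=" in token:
            key, _, value = token.partition("=")
            # ICMP echo lines repeat ID= for the echo identifier; keep the
            # first occurrence, which is the IP header ID.
            fields.setdefault(key, value)
        else:
            fields["flags"].append(token)
    return fields


def summarize(lines):
    """Count logged packets per (SRC, PROTO, DPT): the kind of tally you
    would want when triaging /var/log/iptables.log."""
    counts = Counter()
    for fields in map(parse_log_line, select_by_prefix(lines)):
        key = (fields["SRC"], fields["PROTO"], fields.get("DPT", "-"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(n, key)
```

Run it against a real file with `summarize(open("/var/log/iptables.log").read().splitlines())`. Note that `select_by_prefix` is a plain substring test, exactly like the rsyslog `contains` property filter, which is why the answer tells you to pick a prefix no other kernel message uses.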
I know that's far too late and the answer is already marked as the accepted one. I just have a piece of new info to give.
The log file of the LOG action is found at either /var/log/syslog (Ubuntu and similar OSs) or /var/log/messages (CentOS and similar OSs).
If you have trouble finding the right file, you may try this:
find /var/log -mmin -1
This will find any file modified in the last 1 min inside /var/log and below.
You may find out that -j LOG may update more than just a single file.
For instance on Ubuntu 18, both /var/log/kern.log and /var/log/syslog are affected by netfilter logging.
ls /var/log/ to find the log file and it didn't show until I did sudo ls /var/log/. Your answer helped me, thank you.
– Yacine Rouizi
Aug 15 '21 at 10:34
-t switch of the ls command to get the most recently modified files at the top of the ls list. Example: ls -lat /var/log
– Jimmix
Sep 18 '22 at 17:39
# on my computer !
# i wrote at the top of the script
iptables -F
iptables -X
#
iptables -A INPUT -m state --state NEW -j LOG \
    --log-prefix='[iptables_input] '
iptables -A OUTPUT -m state --state NEW -j LOG \
    --log-prefix='[iptables_output] '
# and found the results in /var/log/syslog
# the LOG instructions are executed only when no other iptables instructions
# are registered before them
iptables.log, the point of my answer is to show you how to create it. You may not have /var/log/kern.log if you're running a different version of Ubuntu (I think recent versions no longer use this file and put kernel logs in /var/log/syslog instead), but it doesn't matter. Oh, but if you're running an older version of Ubuntu, you may need to install the rsyslog package.
– Gilles 'SO- stop being evil'
Sep 21 '13 at 19:50
& stop command as well. That way you avoid duplicates in the kern.log file, duplicates that could impair your ability to see other important kernel logs.
– Alexis Wilke
Oct 21 '16 at 20:08
/var/log/messages on RH flavors. Thanks for the tips, I needed it!
– Brian Thomas
Nov 06 '18 at 19:21
& ~ part needs to go on the new line. Here's a full example that worked for me: https://superuser.com/questions/1269643/why-does-mean-discard-the-messages-that-were-matched-in-the-previous-line
– ᴍᴇʜᴏᴠ
Oct 03 '19 at 13:23