Overview
CentOS 7 / RHEL 7. I needed to log packets dropped by iptables to a separate file using rsyslog (I like my logs in separate files) and then rotate that file. I read several online guides and most of them got the lines into a separate file fine, but the same lines were still going to /var/log/messages as well. I did not want the double logging; I had set “& ~” in rsyslog.conf but it just did not work. After a bit of experimenting the following worked well.
iptables
I only needed to log dropped incoming packets, so I added the following to the iptables rules. The LOGGING lines go after the last existing INPUT rule (and before the OUTPUT rules), so anything that has not already matched an ACCEPT falls through to the LOGGING chain, is logged and is then dropped. The exact text of the prefix “Dropped: ” matters, because the rsyslog filter below matches on it. Two things worth knowing: the LOGGING chain has to exist (iptables-restore needs a :LOGGING - [0:0] line in the filter table header of /etc/sysconfig/iptables, or create it with iptables -N LOGGING), and the limit match of 2 per minute (with the default burst of 5) keeps a scan from flooding the log, which also means you see a sample of the drops rather than every packet.
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "Dropped: " --log-level 4
-A LOGGING -j DROP
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
That’s it for iptables
Create a file for the logs
touch /var/log/iptables-drop
rsyslog changes
I created a new conf file under /etc/rsyslog.d/ called iptables-drop.conf; if you have quite a few conf files in there you may want to give it a numeric prefix as well so it sorts where you expect. Also check that rsyslog.conf has the line $IncludeConfig /etc/rsyslog.d/*.conf uncommented; it is by default, and it sits in the global directives section above the RULES section, which is what makes the rest of this work.
I then added the following to iptables-drop.conf. Note that many of the guides use “& ~”, but that syntax is deprecated in the rsyslog 7 that RHEL 7 ships and rsyslog will tell you so in its own logs, so use “& stop”. The leading - on the file name tells rsyslog not to sync the file after every write, which is the normal setting for a chatty log; the & stop line discards the message once it has been written, so it never reaches the catch-all rule that feeds /var/log/messages.
:msg, contains, "Dropped: "    -/var/log/iptables-drop
& stop
Restart services
Now restart rsyslog and iptables and you should be good to go. You can check by tailing the new file while sending some traffic the rules will drop, for example a connection to a port you do not accept:
tail -f /var/log/iptables-drop
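Once lines are arriving, the next thing you usually want is to turn the file into something you can act on. The POSIX shell script below is an added example, not code from the original post: it parses the key=value fields the LOG target writes (SRC, PROTO, DPT) out of lines in the default rsyslog line format, counts drops per source address, lists the ports each source hit, and flags any source that touched at least N distinct destination ports, which is what a port scan looks like in this log. The five sample lines it embeds are constructed (RFC 5737 documentation addresses, a made-up host name and MAC); on a real host point the functions at /var/log/iptables-drop instead.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the "Dropped: " lines
# that the iptables LOG target writes and the rsyslog rule files into
# /var/log/iptables-drop. The sample log is constructed; addresses are from the
# RFC 5737 documentation ranges. Real use: drop_top_sources /var/log/iptables-drop

# Write a constructed sample of the log, in the default rsyslog line format,
# to the file named in $1: three TCP probes from one host, then a UDP and an
# ICMP probe from another. The ICMP line has no DPT field.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:21:07 host kernel: Dropped: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:21:08 host kernel: Dropped: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12346 DF PROTO=TCP SPT=43211 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:21:09 host kernel: Dropped: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12347 DF PROTO=TCP SPT=43212 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:22:30 host kernel: Dropped: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=61 TOS=0x00 PREC=0x00 TTL=118 ID=0 DF PROTO=UDP SPT=51000 DPT=53 LEN=41
Mar  3 10:22:31 host kernel: Dropped: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=118 ID=4321 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
EOF
}

# Print "count SRC" for every source address, busiest first (ties by address).
drop_top_sources() {
    awk '
        /kernel: Dropped: / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
        }
        END { for (s in n) print n[s], s }
    ' "$1" | sort -k1,1nr -k2,2
}

# Print the distinct PROTO/DPT pairs one source ($2) was dropped on.
# Lines without a DPT (ICMP) are skipped.
drop_ports_for_src() {
    awk -v want="$2" '
        /kernel: Dropped: / {
            src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src == want && dpt != "") print proto "/" dpt
        }
    ' "$1" | sort -u
}

# Print "SRC distinct-port-count" for sources that hit at least $2 (default 3)
# distinct destination ports: a crude but useful port-scan detector for this log.
drop_scan_candidates() {
    awk -v min="${2:-3}" '
        /kernel: Dropped: / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src != "" && dpt != "") seen[src, dpt] = 1
        }
        END {
            for (k in seen) { split(k, p, SUBSEP); ports[p[1]]++ }
            for (s in ports) if (ports[s] >= min) print s, ports[s]
        }
    ' "$1" | sort
}

# Stand-alone demo on the constructed sample.
demo_file=$(mktemp)
write_sample_log "$demo_file"
echo "drops per source:";            drop_top_sources "$demo_file"
echo "ports hit by 203.0.113.5:";    drop_ports_for_src "$demo_file" 203.0.113.5
echo "sources hitting >= 3 ports:";  drop_scan_candidates "$demo_file" 3
rm -f "$demo_file"
```

Because the LOG rule is rate limited to 2 per minute, the counts here are of logged drops, not of packets; a source that shows up at all against several ports is still worth a look, since the limit samples the scan rather than hiding it.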
Rotate logs
All I did for this was add the new file to the list in /etc/logrotate.d/syslog, so it rotates with the other rsyslog-written logs and rsyslog gets the HUP that makes it reopen the file after rotation:
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
/var/log/daemon.log
/var/log/kern.log
/var/log/iptables-drop
{
    missingok
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
Notes
I first added the lines from iptables-drop.conf to the main rsyslog.conf, but that did not work well. It is an ordering issue: rsyslog evaluates rules top to bottom, and the default rsyslog.conf pulls in /etc/rsyslog.d/*.conf above its own RULES section, so a filter placed in rsyslog.d runs, and its stop takes effect, before the rule that writes everything to /var/log/messages. Append the same two lines to the end of rsyslog.conf and the message has already been written to messages by the time stop is reached. Putting the filter in rsyslog.d is the correct way to go.
I also tried the often recommended “:msg, startswith ….” but that did not work for me; changing “startswith” to “contains” got it all working. The likely reason is that the msg property rsyslog exposes for a kernel message usually begins with a space (the separator after the “kernel:” tag), so a startswith on “Dropped: ” never matches while contains does. If you prefer startswith, include that leading space in the pattern.
There is another, easier way of doing this if you do not need a separate file: journald already captures the kernel log, so all you need are the iptables rules above and no rsyslog configuration at all. To view the dropped-packet lines use the following; -k restricts the output to kernel messages and -f follows the journal like tail does.
journalctl -k
journalctl -k -f