Capturing iptables logs

Overview

CentOS 7 / RHEL 7. I needed to log dropped packets from iptables to a separate file using rsyslog (I like my logs in separate files) and then rotate them. I read several online guides and most of them got the logs into a separate file just fine, but the same lines were still going to /var/log/messages as well, and I did not want the double logging. I did set “& ~” in rsyslog.conf but it just didn’t work; after a bit of experimenting the following worked great.

iptables

I only needed to log dropped incoming packets, so I added the following rules to iptables; they are appended after the last “INPUT” lines. The exact text of the prefix “Dropped: ” matters, because it is what the rsyslog filter below matches on to route these lines into their own file.

# The LOGGING chain has to exist before the rules below reference it;
# declare it with the other chains at the top of the *filter section:
:LOGGING - [0:0]
# Then append these after the existing INPUT rules:
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "Dropped: " --log-level 4
-A LOGGING -j DROP
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

That’s it for iptables

Create a file for the logs

touch /var/log/iptables-drop

rsyslog changes

I created a new conf file under /etc/rsyslog.d/ called iptables-drop.conf; if you have quite a few conf files in there you may want to give the file a numerical prefix as well, since they are read in name order. Also check that rsyslog.conf has the line $IncludeConfig /etc/rsyslog.d/*.conf uncommented; it usually is by default.

I then added the following to iptables-drop.conf. Note that many of the guides use “& ~”, but this is deprecated (rsyslog will tell you so in its logs), so use “& stop” instead.

:msg, contains, "Dropped: "        -/var/log/iptables-drop
& stop

Restart services

Now restart rsyslogd and iptables and you should be good to go. You can check by tailing the new file and sending some traffic that the INPUT chain will drop.

tail -f /var/log/iptables-drop
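Once lines are landing in /var/log/iptables-drop, a quick summary is more useful than watching tail scroll. The script below is an added example and not part of the original post: it keeps only the lines the rsyslog rule above would route (the message contains “Dropped: ”), pulls the SRC, PROTO and DPT fields out of the kernel log format, and counts drops per source address. The log lines embedded in it are constructed samples, not real traffic; the hostname, addresses and ports are made up.

```shell
#!/bin/sh
# Added example: summarise dropped-packet lines from /var/log/iptables-drop.
# SAMPLE_LOG holds constructed lines in the format the LOG target produces;
# the last line is a non-iptables message to show it gets filtered out.
SAMPLE_LOG='Mar  3 10:15:01 host1 kernel: Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=41234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 host1 kernel: Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=41235 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:03 host1 kernel: Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Mar  3 10:15:04 host1 sshd[1234]: Accepted publickey for admin from 192.0.2.9 port 50000 ssh2'

# Keep only the lines the rsyslog rule would route: message contains "Dropped: ".
# Fixed-string match (-F) so the colon and space are taken literally.
filter_dropped() {
    grep -F 'Dropped: '
}

# Print "SRC PROTO DPT" for each dropped line. The LOG target writes
# KEY=VALUE pairs separated by spaces, so each field is split on "=".
extract_fields() {
    filter_dropped | awk '{
        src = ""; dpt = ""; proto = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "SRC") src = kv[2];
            else if (kv[1] == "DPT") dpt = kv[2];
            else if (kv[1] == "PROTO") proto = kv[2];
        }
        if (src != "") print src, proto, dpt;
    }'
}

# Count dropped packets per source address, busiest source first.
top_sources() {
    extract_fields | awk '{ c[$1]++ } END { for (s in c) print c[s], s }' | sort -rn
}

# Total number of dropped-packet lines in the input.
count_dropped() {
    filter_dropped | wc -l | tr -d ' '
}

# Usage: sh iptables-drop-summary.sh /var/log/iptables-drop
# With no file argument the script runs over the constructed sample above.
if [ "$#" -gt 0 ]; then
    printf 'dropped packets: %s\n' "$(count_dropped < "$1")"
    top_sources < "$1"
else
    printf 'dropped packets: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_dropped)"
    printf '%s\n' "$SAMPLE_LOG" | top_sources
fi
```

Because the rsyslog rule only ever writes lines containing “Dropped: ” to this file, the filter_dropped step is redundant on the real log, but it makes the script safe to point at /var/log/messages on a host where the split was never set up.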

Rotate logs

All I did for this was add the new file to the list of logs in /etc/logrotate.d/syslog, so it is rotated along with the others:

/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
/var/log/daemon.log
/var/log/kern.log
/var/log/iptables-drop
{
    missingok
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

Notes

I first added the lines from iptables-drop.conf to the main rsyslog.conf, but it didn’t seem to work well; it could be an ordering issue. The correct way is to use a file in rsyslog.d, so that is the way to go.

I also tried the often recommended “:msg, startswith …. ” but that did not work well for me, changing “startswith” to “contains” got it all working great.

There is another, easier way of doing all of this as well. If you don’t require a separate log file you can let journald do the heavy lifting: all you need to do is add the lines to iptables and you are good to go, with no rsyslog configuration required at all. To view the kernel messages just use the following (the second form follows the log live).

journalctl -k
journalctl -k -f


About hedscratchers

A UK ex-pat now living in the USA.