Iptables is the userspace command line program used to configure the Linux 2.4.x and later packet filtering ruleset by netfilter. In a lot of our Iptables configs we'll often setup a LOG directive to monitor some of the rules being hit. This helps for testing/confirming a rule or so we can monitor and report on the rules.
-N LOG_AND_DROP -A LOG_AND_DROP -j LOG --log-prefix "[iptables] - denied (ipset): " -A LOG_AND_DROP -j DROP -A INPUT -m set --match-set china-blacklist src -j LOG_AND_DROP
In the above example we have an ipset list of some China IPs (another post coming soon regarind ipsets) and we're going to log the hit of this rule and then
DROP the packet. You ultimately do the same for logging and
ACCEPT but this is just a quick snippet/example.
However, one you enable something of this sorts, or do any kind of logging you'll notice that the log entries get dropped into
/var/log/kern.log. A little crazy right? Well, how can we consolidate or narrow down where these logs go? Well, we just need to tell our rsyslog daemon where to put these.
Create a iptables config file
Add the following lines:
:msg, contains, "[iptables] " -/var/log/iptables.log & stop
service rsyslog restart
And you should be good to go.
Note the 'tag' that we're using here '
[iptables] '. This can ultimately be any tag you want to use that makes sense to you. You just need to update the iptables rules as well as the rsyslog config file to match. You can also use this to have different tags go to different files if that is something you want to do.