Debian calls iptables logging in syslog an 'improvement'... I don't think so...
by Chris Walker on Oct.27, 2009,under Technical, How To, Networking, Operating Systems, Debian, Automation, Linux, Unix, Software
Ever had that moment when you notice something in a system is horribly flawed and no one seems to think that what you want to do is worthwhile? You know what I have to say to that?
Follow up:
AAAAAAHHHHHHFUCKYOU! in a sneeze-like fashion... why? Because I think keeping logs separated makes a manageable system... instead of spending hours searching through syslog for a specific piece of information, and wading through tons of iptables logging, I can now see each as its own log... time spent - 10 minutes.
First, you need to make an rsyslog config file for your iptables messages. Note, this should be done as root.
cd /etc/rsyslog.d;
<your editor> iptables.conf
In this iptables.conf (the "& ~" line discards the message just matched so it does not also land in /var/log/syslog; it only applies to the selector directly above it, so each filter needs its own):
:msg, contains, "[IPTABLES]Incoming Rejected: " /var/log/iptables/incoming.log
& ~
:msg, contains, "[IPTABLES]Outgoing Rejected: " /var/log/iptables/outgoing.log
& ~
Modify the quoted portion to match your iptables --log-prefix string (this lets you add as many rules as you have prefixes, as I did above). Next we make a logrotate config; a 700MB log file is no fun, eh?
cd /etc/logrotate.d/;
<your editor> iptables
In this file (the postrotate block tells rsyslog to reopen its files after rotation; without it rsyslog keeps writing to the renamed file, which is why sharedscripts is there):
/var/log/iptables/*.log {
daily
missingok
rotate 6
compress
delaycompress
notifempty
create 640 root adm
sharedscripts
postrotate
# reopen log files so new lines go to the fresh incoming.log / outgoing.log
/etc/init.d/rsyslog reload > /dev/null
endscript
}
Save and exit, and be sure you run /etc/init.d/rsyslog restart after this.
I'll break it down later... this is good enough for now. Provided your incoming and outgoing iptables rules use different --log-prefix strings, you can maintain any number of different log files; you can even go as far as giving each port its own log file, and this organization can be very useful. If you want to know more about rsyslog and logrotate, man rsyslog and man logrotate are where I pulled most of my information. Also note that you can look at any of the files in /etc/logrotate.d to see how logrotate works; unfortunately, the only rsyslog config to look at is /etc/rsyslog.conf. I may post a nice one for logrotate on sub directories and keeping subdomain access files separated.
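Once the rejected packets land in their own file, the next thing you want is a quick tally of who is hitting what. The following is an added example, not part of the original post: a small Python parser for the split log files that keys off the same "[IPTABLES]Incoming Rejected: " prefix and reads the netfilter KEY=VALUE fields (SRC, DST, PROTO, DPT) that the kernel writes after it. The log lines below are constructed samples in the shape rsyslog writes them; the host name and addresses are made up.

```python
import re
import sys
from collections import Counter

# Must match the --log-prefix used in the iptables rule and in the rsyslog filter.
# iptables truncates --log-prefix to 29 characters; this one is exactly 29.
PREFIX = "[IPTABLES]Incoming Rejected: "

# netfilter writes KEY=VALUE pairs; bare flags such as DF or SYN carry no '='.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines (made-up host, RFC 5737 addresses) in the shape rsyslog
# writes them to /var/log/iptables/incoming.log; the last line is an unrelated
# kernel message included only to exercise the skip path.
SAMPLE_LOG = """\
Oct 27 10:01:02 fw kernel: [1234.001] [IPTABLES]Incoming Rejected: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 27 10:01:03 fw kernel: [1234.502] [IPTABLES]Incoming Rejected: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=44322 DPT=23 SYN URGP=0
Oct 27 10:01:09 fw kernel: [1240.113] [IPTABLES]Incoming Rejected: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 PROTO=UDP SPT=53 DPT=1025 LEN=28
Oct 27 10:01:10 fw kernel: [1241.000] [IPTABLES]Incoming Rejected: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=44323 DPT=22 SYN URGP=0
Oct 27 10:02:00 fw kernel: [1291.000] [IPTABLES]Incoming Rejected: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Oct 27 10:02:01 fw kernel: [1292.000] eth0: link is up
"""

def parse_line(line, prefix=PREFIX):
    """Return the KEY=VALUE fields after the prefix, or None if the line does
    not carry it (the syslog header and kernel timestamp are skipped over)."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len(prefix):]))

def summarize(text, prefix=PREFIX, top=5):
    """Tally rejected packets per source and per (PROTO, DPT) over one split
    log file; lines without the prefix are counted as skipped."""
    by_src, by_port, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        fields = parse_line(line, prefix)
        if fields is None:
            skipped += 1
            continue
        by_src[fields.get("SRC", "?")] += 1
        # ICMP carries no ports, so DPT falls back to "-"
        by_port[(fields.get("PROTO", "?"), fields.get("DPT", "-"))] += 1
    return {"sources": by_src.most_common(top),
            "ports": by_port.most_common(top), "skipped": skipped}

if __name__ == "__main__":
    # usage: python3 iptables_summary.py [/var/log/iptables/incoming.log]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in summarize(text).items():
        print(key, value)
```

Point it at outgoing.log with prefix="[IPTABLES]Outgoing Rejected: " to get the same tally for the other file.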
Enjoy!