Ubuntu 9.10 + rsyslog + iptables


Ubuntu 9.10 + rsyslog + iptables

Postby yeleek » Fri Mar 12, 2010 8:04 pm

Hi,

I'm trying to get rsyslog running on ubuntu 9.10 to output my iptables alerts to a specific log file.

By default Ubuntu uses a 50-default.conf to specify the configuration, and I've added an iptables.conf in the /etc/rsyslog.d folder. The contents of that file are:

:msg, startswith, "iptables denied: " -/var/log/iptables.log
& ~


the /var/log/iptables.log file has been created, yet all the alerts still keep going to the messages log.

What am I doing wrong? And for confirmation, this is the iptables line:

'-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 4 '

So the test is right...

Thank you
yeleek


Re: Ubuntu 9.10 + rsyslog + iptables

Postby JPZ » Wed Mar 17, 2010 6:39 pm

yeleek,

Ubuntu is running rsyslogd version 4.2.0, which doesn't seem to support what you are doing; I've been trying to do the same thing.

I tried to upgrade to the latest version but I'm not quite sure of the steps to take yet.
Thus far I compiled and installed the new version, but nothing is being logged, so I obviously did something wrong.
JPZ

Re: Ubuntu 9.10 + rsyslog + iptables

Postby yeleek » Thu Mar 18, 2010 9:37 am

Hi,

I did manage to get it working. iptables.conf didn't work, but this, added to the top of /etc/rsyslog.d/50-default.conf, did:

:msg,contains,"IPTABLES" /var/log/iptables.log
& ~
*.info;mail.none;authpriv.none;cron.none /var/log/messages

Regards
yeleek

Re: Ubuntu 9.10 + rsyslog + iptables

Postby JPZ » Thu Mar 18, 2010 1:39 pm

Really?

I have the same setup but even though I specify:
:fromhost-ip,isequal,"1.1.1.1" /var/log/remote_syslog/log1
:fromhost-ip,isequal,"1.1.1.2" /var/log/remote_syslog/log2
& ~

*.* -/var/log/syslog


I still get logs dumped to syslog from ip 1.1.1.1 and 1.1.1.2. I thought the purpose of & ~ was to stop those logs from going further down the list.
JPZ

Re: Ubuntu 9.10 + rsyslog + iptables

Postby yeleek » Thu Mar 18, 2010 3:14 pm

Yup.

'The first line means send all messages that start with “iptables: ” to /var/log/iptables.log. The second line means discard the messages that were matched in the previous line. The second line is of course optional, but it saves the trouble of explicitly filtering out firewall logs from subsequent syslog rules'

http://blog.shadypixel.com/log-iptables ... h-rsyslog/
yeleek

Re: Ubuntu 9.10 + rsyslog + iptables

Postby JPZ » Thu Mar 18, 2010 6:51 pm

Which version of rsyslog are you running?

I have that same setup and the logs are still being sent to /var/log/syslog.
JPZ

Re: Ubuntu 9.10 + rsyslog + iptables

Postby yeleek » Fri Mar 19, 2010 9:19 am

4.2.0-2ubuntu5.1
yeleek
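As an added illustration (not from the thread and not rsyslog's own code), here is a small Python emulator of the legacy filter rules discussed above, run over constructed sample messages. It assumes two things: that /etc/rsyslog.d/*.conf is included in sort order, so an iptables.conf rule is only reached after 50-default.conf's catch-all has already written the message, and that a kernel LOG line may carry a printk timestamp in front of the --log-prefix text, which is why "startswith" misses it while "contains" does not.

```python
import re

# Constructed sample (fromhost-ip, msg). The first msg assumes the kernel adds a
# printk timestamp before the --log-prefix text (assumption, for illustration).
SAMPLE = [
    ("127.0.0.1", "[ 1234.567890] iptables denied: IN=eth0 SRC=10.0.0.5 PROTO=TCP DPT=22"),
    ("127.0.0.1", "iptables denied: IN=eth0 SRC=10.0.0.6 PROTO=UDP DPT=53"),
    ("1.1.1.1", "sshd[123]: Accepted publickey for alice"),
    ("1.1.1.2", "cron[77]: (root) CMD (run-parts /etc/cron.hourly)"),
]
RULE_RE = re.compile(r'^:(?P<prop>[\w-]+),\s*(?P<op>\w+),\s*"(?P<val>[^"]*)"\s+(?P<act>\S+)$')
OPS = {"startswith": str.startswith, "contains": str.__contains__,
       "isequal": str.__eq__, "any": lambda a, b: True}

def parse_rules(conf):
    """Subset of legacy syntax used in the thread: ':prop,op,"value" action',
    the catch-all '*.* action', and '& action' (reuses the preceding filter)."""
    rules = []
    for line in filter(None, (l.strip() for l in conf.splitlines())):
        if line.startswith("&"):                      # continue previous filter
            rules.append(rules[-1][:3] + (line[1:].strip(),))
        elif line.startswith("*.*"):                  # catch-all selector
            rules.append(("*", "any", "", line[3:].strip()))
        elif m := RULE_RE.match(line):
            rules.append((m["prop"], m["op"], m["val"], m["act"]))
        else:
            raise ValueError(f"unsupported rule: {line!r}")
    return rules

def route(conf, messages=SAMPLE):
    """Return {logfile: [msg, ...]}. Rules run top to bottom per message; '~'
    discards it so later rules never see it. '-' (async write) is stripped."""
    rules, out = parse_rules(conf), {}
    for host, msg in messages:
        props = {"msg": msg, "fromhost-ip": host, "*": ""}
        for prop, op, val, act in rules:
            if OPS[op](props[prop], val):
                if act == "~":
                    break
                out.setdefault(act.lstrip("-"), []).append(msg)
    return out

# Original attempt: /etc/rsyslog.d/*.conf is included in sort order, so the
# catch-all from 50-default.conf runs before anything in iptables.conf.
ORIGINAL = '*.* -/var/log/syslog\n:msg, startswith, "iptables denied: " -/var/log/iptables.log\n& ~'
# Working version from the thread: filter + discard placed above the catch-all.
FIXED = ':msg,contains,"iptables denied: " /var/log/iptables.log\n& ~\n*.* -/var/log/syslog'
# '& ~' continues only the 1.1.1.2 filter, so 1.1.1.1 still reaches syslog.
PER_HOST = (':fromhost-ip,isequal,"1.1.1.1" /var/log/remote_syslog/log1\n'
            ':fromhost-ip,isequal,"1.1.1.2" /var/log/remote_syslog/log2\n& ~\n*.* -/var/log/syslog')
```

Running route() on each of the three configs shows that the per-host layout needs its own "& ~" after every filter line, not just the last one, for the discard to apply to both hosts.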
