How to configure syslog to log the iptables messages to a different log file in Red Hat Enterprise Linux 5/6 ?
Environment
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- syslog
Issue
- How to modify the iptables rules to let it log at the appropriate level?
- How to configure syslog to log the iptables messages to a different log file?
- To stop iptables messages to get logged into
/var/log/messages
?
Resolution
- Make a backup of
/etc/syslog.conf
before making any changes to it.
# cp /etc/syslog.conf /etc/syslog.conf.bak
- Edit
/etc/syslog.conf
with an editor such asvi
and add lines:
# comment iptables log
kern.warning /var/log/iptables
- Make sure the iptables rule is logging at the appropriate level. This can be done by using the log-level switch. Default log-level is warning.
Below example will log ssh attempts:
# iptables -I INPUT -p tcp --dport 22 -j LOG --log-level 4
Note: Log Levels can be found using command:
$ man syslog
Note: Consider adding a prefix to your iptables rule. This makes it easier to separate the firewall message from the few random messages that the kernel puts out.
- Below example use to log ping and add the prefix "#### Firewall ####".
# iptables -I INPUT -p icmp --icmp-type ping -j LOG --log-prefix "#### Firewall ####"
Note:- Follow below steps if iptables print all the logs on the console:-
Step1:- Add below entry in /etc/sysctl.conf
kernel.printk = 4 1 1 7
Step2:- Run below command to make changes effectively at runtime.
# /sbin/sysctl -p /etc/sysctl.conf
Step3:- Check the changes at below file.
# cat /proc/sys/kernel/printk
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments