0

I am trying to redirect iptables log to another file. Based upon my reading on the net, I did the following:

In my iptables rule, I have rules like:

iptables -A INPUT -s ... -j LOG --log-prefix "iptables@@"

Then in the folder /etc/rsyslog.d, I created a file with the entries:

:msg,contains,"iptables@@" /var/log/iptables.log
& ~

I also tried to have a blank line between the above two lines. I do get the iptables log entries now going to the iptables.log file. But they ALSO go to the /var/log/kern.log file. I want to suppress the latter. How do I do this? I am running Ubuntu 14.04 LTS.

1
  • Have you restarted rsyslog? Commented May 2, 2016 at 17:40

2 Answers

1

When your /etc/rsyslog.conf loads your *.conf files in /etc/rsyslog.d, it reads them alphabetically. So you need to make sure that your rules are in a file that comes before 50-default.conf, like:

01-myiptablesrules.conf 

This way, your rules will be read first and will discard it. You should also use this syntax:

:msg, contains, "iptables@@" {
    *.* /var/log/iptables.log
    stop
}

*You should use stop instead of ~

Or, if you don't have other kern.* messages than your iptables messages, you should modify 50-default.conf with:

kern.* /var/log/iptables.log 
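
To check the ordering point from this answer on a given machine, the following added example (not part of the original answer) concatenates the drop-in files in name order and reports whether the prefix filter and its discard are read before the first rule that names kern.log. The function names, the exit codes, the one-line stand-in for 50-default.conf and the file name 60-iptables.conf are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the drop-in that
# filters on the log prefix is read before the rule that writes to kern.log.

# check_order DIR PREFIX SINK
#   0 = filter and discard are read before the first rule naming SINK
#   1 = a rule naming SINK is read first (messages still reach SINK)
#   2 = no uncommented filter line mentioning PREFIX was found
#   3 = filter found, but no "stop" / "~" discard before the SINK rule
check_order() (
    LC_ALL=C; export LC_ALL   # assumption: bytewise order, fine for NN-name.conf
    cat "$1"/*.conf 2>/dev/null | awk -v prefix="$2" -v sink_path="$3" '
        /^[ \t]*#/ { next }                           # ignore comment lines
        { n++ }
        !filt && index($0, prefix)    { filt = n }    # first line naming PREFIX
        !sink && index($0, sink_path) { sink = n }    # first rule writing to SINK
        filt && !sink && (/^[ \t&]*(stop|~)[ \t}]*$/ || /[ \t](stop|~)[ \t}]*$/) { disc = 1 }
        END {
            if (!filt)               exit 2
            if (sink && sink < filt) exit 1
            if (!disc)               exit 3
            exit 0
        }'
)

# make_sample DIR DROPIN_NAME: constructed stand-in for /etc/rsyslog.d with a
# one-line 50-default.conf and the filter block from the answer in DROPIN_NAME.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' 'kern.*  -/var/log/kern.log' > "$1/50-default.conf"
    printf '%s\n' ':msg, contains, "iptables@@" {' \
        '    *.* /var/log/iptables.log' '    stop' '}' > "$1/$2"
}

demo=$(mktemp -d)
make_sample "$demo/late"  60-iptables.conf          # hypothetical file name
make_sample "$demo/early" 01-myiptablesrules.conf   # name used in the answer
for d in late early; do
    rc=0
    check_order "$demo/$d" 'iptables@@' /var/log/kern.log || rc=$?
    echo "$d: check_order returned $rc"
done
rm -rf "$demo"
```

On a real host, point the first argument at /etc/rsyslog.d and restart rsyslog after renaming the drop-in.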
0

Is there a line in your rsyslog config files that prints the message to /var/log/kern.log? If so, post that code. Also post your rsyslog version number. In the meantime, this could work:

:msg,contains,"iptables@@" /var/log/iptables.log
:msg,contains,"iptables@@" ~

Though I believe once you do that second line, rsyslog will disregard all messages containing iptables@@ so it can't be logged elsewhere (after that line).
