I have the following configuration in my iptables and syslog files:

IPTABLES

```
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
```

SYSLOG-NG

```
destination d_iptables { file("/var/log/iptables/iptables.log"); };
filter f_iptables { facility(kern) and match("IN=" value("MESSAGE")) and match("OUT=" value("MESSAGE")); };
filter f_messages { level(info,notice,warn) and not facility(auth,authpriv,cron,daemon,mail,news) and not filter(f_iptables); };
log { source(s_src); filter(f_iptables); destination(d_iptables); };
```

I restart syslog-ng and the log is not written.

  • What is the value of s_src, and why don't you match on "iptables denied:" instead? Commented Apr 6, 2012 at 22:45
  • OK, I changed my match to look like this: Commented Apr 9, 2012 at 15:18
  • `filter f_iptables { level(debug) and match("IN=" value("iptables denied")) and match("OUT=" value("iptables denied")); };` Commented Apr 9, 2012 at 15:18
  • `source s_src { unix-dgram("/dev/log"); internal(); file("/proc/kmsg" program_override("kernel"));` Commented Apr 9, 2012 at 15:19

2 Answers

Your syslog-ng config appears fine to me but your iptables config isn't. The -j LOG line appears after a line that DROPs everything, hence it will never be reached.

You should move the LOG line to directly before whatever event you want to log. If you want to log everything, put it first. If you want to log everything that isn't ACCEPTed, put it after all the ACCEPTs.

  • I moved the logging up as suggested:

    ```
    Chain INPUT (policy ACCEPT)
    target     prot opt source                                        destination
    LOG        all  --  anywhere                                      anywhere             limit: RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere                                      anywhere             tcp dpt:www
    ACCEPT     tcp  --  anywhere                                      anywhere             tcp dpt:222
    ACCEPT     tcp  --  anywhere                                      anywhere             tcp dpt:mysql
    DROP       all  --  static-ip-85-25-146-0.inaddr.ip-pool.com/24   anywhere
    DROP       all  --  anywhere                                      anywhere
    ```
    Commented Apr 26, 2012 at 22:22
  • and modified the filter as follows, hoping to capture all logging: `filter f_iptables { level(debug); };` and still get no output to my iptables.log Commented Apr 26, 2012 at 22:23

Ok, after a lot of pain I finally got it working, here is the final config, I hope it helps someone.

iptables

```
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:LOGNDROP - [0:0]
:OUTPUT ACCEPT [63:18352]
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 85.25.146.0/24 -j DROP
-A INPUT -j DROP
```

syslog-ng config

```
destination d_iptables { file("/var/log/iptables.log"); };
filter f_iptables { match("iptables denied" value("MESSAGE")); };
filter f_debug { level(debug) and not facility(auth, authpriv, news, mail) and not filter(f_iptables); };
# not facility(auth,authpriv,cron,daemon,mail,news) and not filter(f_iptables); };
filter f_kern { facility(kern) and not filter(f_iptables); };
log { source(s_src); filter(f_iptables); destination(d_iptables); };
```
  • Great; if this is the correct solution to your question, please mark it as "accepted" when you are able. Commented Apr 27, 2012 at 0:06
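Both answers turn on the same mechanism: iptables evaluates a chain top to bottom, ACCEPT and DROP end the walk, and LOG does not, so where the LOG rule sits relative to the ACCEPTs and the catch-all DROP decides what ever gets logged. The following is an added example written for this page, not code from either answer: a small Python simulator of the INPUT chain under the three orderings discussed (the question's original with LOG after DROP, the accepted answer's LOG-first, and the first answer's LOG-after-the-ACCEPTs), which also emits the kernel message the LOG target would write and runs the final answer's `match("iptables denied" ...)` filter over it. The probe addresses, the `eth0` interface, the shape of the log line and the omission of `-m limit` are assumptions of the simulation.

```python
"""Simulate first-match evaluation of an iptables INPUT chain.

Added example (not from the original question or answers). Simplifications, all assumed:
  - only the match criteria used on this page are modelled (-p tcp --dport N,
    -s CIDR, -m state --state RELATED,ESTABLISHED)
  - the rate limit of "-m limit --limit 5/min" is ignored (every match logs)
  - the kernel log line is a constructed approximation of the real LOG format
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dport: int
    proto: str = "tcp"
    established: bool = False   # True if conntrack would mark it RELATED/ESTABLISHED


@dataclass
class Rule:
    target: str                     # ACCEPT, DROP or LOG
    proto: Optional[str] = None     # -p tcp
    dport: Optional[int] = None     # --dport N
    src: Optional[str] = None       # -s CIDR
    established: bool = False       # -m state --state RELATED,ESTABLISHED
    log_prefix: str = ""            # --log-prefix

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.established and not pkt.established:
            return False
        return True


def run_chain(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, List[str]]:
    """Walk the chain top to bottom. ACCEPT/DROP terminate the walk; LOG records
    a message and evaluation continues with the next rule. Returns the verdict
    and whatever the LOG target emitted on the way."""
    kernel_log: List[str] = []
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            kernel_log.append(f"{rule.log_prefix}IN=eth0 OUT= SRC={pkt.src} "
                              f"PROTO={pkt.proto.upper()} DPT={pkt.dport}")
            continue
        return rule.target, kernel_log
    return policy, kernel_log       # chain policy applies if no rule terminated


LOG_DENIED = Rule("LOG", log_prefix="iptables denied: ")
ACCEPTS = [
    Rule("ACCEPT", established=True),
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("ACCEPT", proto="tcp", dport=222),
    Rule("ACCEPT", proto="tcp", dport=3306),
]
# Question: LOG sits after the catch-all DROP, so no packet ever reaches it.
ORIGINAL = ACCEPTS + [Rule("DROP"), LOG_DENIED]
# Accepted answer: LOG first, so every packet (accepted or dropped) is logged.
LOG_EVERYTHING = [LOG_DENIED] + ACCEPTS + [Rule("DROP", src="85.25.146.0/24"), Rule("DROP")]
# First answer's alternative: LOG after the ACCEPTs, so only denied traffic is logged.
LOG_DENIED_ONLY = ACCEPTS + [LOG_DENIED, Rule("DROP", src="85.25.146.0/24"), Rule("DROP")]


def syslog_ng_match(messages: List[str], needle: str = "iptables denied") -> List[str]:
    """Approximates filter f_iptables { match("iptables denied" value("MESSAGE")); }
    with a substring test (syslog-ng match() is a regex, but the needle has no
    metacharacters, so the result is the same)."""
    return [m for m in messages if needle in m]


if __name__ == "__main__":
    probe = Packet("203.0.113.5", 22)   # constructed: SSH probe to a port that is not opened
    for name, chain in [("ORIGINAL", ORIGINAL), ("LOG_EVERYTHING", LOG_EVERYTHING),
                        ("LOG_DENIED_ONLY", LOG_DENIED_ONLY)]:
        verdict, log = run_chain(chain, probe)
        print(f"{name:16} verdict={verdict:6} logged={syslog_ng_match(log)}")
```

Running it shows the original ordering dropping the probe with an empty log, while both reorderings produce a line that the `iptables denied` filter picks up. One caveat the simulation also makes visible: in the final config the `-s 85.25.146.0/24 -j DROP` rule sits below the ACCEPTs, so connections from that network to ports 80, 222 and 3306 are still accepted; if the intent is to block that network outright, that rule has to move above the ACCEPTs.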
