80

I have this rule in my iptables:

iptables -A INPUT -s 192.168.11.0/24 -j LOG

My question is:

Where is the iptables log file, and how can I change that?

Terry Wang
pylover

4 Answers

87

These logs are generated by the kernel, so they go to the file that receives kernel logs: /var/log/kern.log.

If you want to redirect these logs to a different file, that can't be done through iptables. It can be done in the configuration of the program that dispatches logs: rsyslog. In the iptables rule, add a prefix that isn't used by any other kernel log:

iptables -A INPUT -s 192.168.11.0/24 -j LOG --log-prefix='[netfilter] '

Following the example set by 20-ufw.conf, create a file under /etc/rsyslog.d/00-my_iptables.conf containing:

:msg,contains,"[netfilter] " -/var/log/iptables.log
& stop

Putting the rule early (the file names in /etc/rsyslog.d are used in lexicographic order) and adding &stop causes these logs to go only to the specified location and not to the default location as well.

Rsyslog has to be restarted for the config changes to take place.

Chris Stryczynski
Gilles 'SO- stop being evil'
  • I don't have ufw installed, so I cannot find logs in syslog, kern.log or iptables.log – pylover Sep 21 '13 at 19:47
  • @pylover UFW was just an example. I know you don't have `iptables.log`, the point of my answer is to show you how to create it. You may not have `/var/log/kern.log` if you're running a different version of Ubuntu (I think recent versions no longer use this file and put kernel logs in `/var/log/syslog` instead), but it doesn't matter. Oh, but if you're running an older version of Ubuntu, you may need to install the `rsyslog` package. – Gilles 'SO- stop being evil' Sep 21 '13 at 19:50
  • To make this work on 12.10, I had to adjust the rsyslog.d file to have the following additional char: ":msg,contains,"[netfilter] " -/var/log/iptables.log" – Daniel Feb 26 '14 at 15:10
  • One more thing: I needed to name the file like 00-my_iptables.conf, otherwise iptables was still logging into kern.log – Valentin Kantor Jan 03 '15 at 12:02
  • Maybe you could mention the `& stop` command as well. That way you avoid duplicates in the `kern.log` file, duplicates that could impair your ability to see other important kernel logs. – Alexis Wilke Oct 21 '16 at 20:08
  • Default log is `/var/log/messages` on RH flavors. Thanks for the tips, I needed it! – Brian Thomas Nov 06 '18 at 19:21
  • The above tips are right, this will still clutter the syslog, kern.log and messages files. Not obvious: the `& ~` part needs to go on the new line. Here's a full example that worked for me: https://superuser.com/questions/1269643/why-does-mean-discard-the-messages-that-were-matched-in-the-previous-line – ᴍᴇʜᴏᴠ Oct 03 '19 at 13:23
  • I had to remove the - at start of the file name for it to work – jjxtra May 09 '22 at 20:10
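As an added example (not part of any answer here), a small Python parser that reads lines written with the `[netfilter] ` prefix from the answer above, pulls out the KEY=VALUE fields the kernel LOG target emits, and counts hits per source and destination port. The log lines are constructed for the example, not captured from a real host.

```python
from collections import Counter

# Constructed sample of /var/log/iptables.log as the LOG target and the rsyslog
# rule above would fill it; the last line is an unrelated kernel message.
SAMPLE_LOG = """\
Sep 21 19:47:01 host kernel: [ 1203.441] [netfilter] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.11.5 DST=192.168.11.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 21 19:47:02 host kernel: [ 1204.120] [netfilter] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.11.5 DST=192.168.11.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 21 19:47:03 host kernel: [ 1205.002] [netfilter] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.11.9 DST=192.168.11.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Sep 21 19:47:04 host kernel: [ 1205.900] usb 1-1: new high-speed USB device number 3
"""

PREFIX = "[netfilter] "          # must match --log-prefix exactly
FLAGS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # bare tokens


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG-target line as a dict, or None
    if the line does not carry our prefix (i.e. some other kernel message)."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    fields = {}
    for token in line[idx + len(PREFIX):].split():
        if "=" in token:
            key, value = token.split("=", 1)
            # ICMP lines carry ID= twice (IP header id, then echo id); keep
            # the first so "ID" always means the IP header field.
            fields.setdefault(key, value)
        elif token in FLAGS:
            fields[token] = True
    return fields


def summarize(log_text):
    """Count logged packets per source and per (SRC, PROTO, DPT) triple."""
    per_src, per_target = Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None or "SRC" not in f:
            continue
        per_src[f["SRC"]] += 1
        per_target[(f["SRC"], f.get("PROTO"), f.get("DPT"))] += 1
    return per_src, per_target


if __name__ == "__main__":
    sources, targets = summarize(SAMPLE_LOG)
    for (src, proto, dpt), n in targets.most_common():
        print(f"{src:16} {proto or '-':5} dpt={dpt or '-':6} packets={n}")
```

The same function works on the real file (`summarize(open("/var/log/iptables.log").read())`) as long as the prefix matches the one in your rule.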
21

I know that's far too late and the answer is already marked as the accepted one. I just have a piece of new info to give.

The log file of the LOG action is found at either /var/log/syslog (Ubuntu and similar OSs) or /var/log/messages (CentOS and similar OSs).

joker
13

If you are having trouble finding the right file, you may try this:

find /var/log -mmin 1

This will find any file modified in the last minute inside /var/log and below. You may find that `-j LOG` updates more than just a single file.

For instance, on Ubuntu 18 both /var/log/kern.log and /var/log/syslog are affected by netfilter logging.

prosti
  • I was doing `ls /var/log/` to find the log file and it didn't show until I did `sudo ls /var/log/`. Your answer helped me, thank you. – Yacine Rouizi Aug 15 '21 at 10:34
  • You may also use the `-t` switch of the `ls` command to get the most recently modified files at the top of the `ls` list. Example: `ls -lat /var/log` – Jimmix Sep 18 '22 at 17:39
2
#!/bin/sh
# On my computer I wrote this at the top of the script.
# Flush all rules and delete any user-defined chains first.
iptables -F
iptables -X

# Log every new incoming and outgoing connection with a distinctive prefix
# (the backslash must be the last character on the line for the continuation to work).
iptables -A INPUT -m state --state NEW -j LOG \
    --log-prefix='[iptables_input] '

iptables -A OUTPUT -m state --state NEW -j LOG \
    --log-prefix='[iptables_output] '

# I found the results in /var/log/syslog.
# The LOG rules are only executed when no other iptables rules
# have been registered before them.
visitor