Well, just like the title.
How can I write the iptables log to an appointed file?
For example, I make a new file named iptables_log.txt, and then I want to put iptables' log into this file. How can I do that?
I don't use iptables (or Linux) and it took me 2 seconds to find several answers:
http://www.google.com/search?hl=en&q...=Google+Search
If you're talking about doing this as a "one shot" deal, you can do this from the command line:
(You will probably need to be root, since most of the time iptables logs will be in /var, which only root has access to.)
# cat current_iptables_log > new_iptables_log.txt
If you want to do it again and keep the old data also, use ">>" instead of ">". This will append the new data to the end of the file. Using ">" again would overwrite it.
But you know that iptables' log is always put into /var/message with some other system logs.
If you want to get its log information you have to do it by yourself.
So I think maybe it is better to put its log into an appointed file.
I just found some people saying to modify /etc/syslog.conf and use iptables' LOG command to do it.
But it seems that it doesn't work.
After modifying /etc/syslog.conf you'll need to "killall -HUP syslogd"
Quote:
Originally posted here by SirDice
After modifying /etc/syslog.conf you'll need to "killall -HUP syslogd"
Yep, or reboot.
A nicer thing to do if you have a few boxes is dump the iptables logs to a central server via syslog. Nifty stuff.
--Th13
Yes, redirecting system logs of critical machines to another system explicitly set up for monitoring removes the ability to remove logs if anyone actually is able to break into a machine. That's how we have it set up at my workplace. And just for the record, on unix/linux you don't have to reboot for the syslog changes to take effect. Just do something like the following:
Code:
kill -HUP `ps -ef | grep -v grep | grep syslogd | awk '{ print $2 }'`
or
Code:
ps -ef | grep -v grep | grep syslogd | awk '{ print $2 }' | xargs kill -HUP
I believe the source command allows you to cause a configuration file to be read without a reboot.
Just do:
. (yes, that's a period) /etc/syslog.conf
from the command line.
Quote:
Originally posted here by preacherman481
I believe the source command allows you to cause a configuration file to be read without a reboot.
Just do:
. (yes, that's a period) /etc/syslog.conf
from the command line.
No, this doesn't do what you think it does.... For starters syslog.conf isn't a shell script.. sourcing a file is only useful when it's a shell script.. Especially when there are variables in it..
On fbsd i.e. rc.conf gets sourced for configuration variables by the startup (rc) scripts.
man syslogd for more info..
Quote:
syslogd reads its configuration file when it starts up and whenever it receives a hangup signal.
Hehe, actually, if you source your syslog.conf file, you'll get something like the following:
Code:
. /etc/syslog.conf
sh: mail.debug: not found.
sh: *.info: not found.
sh: mail.none: not found.
sh: *.alert: not found.
sh: *.alert: not found.
sh: *.emerg: not found.
Sourcing a file, as SirDice said, is only effective if you're executing a non-executable shell script, using your $SHELL variable which is set up when you log in. Unless you change it in your own .profile or /etc/profile or whatever, it's generally something like /usr/bin/sh for users and /sbin/sh for root.
Thanks for the responses SirDice and Vorlin :)
Alright, I understand now that source doesn't work with configuration files.
Ok, the reason why I said what I did was that I used . /etc/sysconfig/Susefirewall2 to read in some changes to my firewall setup without a reboot.
According to this page source can be used to read in commands from a text file. In other words, it need not be a shell script.
So if I understand this correctly, source may be used with regular text files (such as the Susefirewall2 file) but it will only allow you to read in commands from those files. It will not work with reading in to the shell a whole configuration setup.
SirDice, I may be misunderstanding you. Were you saying that source only works with shell scripts?
You can modify your /etc/syslog.conf file to point to the file that you want to use for the iptables logs.
Code:
#Log iptables stuff to iptables log
kern.3 /var/log/iptables
/root/iptables, /home/%user%/iptables are other examples.
I know a little, but I don't know how to express it.
I hope you can add my ICQ -- 220014994
Code:
#Log iptables stuff to iptables log
kern.3 /var/log/iptables
=============================
I did it just like stlivingston said.
But when I restart syslog, there is still nothing in the file iptables, and all the logs are still put into /var/log/messages.
And to toplanxue: thanks! I have added your ICQ account.
Check the following link; I think this is what you need.
http://iptables-tutorial.frozentux.n...html#LOGTARGET
Quote:
The LOG target is specially designed for logging detailed information about packets. These could, for example, be considered as illegal. Or, logging can be used purely for bug hunting and error finding. The LOG target will return specific information on packets, such as most of the IP headers and other information considered interesting. It does this via the kernel logging facility, normally syslogd. This information may then be read directly with dmesg, or from the syslogd logs, or with other programs or applications. This is an excellent target to use to debug your rule-sets, so that you can see what packets go where and what rules are applied on what packets. Note as well that it could be a really great idea to use the LOG target instead of the DROP target while you are testing a rule you are not 100% sure about on a production firewall, since a syntax error in the rule-sets could otherwise cause severe connectivity problems for your users. Also note that the ULOG target may be interesting if you are using really extensive logging, since the ULOG target has support for direct logging to MySQL databases and suchlike.
What happens if you modify the syslog.conf file with this entry and restart the service?
Code:
kern.=debug /var/log/iptables
Let me know if you are having problems with this still.
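Whether either of the two selectors proposed in this thread catches an iptables LOG message depends on the priority the rule logs at. In syslog.conf(5) terms, kern.3 means priority err (3) and anything more severe, and kern.=debug means exactly debug (7); the LOG target writes at the level set by its --log-level option, which in iptables defaults to warning (4), so a rule without --log-level is matched by neither line, which is consistent with the empty /var/log/iptables reported above. The script below is an added example, not from the thread and not how syslogd itself parses its file: a small POSIX sh model of the syslog.conf selector rules (plain priority-and-above, =priority, *, none, and comma-separated facilities) run over a constructed syslog.conf, to check which destinations a kernel message of a given priority would reach. The file names in the constructed config are made up.

```shell
#!/bin/sh
# Added example: model syslog.conf selector matching to see where a
# kernel message of a given priority would be written.

# Constructed syslog.conf for the demonstration (not a real system file).
DEMO_CONF="${TMPDIR:-/tmp}/syslog.conf.demo.$$"
cat > "$DEMO_CONF" <<'EOF'
# kern.3 = err and above; a LOG rule at the default level (warning) is missed
kern.3                          /var/log/iptables-err-only
# kern.=debug only catches rules written with --log-level debug
kern.=debug                     -/var/log/iptables-debug
# kern.warning catches warning and more severe, i.e. the LOG default level
kern.warning                    -/var/log/iptables
*.info;mail.none;authpriv.none  /var/log/messages
EOF

# prio_num NAME|DIGIT -> numeric syslog level (0 = emerg ... 7 = debug)
prio_num() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        [0-7])        echo "$1" ;;
        *)            return 1 ;;
    esac
}

# destinations_for FACILITY PRIORITY CONF
# Prints one destination per line for each conf line whose selectors match.
# Selector terms are evaluated left to right: a matching term turns the line
# on, a later "facility.none" turns it off again for that facility.
destinations_for() {
    fac="$1"; conf="$3"
    p=$(prio_num "$2") || return 1
    while read -r selectors dest; do
        case "$selectors" in ''|'#'*) continue ;; esac
        dest="${dest#-}"                  # leading '-' only disables fsync
        hit=no
        rest="$selectors;"
        while [ -n "$rest" ]; do          # split on ';' without word splitting
            term="${rest%%;*}"; rest="${rest#*;}"
            tfac="${term%%.*}"; tpri="${term#*.}"
            # facility part may be "*" or a comma-separated list
            case ",$tfac," in *",$fac,"*|*",*,"*) ;; *) continue ;; esac
            case "$tpri" in
                none) hit=no ;;
                =*)   [ "$p" -eq "$(prio_num "${tpri#=}")" ] && hit=yes ;;
                '*')  hit=yes ;;
                *)    [ "$p" -le "$(prio_num "$tpri")" ] && hit=yes ;;
            esac
        done
        [ "$hit" = yes ] && echo "$dest"
    done < "$conf"
    return 0
}

# Stand-alone demonstration: a LOG rule at the default level (warning).
echo "kernel message at priority warning would be written to:"
destinations_for kern warning "$DEMO_CONF"
echo "kernel message at priority debug would be written to:"
destinations_for kern debug "$DEMO_CONF"
```

Running it shows the warning-level message reaching /var/log/iptables and /var/log/messages only, while the debug-level message reaches only /var/log/iptables-debug. After changing the real syslog.conf the daemon still has to be told to reread it, as the earlier replies note (SIGHUP); changing the selector alone does nothing until then.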
Here is what I do to read iptables' log:
First, in the firewall script when I use logging I also use the following directive (or something similar):
Code:
LOG --log-prefix "IPTABLES_LOG_xxx " ...
Then, I make a file iptables.log.sh, containing the following command:
Code:
cat /var/log/messages* | grep IPTABLES_LOG | sort | less -S -# 1
Also, you have to make it executable with:
Code:
chmod u+x iptables.log.sh
And that's it. Now when you execute it you have your firewall's log :)
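Expanding on the grep approach in the reply above, the script below is an added example (not the poster's iptables.log.sh) that applies the same prefix filter to a constructed excerpt of /var/log/messages and then summarises the SRC, DST, PROTO and DPT fields that the LOG target emits, so the firewall log reads as a table of who hit which port rather than as raw lines. The prefix IPTABLES_LOG_IN, the host name "fw" and all addresses in the sample are made up; only the field names are the ones the LOG target actually writes.

```shell
#!/bin/sh
# Added example: filter prefixed iptables LOG lines out of a syslog file and
# summarise them. All sample data below is constructed for the demonstration.

SAMPLE_LOG="${TMPDIR:-/tmp}/messages.demo.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Mar  4 10:01:12 fw kernel: IPTABLES_LOG_IN IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  4 10:01:13 fw kernel: usb 1-1: new high-speed USB device number 2 using ehci_hcd
Mar  4 10:01:15 fw kernel: IPTABLES_LOG_IN IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  4 10:02:00 fw sshd[2345]: Accepted publickey for alice from 192.0.2.20 port 51000 ssh2
Mar  4 10:02:30 fw kernel: IPTABLES_LOG_IN IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=777 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
EOF

# iptables_log_lines PREFIX FILE... -> only the lines carrying the LOG prefix
# (-F: treat the prefix as a fixed string, -h: no file name in the output)
iptables_log_lines() {
    prefix="$1"; shift
    grep -hF -- "$prefix" "$@"
}

# iptables_log_summary PREFIX FILE... -> "SRC DST PROTO DPT count", one line
# per distinct tuple. Fields are parsed as KEY=VALUE tokens; flags without a
# value (DF, SYN) and ICMP lines without DPT are handled with a "-" default.
iptables_log_summary() {
    iptables_log_lines "$@" | awk '
        {
            src = dst = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "DST")   dst   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            count[src " " dst " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# top_sources PREFIX FILE... -> "count SRC=address", busiest source first
top_sources() {
    iptables_log_lines "$@" | grep -o 'SRC=[^ ]*' | sort | uniq -c | sort -rn
}

# Stand-alone demonstration on the constructed sample.
echo "== matching lines =="
iptables_log_lines IPTABLES_LOG_IN "$SAMPLE_LOG"
echo "== per src/dst/proto/dport =="
iptables_log_summary IPTABLES_LOG_IN "$SAMPLE_LOG"
echo "== top sources =="
top_sources IPTABLES_LOG_IN "$SAMPLE_LOG"
```

On a real system the file argument would be /var/log/messages (or the dedicated file set up in syslog.conf), and the prefix whatever the rule's --log-prefix says; giving each rule its own prefix, as the reply suggests, is what makes this filtering reliable, since the kernel writes plenty of other lines to the same facility.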