Is it possible to only write a log entry when a connection is established? I have tried:

iptables -I OUTPUT -p tcp --dport 22 -j LOG --log-level notice --log-prefix "outgoing ssh connection"

to log outgoing SSH connections, but this logs every single packet, and this is, as you can imagine, a bit overwhelming for monitoring purposes. I am running SLES 11 SP3. So I would be grateful if anyone could point out a way to only write a log entry when the connection is established.


The line you would need to log the traffic might look like this:

iptables -I OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j LOG --log-prefix "Outgoing SSH connection"

On another terminal, view the logs:

while :; do iptables -L OUTPUT -v -n --line-numbers; sleep 2; done

I am using -m state --state. However, I would recommend using --ctstate.

Run man iptables for more.

If you feel that you are being overwhelmed by the logs, you might consider changing the --log-level. http://www.netfilter.org/ can tell you more.


val0x00ff's suggestion of using --state, also by Petter H in a comment, should work well.

However, you don't need to introduce session state tracking just for that. You can add the --syn flag to make the rule match only packets with the SYN flag set, which is set only on new connection attempts.
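To make the difference between the two approaches concrete, here is an added example (not part of either answer above) that applies the same test `--syn` applies in the kernel, SYN set with ACK and RST clear, to the per-packet LOG output the question's original rule produces. The log lines are constructed, with made-up addresses, ports and timestamps, in the format the LOG target writes to the kernel log (note that a --log-prefix without a trailing space runs straight into the IN= field, exactly as the question's prefix would). The function names are my own.

```shell
#!/bin/sh
# Keep only the LOG lines that describe a new outgoing TCP connection.
# In the kernel, `--syn` matches packets with SYN set and ACK and RST clear,
# so a rule like the following (assumed form, built from the answer above)
# would write one line per connection attempt instead of one per packet:
#   iptables -I OUTPUT -p tcp --syn --dport 22 -j LOG --log-prefix "outgoing ssh connection: "
# This script reproduces that filter on already-captured log lines.

# Read LOG lines on stdin, print those with SYN set and ACK/RST clear.
syn_only() {
    awk '
        /PROTO=TCP/ {
            syn = 0; ack = 0; rst = 0
            # The LOG target prints set TCP flags as separate words (e.g. "ACK PSH").
            for (i = 1; i <= NF; i++) {
                if ($i == "SYN") syn = 1
                if ($i == "ACK") ack = 1
                if ($i == "RST") rst = 1
            }
            if (syn && !ack && !rst) print
        }'
}

# Count the connection-establishing lines in the input.
count_new_connections() {
    syn_only | wc -l | tr -d ' '
}

# Constructed sample: what the question's per-packet rule logs for one SSH
# session to 192.0.2.20 (handshake, data, teardown) followed by a second
# connection attempt to 192.0.2.30. All values are invented.
SAMPLE_LOG='Jan 12 10:00:01 host kernel: [100.001] outgoing ssh connectionIN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Jan 12 10:00:01 host kernel: [100.002] outgoing ssh connectionIN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=115 RES=0x00 ACK URGP=0
Jan 12 10:00:01 host kernel: [100.003] outgoing ssh connectionIN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.20 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=115 RES=0x00 ACK PSH URGP=0
Jan 12 10:00:05 host kernel: [104.000] outgoing ssh connectionIN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=115 RES=0x00 ACK FIN URGP=0
Jan 12 10:00:09 host kernel: [108.000] outgoing ssh connectionIN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0'

# Demo: five logged packets, of which two are connection attempts.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | syn_only
}

demo
```

Of the five packets the original rule logged, only the two SYN lines survive, one per connection attempt, which is what the `--syn` rule would have written in the first place. One caveat worth knowing for monitoring: a SYN that gets no answer is retransmitted, and each retransmission is a separate packet with SYN set, so a host that cannot reach its target produces several lines for a single attempt under either `--syn` or `--ctstate NEW`.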