iptables logging flooding /var/log/messages

ubuntu iptables log-files

I am running Ubuntu Server, pretty recent, which is set up as a NAT router.

I have an iptables script that runs during boot to set up NAT, port forwarding etc.

I am trying to diagnose an unrelated problem with the box, but /var/log/messages, /var/log/syslog and /var/log/kern.log are all flooded with messages from iptables like this:

Oct 21 11:25:27 skip kernel: [39380.812663] INPUT packet died: IN=eth1 OUT= MAC=00:40:63:d9:7c:5b:00:03:fa:a9:d7:4a:08:00 SRC=24.207.21.237 DST=94.192.123.123 LEN=111 TOS=0x00 PREC=0x00 TTL=54 ID=16494 PROTO=UDP SPT=48865 DPT=20663 LEN=91

I can't find any documentation that makes it clear how to change the way iptables logs output. What I ideally want is for NONE of the iptables stuff to go to any of the above files, but instead to /var/log/iptables.


Solution 1:

It's that script. Remove the logging.

If you really want logs (and if you're not reading them then why bother?) then use ULOGD:

http://www.netfilter.org/projects/ulogd/index.html

Solution 2:

I can't find any documentation that makes it clear how to change the way iptables logs output. What I ideally want is for NONE of the iptables stuff to go to any of the above files, but instead to /var/log/iptables.

By default iptables stuff gets sent to syslog with a facility of kern and a priority of info.

You could choose to switch to a more advanced syslog and then build a filter based on a pattern, or you could just send all the kern.info stuff to /var/log/iptables. You may get things other then iptables in your iptables log.

Assuming you haven't already replaced the syslog that is installed. You might want to make changes like want are shown by the diff below.

--- syslog.conf 2008-08-29 17:40:57.000000000 -0700
+++ syslog.conf.tmp 2009-10-21 10:06:14.000000000 -0700
@@ -8,14 +8,17 @@
 #

 auth,authpriv.*            /var/log/auth.log
-*.*;auth,authpriv.none     -/var/log/syslog
+*.*;kern.!info;\
+    auth,authpriv.none     -/var/log/syslog
 #cron.*                /var/log/cron.log
 daemon.*           -/var/log/daemon.log
-kern.*             -/var/log/kern.log
+kern.*;kern.!info      -/var/log/kern.log
 lpr.*              -/var/log/lpr.log
 mail.*             -/var/log/mail.log
 user.*             -/var/log/user.log

+kern.info          -/var/log/iptables.log
+
 #
 # Logging for the mail system.  Split it up so that
 # it is easy to write scripts to parse these files.
@@ -37,6 +40,7 @@
    auth,authpriv.none;\
    news.none;mail.none -/var/log/debug
 *.=info;*.=notice;*.=warning;\
+        kern.!info;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none      -/var/log/messages

By editing your iptables rules you can change the priority of the log entries being sent to the syslog and you can add a prefix to filter on with a more advanced syslog.

Or you can use the ULOG target like LapTop006 mentioned and then pass it off to a user space daemon like ulogd, specter, or others.

Related

Automatically run a script on an uploaded FTP file
"wget --mirror" Alternative
DEBIAN repository signing: a step-by-step guide
Linux alternative for FreeBSD systat tool
How to fix 'Repository moved permanently to'? using VisualSVN / Subversion
Multiple SSL Certificate on Apache
Patching AIX systems - patches are where? how to apply?
Which is best or good book or tutorial to understand linux file or directory structure
How can I create a Single-purpose keys (ssh) for use with scp?
Audit CPU and memory usage for cron jobs
Restore DB2 database
Are "unexportable" certificates a real security measure or just security theater?