rsyslog filtering iptables from messages

rsyslog filtering iptables from messages

Where did we come from?
Why are we here?
Where do we go when we die?

(Dream Theater – Spirit carries on)

I tend to face problem of iptables DOS-ing my log files every now and then. If I can, i tend to use ULOG target and leave iptables logs to ulogd. But, sometimes ulogd is not an option – for example on shared OpenVZ hosting. So, today I decided to harness the power of rsyslogd.

Rsyslogd is new standard daemon for logging on major linux distrubtions, that replaced old sys(k)logd. It has powerful regex and scripting engine builtin, which can be used for many cool things.

So, to solve problem of iptables logs, let’s first mark them somehow, so that we can later recognize them. This is example rules that generates logs:

-A INPUT   -j LOG --log-level info --log-prefix "iptables INPUT   DROP: "
-A FORWARD -j LOG --log-level info --log-prefix "iptables FORWARD DROP: "

Offcourse, this is written in ‘iptables-save/restore’ format.

It’s obvious we can recognize log entry by the word ‘iptables’.

Now, lets add the following to rsyslog.conf:

:msg, startswith, "iptables"				/var/log/iptables

Note that these two lines have to be before the ‘/var/log/messages’ entry to take effect.

The first line directs rsyslog to send all messages that start with “iptables” to /var/log/iptables, and the second line discards those messages. So, that magical discard is what cleans out iptables noise from all subsequent logging files in rsyslog.conf.

Save the rsyslog.conf and restart daemon, and that’s it!

