The Community ENTerprise Operating System
https://forums.centos.org/

How to send firewall events (reject/drop) to rsyslog
Posted: 2017/04/19 15:40:16

without rewriting all the rules to add the log option to them?
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Log iptables messages to their own file and stop further processing.
# Kernel LOG messages normally carry the app-name "kernel", so this first
# filter only matches if the tag has been rewritten to "iptables".
:app-name, startswith, "iptables" -/var/log/iptables/iptables.log
& stop
#:msg, startswith, "IPTABLES_" -/var/log/iptables/iptables.log
#& stop
# Match on the --log-prefix set in the iptables LOG rules ...
:msg, startswith, "iptables: " -/var/log/iptables/iptables.log
& stop
# ... and also when the kernel timestamp "[12345.678901] " precedes the prefix.
:msg, regex, "^\[ *[0-9]*\.[0-9]*\] iptables: " -/var/log/iptables/iptables.log
& stop
#:msg, regex, "^.*iptables.*" -/var/log/iptables/iptables.log
#& stop
# Catch LOG lines from rules that set no prefix: every netfilter LOG message
# carries both an IN= and an OUT= field. Write them to a separate file and stop.
if ($syslogfacility-text == 'kern') and \
($msg contains 'IN=' and $msg contains 'OUT=') \
then {
    action(type="omfile" file="/var/log/firewall")
    stop
}
# Catch-all for anything else that mentions iptables: the first line writes it to
# iptables.log and lets processing continue, the second writes it to the
# catch-all file and then stops.
:msg, regex, "^.*iptables" -/var/log/iptables/iptables.log
:msg, regex, "^.*iptables" -/var/log/iptables/iptables_catchall.log
& stop
*filter
. . .
:LOG_ACCEPT - [0:0]
# Send UDP/1194 through the logging chain instead of a plain -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j LOG_ACCEPT
. . .
# LOG emits a kernel message (facility kern, level 6 = info) starting with this
# prefix, which is what the rsyslog filters match on; the packet then continues
# to the ACCEPT rule below.
-A LOG_ACCEPT -j LOG --log-prefix "iptables: ACCEPT: " --log-level 6
-A LOG_ACCEPT -j ACCEPT
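Once the LOG lines land in their own file, the next thing one usually wants is to parse them. The following is an added example, not code from the thread: a small Python parser for netfilter LOG messages as rsyslog writes them (traditional syslog header, optional kernel timestamp, optional --log-prefix, then KEY=VALUE fields). It relies on the same property the RainerScript filter above does, that every LOG message carries both IN= and OUT=, and derives the verdict from the prefix convention used in the LOG_ACCEPT chain ("iptables: ACCEPT: ", and by extension "iptables: DROP: " / "iptables: REJECT: "). The hostname, addresses and sample lines are constructed for the example.

```python
# Added example (not from the forum thread): parse netfilter LOG lines as rsyslog
# writes them and count dropped/rejected traffic per source address.
import re
from collections import Counter

# Traditional rsyslog header: "Apr 19 15:40:16 host tag[pid]: message"
SYSLOG_HDR = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+(?P<tag>[^:\s\[]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)

# Netfilter LOG message: optional kernel timestamp "[ 1234.567890] ", whatever
# --log-prefix the rule set, then the field list, which always starts "IN=... OUT=..."
LOG_RE = re.compile(
    r"^(?:\[\s*\d+\.\d+\]\s*)?(?P<prefix>.*?)\s*(?P<fields>IN=\S*\s+OUT=.*)$"
)

# Constructed sample lines (hostname "gw", documentation addresses); the fourth
# line comes from a rule with a bare "-j LOG" (no prefix, no kernel timestamp),
# the last one is not a firewall message at all.
SAMPLE_LOG = """\
Apr 19 15:40:16 gw kernel: [ 1234.567890] iptables: ACCEPT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 PROTO=UDP SPT=51234 DPT=1194 LEN=40
Apr 19 15:40:17 gw kernel: [ 1235.000001] iptables: DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=0 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 19 15:40:18 gw kernel: iptables: REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 19 15:40:19 gw kernel: IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=192.0.2.9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Apr 19 15:40:20 gw sshd[1234]: Accepted publickey for root from 10.0.0.5 port 50000 ssh2
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_log_line(line):
    """Return {"prefix": ..., "flags": [...], FIELD: value, ...} for a netfilter
    LOG line, or None for anything else (non-kernel tag, no IN=/OUT= pair)."""
    m = SYSLOG_HDR.match(line.rstrip("\n"))
    if m:
        if m.group("tag") != "kernel":   # same idea as the $syslogfacility-text == 'kern' check
            return None
        msg = m.group("msg")
    else:
        msg = line.strip()               # raw kernel message without syslog header
    m = LOG_RE.match(msg)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip(), "flags": []}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if sep:
            # LEN and ID occur twice (IP header, then UDP/ICMP); keep the IP-header value
            rec.setdefault(key, val)
        else:
            rec["flags"].append(tok)     # valueless tokens such as DF, SYN, ACK
    return rec


def verdict(rec):
    """Derive the verdict from the --log-prefix convention "iptables: <VERDICT>: "."""
    for v in ("ACCEPT", "DROP", "REJECT"):
        if v in rec["prefix"].upper():
            return v
    return "UNKNOWN"                     # rule logged without a recognisable prefix


def blocked_sources(lines):
    """Count DROP/REJECT log lines per source address."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec and verdict(rec) in ("DROP", "REJECT"):
            counts[rec.get("SRC", "?")] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_log_line(line)
        if rec:
            print(verdict(rec), rec.get("SRC"), "->", rec.get("DST"), rec.get("PROTO"), rec.get("DPT"))
    print("blocked per source:", blocked_sources(SAMPLE_LINES))
```

Run it against the real file with `python3 parse_fw.py < /var/log/firewall` after swapping `SAMPLE_LINES` for `sys.stdin`; lines written by rules with no prefix still parse (verdict "UNKNOWN"), which is a quick way to find rules that should get a prefix.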