iptables with syslog-ng on Gentoo

Please note that this blog has moved and now has its own domain: mynixworld.info 🙂 The latest version of this article (recommended) is available there.

If you use syslog-ng to log your Linux kernel's messages into /var/log/messages and you want some of those messages (selected by a filter of your own) to go into a separate log file instead (e.g. your firewall log entries), here is what you have to do:

  • edit the syslog-ng configuration file (/etc/syslog-ng/syslog-ng.conf):
    • create a new destination entry specially designed for your firewall log
    • create a new filter that grabs only the entries related to the firewall
    • log the entries selected by your custom filter to your custom destination file
  • restart/reload your syslog-ng service

In the example below I've edited the default syslog-ng.conf file: I've added lines 18, 28 and 34 and changed the default line 25 (the added and changed lines are the ones preceded by a comment in the listing):

# Syslog-ng default configuration file for Gentoo Linux
# (abridged: the unchanged default entries are omitted here)

options { };

source src {
    unix-stream("/dev/log" max-connections(256));
};

destination messages { file("/var/log/messages"); };

# your custom firewall destination
destination firewall { file("/var/log/firewall.log"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };

# make sure you don't include in /var/log/messages those entries that will go
# into firewall custom log file; this is exactly "not f_firewall": anything that
# does not carry both an IN= and an OUT= field
filter f_kernel { not match("IN=" value(MSG)) or not match("OUT=" value(MSG)); };

# your custom firewall filter: iptables LOG lines always carry both IN= and OUT=
filter f_firewall { match("IN=" value(MSG)) and match("OUT=" value(MSG)); };

log { source(src); filter(f_kernel); destination(messages); };
log { source(src); filter(f_kernel); destination(console_all); };

# your custom firewall log entry
log { source(src); filter(f_firewall); destination(firewall); };
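To see what the two filters above actually do before touching a live box, here is an added Python simulation (not part of the original post and not syslog-ng code) that replays the filter logic of f_kernel, f_firewall and the three log statements over a few constructed messages. The IPT: variant is an assumption of mine: it only works if your iptables rules log with `-j LOG --log-prefix "IPT: "`, which the post's configuration does not rely on.

```python
import re

# Constructed sample messages as syslog-ng's $MSG would see them (the part after
# the "kernel:" / "daemon[pid]:" program field). Not taken from the original post.
IPTABLES_LINES = [
    "IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.7 "
    "DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN",
    "IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.3 PROTO=UDP SPT=53412 DPT=53",
]
OTHER_LINES = [
    "usb 1-1: new high-speed USB device number 3 using ehci_hcd",
    "eth0: link up, 1000Mbps, full-duplex",
    # /dev/log is shared by every daemon, so a non-kernel line that happens to
    # contain both tokens is diverted into firewall.log as well (the caveat).
    "tunnel reconfigured: IN=tun0 OUT=tun1",
]

def f_firewall(msg):
    """filter f_firewall { match("IN=" value(MSG)) and match("OUT=" value(MSG)); };"""
    return bool(re.search("IN=", msg)) and bool(re.search("OUT=", msg))

def f_kernel(msg):
    """filter f_kernel { not match("IN=" ...) or not match("OUT=" ...); };
    By De Morgan this is exactly `not f_firewall(msg)`."""
    return not re.search("IN=", msg) or not re.search("OUT=", msg)

def f_firewall_prefixed(msg):
    """Tighter alternative (assumption: rules use `-j LOG --log-prefix "IPT: "`),
    equivalent to filter f_firewall { match("^IPT: " value(MSG)); };"""
    return re.search(r"^IPT: ", msg) is not None

def route(messages, firewall_filter=f_firewall, other_filter=f_kernel):
    """Replay the three log{} statements: return {destination: [msg, ...]}."""
    routed = {"messages": [], "console_all": [], "firewall": []}
    for msg in messages:
        if other_filter(msg):
            routed["messages"].append(msg)
            routed["console_all"].append(msg)
        if firewall_filter(msg):
            routed["firewall"].append(msg)
    return routed

def is_partition(messages, firewall_filter=f_firewall, other_filter=f_kernel):
    """True when every message lands in exactly one of messages / firewall.log."""
    return all(firewall_filter(m) != other_filter(m) for m in messages)

if __name__ == "__main__":
    for dest, lines in route(IPTABLES_LINES + OTHER_LINES).items():
        print(f"{dest}: {len(lines)} line(s)")
```

The run shows the third "other" line ending up in firewall.log; a prefix-based filter avoids that because only the LOG target writes the prefix.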

About Eugen Mihailescu

Always looking to learn more about *nix world, about the fundamental concepts of arithmetic, algebra and geometry. I am also passionate about programming, database and systems administration.