I just want to log iptables messages to /var/log/iptables.log.
Here is my approach.
sudo vim /etc/rsyslog.conf
kern.* -/var/log/iptables.log
sudo vim /etc/rsyslog.d/iptables.conf
:msg, startswith, "NETFILTER" -/var/log/iptables.log
& ~
sudo iptables -A OUTPUT -m limit --limit 10/m -j LOG --log-prefix NETFILTER
sudo iptables-save > /etc/iptables/rules.v4
sudo systemctl restart rsyslog
Then clear all log messages from /var/log/iptables.log.
sudo echo "" | sudo tee /var/log/iptables.log
Now reboot the computer.
sudo cat /var/log/iptables.log
Nov 19 09:21:29 MiWiFi kernel: [ 7.069752] input: Eee PC WMI hotkeys as /devices/platform/eeepc-wmi/input/input15
Nov 19 09:21:29 MiWiFi kernel: [ 7.069918] asus_wmi: Number of fans: 1
Nov 19 09:21:29 MiWiFi kernel: [ 7.264095] Adding 1952764k swap on /dev/sda5. Priority:-1 extents:1 across:1952764k FS
Nov 19 09:21:29 MiWiFi kernel: [ 11.464093] ip6_tables: (C) 2000-2006 Netfilter Core Team
Nov 19 09:21:31 MiWiFi kernel: [ 13.153842] Netfilter messages via NETLINK v0.30.
Nov 19 09:21:31 MiWiFi kernel: [ 13.529229] r8169 0000:03:00.0: firmware: failed to load rtl_nic/rtl8168g-2.fw (-2)
Nov 19 09:21:31 MiWiFi kernel: [ 13.529300] r8169 0000:03:00.0: Direct firmware load for rtl_nic/rtl8168g-2.fw failed with error -2
Nov 19 09:21:31 MiWiFi kernel: [ 13.529307] r8169 0000:03:00.0 enp3s0: unable to load firmware patch rtl_nic/rtl8168g-2.fw (-2)
Nov 19 09:21:31 MiWiFi kernel: [ 13.542639] r8169 0000:03:00.0 enp3s0: link down
Nov 19 09:21:31 MiWiFi kernel: [ 13.542657] r8169 0000:03:00.0 enp3s0: link down
Nov 19 09:21:31 MiWiFi kernel: [ 13.542749] IPv6: ADDRCONF(NETDEV_UP): enp3s0: link is not ready
Nov 19 09:21:33 MiWiFi kernel: [ 15.517613] NET: Registered protocol family 4
Nov 19 09:21:33 MiWiFi kernel: [ 15.543358] NET: Registered protocol family 3
Nov 19 09:21:33 MiWiFi kernel: [ 15.573343] NET: Registered protocol family 5
Nov 19 09:21:34 MiWiFi kernel: [ 16.105505] r8169 0000:03:00.0 enp3s0: link up
Nov 19 09:21:34 MiWiFi kernel: [ 16.105513] IPv6: ADDRCONF(NETDEV_CHANGE): enp3s0: link becomes ready
Nov 19 09:21:36 MiWiFi kernel: [ 18.128165] NETFILTERIN= OUT=enp3s0 SRC=192.168.31.52 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 MARK=0xd4
Nov 19 09:21:36 MiWiFi kernel: [ 18.173678] NETFILTERIN= OUT=enp3s0 SRC=192.168.31.52 DST=224.0.0.251 LEN=236 TOS=0x00 PREC=0x00 TTL=255 ID=65025 DF PROTO=UDP SPT=5353 DPT=5353 LEN=216
Nov 19 09:21:36 MiWiFi kernel: [ 18.424244] NETFILTERIN= OUT=enp3s0 SRC=192.168.31.52 DST=224.0.0.251 LEN=236 TOS=0x00 PREC=0x00 TTL=255 ID=65028 DF PROTO=UDP SPT=5353 DPT=5353 LEN=216
Nov 19 09:21:36 MiWiFi kernel: [ 18.674976] NETFILTERIN= OUT=enp3s0 SRC=192.168.31.52 DST=224.0.0.251 LEN=236 TOS=0x00 PREC=0x00 TTL=255 ID=65082 DF PROTO=UDP SPT=5353 DPT=5353 LEN=216
Nov 19 09:21:36 MiWiFi kernel: [ 18.812203] NETFILTERIN= OUT=enp3s0 SRC=192.168.31.52 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 MARK=0xd4
Nov 19 09:21:42 MiWiFi kernel: [ 24.142666] fuse init (API version 7.26)
Nov 19 09:21:56 MiWiFi kernel: [ 38.904380] NETFILTERIN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2471 DF PROTO=TCP SPT=59188 DPT=4101 WINDOW=43690 RES=0x00 SYN URGP=0
Part 1 is the kernel boot messages of my computer, as shown below.
Nov 19 09:21:29 MiWiFi kernel: [ 7.069752] input: Eee PC WMI hotkeys as /devices/platform/eeepc-wmi/input/input15
Nov 19 09:21:29 MiWiFi kernel: [ 7.069918] asus_wmi: Number of fans: 1
Nov 19 09:21:29 MiWiFi kernel: [ 7.264095] Adding 1952764k swap on /dev/sda5. Priority:-1 extents:1 across:1952764k FS
Nov 19 09:21:29 MiWiFi kernel: [ 11.464093] ip6_tables: (C) 2000-2006 Netfilter Core Team
Nov 19 09:21:31 MiWiFi kernel: [ 13.153842] Netfilter messages via NETLINK v0.30.
Part 2 is the iptables messages from my computer, as shown below.
Nov 19 09:21:36 MiWiFi kernel: [ 18.812203] NETFILTERIN= OUT=enp3s0 SRC=192.168.31.52 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 MARK=0xd4
Nov 19 09:21:56 MiWiFi kernel: [ 38.904380] NETFILTERIN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2471 DF PROTO=TCP SPT=59188 DPT=4101 WINDOW=43690 RES=0x00 SYN URGP=0
How do I log only the iptables messages (part 2, not part 1) to my /var/log/iptables.log, instead of both the kernel messages and the iptables messages ending up in /var/log/iptables.log?
Answer 1
In your rsyslog.conf example you send
kern.*
AND :msg, startswith, "NETFILTER"
to iptables.log, where kern.*
already includes the iptables messages.
In your example, correct the kern.* destination in rsyslog.conf back to the default kern.log file:
kern.* -/var/log/kern.log
Put this in /etc/rsyslog.d/iptables.conf and reload/restart rsyslog:
:msg, regex, "NETFILTER" -/var/log/iptables.log
& ~
Note "regex" instead of "startswith". If it works, refine the regex string.
Please accept whichever answer you end up using, to close the question.
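As an added example (not code from the question or the answer above), the script below emulates rsyslog's `:msg, startswith` and `:msg, regex` property filters on constructed log lines shaped like the question's output. It shows why `startswith, "NETFILTER"` selects nothing here: in the question's output the message text that follows `kernel: ` begins with the printk timestamp (`[   18.128165] `), not with the prefix, so only an unanchored match (`regex` or `contains`) finds the firewall lines. The emulation assumes the msg property is exactly the text after `kernel: `; the precise leading bytes depend on imklog settings, which is one more reason to prefer an unanchored match. The sample lines and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Emulates rsyslog property filters on constructed kernel log lines to show
# why ":msg, startswith, "NETFILTER"" never matches while ":msg, regex" does.

# Constructed sample lines, same shape as the question's /var/log/iptables.log.
# The "Netfilter messages via NETLINK" line is there to show the match is
# case-sensitive: it contains "Netfilter", not "NETFILTER".
SAMPLE_LOG='Nov 19 09:21:29 MiWiFi kernel: [    7.069918] asus_wmi: Number of fans: 1
Nov 19 09:21:31 MiWiFi kernel: [   13.153842] Netfilter messages via NETLINK v0.30.
Nov 19 09:21:36 MiWiFi kernel: [   18.128165] NETFILTERIN= OUT=enp3s0 SRC=192.168.31.52 DST=224.0.0.22 LEN=40 PROTO=2
Nov 19 09:21:42 MiWiFi kernel: [   24.142666] fuse init (API version 7.26)
Nov 19 09:21:56 MiWiFi kernel: [   38.904380] NETFILTERIN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 PROTO=TCP SPT=59188 DPT=4101 SYN'

# msgs: the emulated "msg" property of every sample line (assumption: the text
# after "kernel: ", which here starts with the printk timestamp).
msgs() {
    printf '%s\n' "$SAMPLE_LOG" | sed 's/^.*kernel: //'
}

# count_startswith PREFIX: how many lines ":msg, startswith, "PREFIX"" selects.
# "|| :" keeps the exit status 0 when grep counts zero matches.
count_startswith() {
    msgs | grep -c -- "^$1" || :
}

# count_regex RE: how many lines ":msg, regex, "RE"" selects.
# rsyslog's "regex" operation is a POSIX BRE, unanchored, like plain grep
# ("ereregex" would be the ERE variant).
count_regex() {
    msgs | grep -c -- "$1" || :
}

# select_regex RE: the full lines that would actually reach iptables.log.
select_regex() {
    printf '%s\n' "$SAMPLE_LOG" | grep -- "$1" || :
}

# iptables_conf: the /etc/rsyslog.d/iptables.conf the answer recommends,
# with "& stop" (the current spelling of the legacy "& ~" discard action).
iptables_conf() {
    cat <<'EOF'
:msg, regex, "NETFILTER" -/var/log/iptables.log
& stop
EOF
}

echo "startswith NETFILTER matches: $(count_startswith NETFILTER)"   # 0
echo "regex NETFILTER matches:      $(count_regex NETFILTER)"        # 2
echo "anchored regex matches:       $(count_regex '^\[ *[0-9.]*\] NETFILTER')"  # 2
echo "lines that would reach /var/log/iptables.log:"
select_regex NETFILTER
echo "recommended /etc/rsyslog.d/iptables.conf:"
iptables_conf
```

Two practical follow-ups. First, the firewall lines read `NETFILTERIN=` because the rule uses `--log-prefix NETFILTER` with no trailing space; `--log-prefix "NETFILTER "` keeps the prefix and the `IN=` field apart and still matches the same filter. Second, rsyslog evaluates rules in file order, so the `regex` rule with its `& stop` (or `& ~`) must be read before the `kern.*` rule, otherwise kern.log receives the firewall lines too; `rsyslogd -N1` checks the configuration for syntax errors before you restart the daemon. If the anchored form `^\[ *[0-9.]*\] NETFILTER` matches on your system, it is the refinement the answer suggests; `:msg, contains, "NETFILTER"` is an equally valid and cheaper substitute for the unanchored regex.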