
I want to log iptables messages in a separate log file, and not in /var/log/syslog.

I understand if you want to log something exclusively to a separate file, you make sure the syslog rules you want are read before the defaults, and put & stop at the end to prevent that rule being read in again (and displayed in syslog). The order of config files in /etc/rsyslog.d is alphabetical.

I've named my config 10-iptables.conf so it should come before 50-default.conf. It contains:

:msg,contains,"[BLOCKED]" /var/log/iptables.log
& stop

My iptables logging rule looks like this:

-j LOG --log-prefix "[BLOCKED]" -m limit --limit 3/min --limit-burst 10

My /etc/syslogd/50-default.conf looks like this (the Ubuntu default config):

auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
kern.*                          -/var/log/kern.log
mail.*                          -/var/log/mail.log
mail.err                        /var/log/mail.err
*.emerg                         :omusrmsg:*

However, I see iptables messages in both syslog and my separate file.

It seems like the & stop option isn't working, so perhaps my understanding is incorrect. Does anyone know how I can stop putting these messages into /var/log/syslog?
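The processing order the question describes, as an added example that is not part of the original post: a small Python model (not rsyslog itself) of lexical file ordering, the `:msg,contains` filter and `& stop`, run over trimmed, constructed copies of the two files quoted above. The function names and the sample kernel message are assumptions made for the illustration.

```python
import re

# Constructed, trimmed copies of the two files quoted in the question.
CONFIGS = {
    "10-iptables.conf": ':msg,contains,"[BLOCKED]" /var/log/iptables.log\n& stop\n',
    "50-default.conf": (
        "auth,authpriv.*                 /var/log/auth.log\n"
        "*.*;auth,authpriv.none          -/var/log/syslog\n"
        "kern.*                          -/var/log/kern.log\n"
    ),
}

def selector_matches(selector, facility):
    """Evaluate a facility.priority selector; only '*' and 'none' priorities are modelled."""
    matched = False
    for part in selector.split(";"):
        facilities, priority = part.rsplit(".", 1)
        if facilities == "*" or facility in facilities.split(","):
            matched = priority != "none"   # a later 'none' part cancels an earlier match
    return matched

def destinations(configs, facility, msg):
    """Return the files a message is written to, reading configs in lexical order."""
    written, last_matched = [], False
    for name in sorted(configs):                  # rsyslog.d files load in sorted order
        for line in configs[name].splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("&"):              # action chained to the previous filter
                if last_matched and line[1:].strip() == "stop":
                    return written                # message is discarded at this point
                continue
            prop = re.match(r':msg,\s*contains,\s*"([^"]*)"\s+(\S+)', line)
            if prop:
                last_matched, target = prop.group(1) in msg, prop.group(2)
            else:
                selector, target = line.split(None, 1)
                last_matched = selector_matches(selector, facility)
            if last_matched:
                written.append(target.strip().lstrip("-"))  # leading '-' only disables sync
    return written

if __name__ == "__main__":
    sample = "[BLOCKED]IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=23"  # constructed
    print(destinations(CONFIGS, "kern", sample))
```

In this model the filter only keeps the message out of /var/log/syslog when its file sorts ahead of 50-default.conf; the same rule in a file that sorts later still runs, but after the default rules have already written the message.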
