It should use something like info and then put a line in syslog.conf for kern.info /var/log/iptables

Ahhh, but this is the command he started with, and it logs to both files by default.

I've wanted to do this for some time so I did a little hacking of syslog.conf file and here's what I've got so far:

1. Log level "info" is used by the kernel pretty regularly, so I changed my iptables log levels to "debug". Since every kernel message with a log level of debug will show up in this file, I selected a log level that my system rarely uses. Your mileage may vary.

    iptables . . . -j LOG --log-level debug --log-prefix "your_prefix:"

2. Add a statement in your syslog.conf file:

    kern.=debug -/var/log/iptables.log

   This will send only kernel debug level messages to your file. If you don't use the "=" then all messages at debug level or higher (everything) will go to your file. The "-" before the log file name allows the system to delay logging to this file during times of heavy kernel load.

3. Modify the syslog.conf line that points to your /var/log/messages file by adding "kern.!=debug" to exclude (only) debug messages. In my case the line now looks like this:

    *.*;mail.none;news.none;kern.!=debug -/var/log/messages

4. Restart syslog (this may not be necessary but it's a quick way to see if things are going where you expected) and reload your iptables rules.

My apologies for the early morning stupidity. I've found another cup of coffee often relieves this condition ;-)

I'm not much of a script writer on a good day (after coffee) so I welcome any suggested corrections or improvements.

Jeff
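
The selector behaviour the message relies on ("=", "!=", "none", and later terms overriding earlier ones) can be checked offline with a small model. This is an added example, not part of the original post: it is a simplified Python model of classic sysklogd-style selector matching, and the function names and the shortened facility list are assumptions made for the illustration.

```python
# Simplified model of sysklogd-style selector matching (added example).
# Priorities are ordered from most to least severe; "debug" is the lowest.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news"]

def compile_selector(selector):
    """Return {facility: set of matching priorities}.

    Terms separated by ';' are applied left to right, so a later term
    (for example kern.!=debug) overrides an earlier one (for example *.*).
    """
    mask = {f: set() for f in FACILITIES}
    for term in selector.split(";"):
        facs, prio = term.rsplit(".", 1)
        negate = prio.startswith("!")      # "!" removes instead of adds
        prio = prio.lstrip("!")
        exact = prio.startswith("=")       # "=" means this priority only
        prio = prio.lstrip("=")
        targets = FACILITIES if facs == "*" else facs.split(",")
        if prio == "none":                 # facility.none drops the facility
            chosen, negate = set(PRIORITIES), True
        elif prio == "*":
            chosen = set(PRIORITIES)
        elif exact:
            chosen = {prio}
        else:                              # bare priority: that level and higher
            chosen = set(PRIORITIES[: PRIORITIES.index(prio) + 1])
        for f in targets:
            mask[f] = mask[f] - chosen if negate else mask[f] | chosen
    return mask

def destinations(rules, facility, priority):
    """List the log files a message with this facility/priority is written to."""
    return [action.lstrip("-") for selector, action in rules
            if priority in compile_selector(selector)[facility]]

# The two syslog.conf lines from the message above.
RULES = [
    ("kern.=debug", "-/var/log/iptables.log"),
    ("*.*;mail.none;news.none;kern.!=debug", "-/var/log/messages"),
]

if __name__ == "__main__":
    for fac, prio in [("kern", "debug"), ("kern", "info"), ("daemon", "debug")]:
        print(f"{fac}.{prio} ->", destinations(RULES, fac, prio))
```

Running it shows kernel debug messages going only to /var/log/iptables.log, while kernel messages at other levels and debug messages from other facilities still reach /var/log/messages.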