Preface

iptables is a classic software firewall that everyone knows well, but few people ever use its log recording feature. In this case, compiling the Nginx stream module and getting the real client IP (ngx_http_realip_module / ngx_stream_realip_module) would have been too costly a change, so the fallback was to forward traffic with iptables; the problem to solve was how to save the logs and rotate them by time. The original plan was to feed Filebeat straight into EFK, but for various reasons that was shelved for now, and in the end I chose the simpler option of handling it locally on the server with rsyslog.

Hands-on: saving iptables logs to a separate file with rsyslog

Update history

2019-05-09 - First draft

Read the original - https://wsgzao.github.io/post/iptables-log/

Further reading

rsyslog - https://www.rsyslog.com/guides/
How to Enable Logging in Iptables on Linux - https://tecadmin.net/enable-logging-in-iptables-on-linux/


Red Hat official tutorial

How to configure syslog to log the iptables messages to a different log file in Red Hat Enterprise Linux 5/6/7

Environment

Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
syslog

Issue

  • How to modify the iptables rules so that they log at the appropriate level?
  • How to configure syslog to log the iptables messages to a different log file?
  • How to stop iptables messages from being logged to /var/log/messages?

Resolution

# Make a backup of /etc/syslog.conf before making any changes to it.
cp /etc/syslog.conf /etc/syslog.conf.bak

# Edit /etc/syslog.conf with an editor such as vi and add the line below.
# Note: kern.warning matches every kernel message at warning level or above, not only iptables.
# iptables log
kern.warning /var/log/iptables

# Make sure the iptables rule is logging at the appropriate level. This can be done with the --log-level switch. The default log level is warning (4).
# The example below logs ssh attempts:
iptables -I INPUT -p tcp --dport 22 -j LOG --log-level 4

# Note: the log levels are described in:
man syslog

# Note: consider adding a prefix to your iptables rule. This makes it easier to separate the firewall messages from the few random messages that the kernel puts out.
# The example below logs ping and adds the prefix "#### Firewall ####".
iptables -I INPUT -p icmp --icmp-type ping -j LOG --log-prefix "#### Firewall ####"

# Note: follow the steps below if iptables prints all the logs on the console.
# Step 1: add the entry below to /etc/sysctl.conf
kernel.printk = 4 1 1 7
# Step 2: run the command below to apply the change at runtime.
/sbin/sysctl -p /etc/sysctl.conf
# Step 3: check the change in the file below.
cat /proc/sys/kernel/printk

My own setup

iptables firewall logs

# Edit the PREROUTING and POSTROUTING chains of the nat table and add a custom log-prefix
vim /etc/sysconfig/iptables

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# LOG is non-terminating, so it has to come before the DNAT rule. Rules in the nat table
# only see the first packet of each connection, so this writes one line per new connection.
# The prefix has no trailing space, so the records start with "seatalk:IN=..."
-A PREROUTING -p tcp -d <IP> --dport 443 -j LOG --log-prefix seatalk:
-A PREROUTING -p tcp -d <IP> --dport 443 -j DNAT --to-destination 10.71.19.142:443
-A POSTROUTING -j MASQUERADE
COMMIT

# Reload iptables
service iptables reload

Configuring rsyslog to read and save the iptables logs

rsyslog is a multi-threaded, enhanced version of syslogd. Fedora / RHEL / CentOS / Ubuntu all use rsyslog as their default logging system now.

rsyslog writes the logs; logrotate backs up and deletes old logs and creates the fresh log file.

# Create the iptables log directory
mkdir -p /var/log/iptables/

# Edit rsyslog.conf
vim /etc/rsyslog.conf
# Save iptables log
# Put this line before the rule that writes /var/log/messages. To keep the iptables lines out of
# /var/log/messages as well, follow it with "& stop" (rsyslog 7+; "& ~" on older versions).
kern.warning /var/log/iptables/iptables.log

# Restart rsyslog
service rsyslog restart

Configuring log rotation

rotate: rotation, switching to a new log file

logrotate is a log management program that removes (backs up) old log files and creates new ones; this process is called "rotation". Logs can be rotated based on their size or on the number of days they have been in use.

# Add a logrotate policy for the iptables log
vim /etc/logrotate.d/iptables

/var/log/iptables/iptables.log {
daily
rotate 7
compress
delaycompress
missingok
notifempty
# 0664 leaves the file world-readable and group-writable; 0640 is the usual choice for firewall logs
create 0664 root root
}
# Note: with "create", rsyslog keeps writing to the renamed file until it is signalled;
# the stock /etc/logrotate.d/syslog handles this with a postrotate block that HUPs rsyslog.

# Restart rsyslog
service rsyslog restart

# This article has more examples
rsyslog and logrotate services - http://xstarcd.github.io/wiki/Linux/rsyslog_logrotate.html

Checking the log output

If circumstances allow, I would recommend going straight to EFK in one step.

cd /var/log/iptables
iptables.log
iptables.log-20190512.gz
iptables.log-20190513

cat iptables.log

May 14 15:08:35 <localhost> kernel: IN=em1 OUT= MAC=14:18:77:28:56:59:a0:f8:49:5f:b2:c3:08:00 SRC=<IP> DST=<IP> LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43701 DF PROTO=TCP SPT=4150 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
May 14 15:09:00 <localhost> kernel: IN=em1 OUT= MAC=14:18:77:28:56:59:00:f8:2c:91:79:43:08:00 SRC=<IP> DST=<IP> LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=31497 DF PROTO=TCP SPT=43586 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
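As an added example that is not part of the original post, here is a small Python parser for the record format shown above: it splits the kernel's key=value fields, filters on the `--log-prefix` so that unrelated kern.warning messages sharing the file are skipped, and counts new connections (SYN) per source for the forwarded port. The sample lines, host name and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample of /var/log/iptables/iptables.log as written by the rsyslog
# rule above, carrying the "seatalk:" prefix from the PREROUTING LOG rule.
# Addresses are documentation placeholders; the last line is an unrelated kernel
# warning that lands in the same file because kern.warning matches all of them.
SAMPLE_LOG = """\
May 14 15:08:35 fw01 kernel: seatalk:IN=em1 OUT= MAC=14:18:77:28:56:59:a0:f8:49:5f:b2:c3:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43701 DF PROTO=TCP SPT=4150 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
May 14 15:09:00 fw01 kernel: seatalk:IN=em1 OUT= MAC=14:18:77:28:56:59:00:f8:2c:91:79:43:08:00 SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=31497 DF PROTO=TCP SPT=43586 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
May 14 15:09:02 fw01 kernel: seatalk:IN=em1 OUT= MAC=14:18:77:28:56:59:a0:f8:49:5f:b2:c3:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43702 DF PROTO=TCP SPT=4151 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
May 14 15:10:00 fw01 kernel: usb 1-1: device descriptor read/64, error -71
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<body>.*)$")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")      # IN=em1, OUT=, SRC=..., DPT=443 ...
FLAGS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}   # bare tokens without "="


def parse_line(line, prefix=None):
    """Return a dict of the LOG target's fields, or None when the line is not an
    iptables record (or does not carry the expected --log-prefix)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    body = m.group("body")
    if prefix is not None:
        if not body.startswith(prefix):
            return None                      # some other kernel warning in the file
        body = body[len(prefix):]
    if not body.startswith("IN="):
        return None                          # not an iptables LOG record at all
    rec = {"ts": m.group("ts"), "host": m.group("host"), "prefix": prefix}
    rec.update(KV_RE.findall(body))
    rec["flags"] = sorted(t for t in body.split() if t in FLAGS)
    return rec


def syn_count_by_src(text, prefix=None, dport=None):
    """Count new-connection (SYN) records per source address, optionally limited to
    one destination port: a quick view of who is reaching the forwarded port."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line, prefix)
        if rec is None or "SYN" not in rec["flags"]:
            continue
        if dport is not None and rec.get("DPT") != str(dport):
            continue
        counts[rec["SRC"]] += 1
    return counts
```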
