使用rsyslog單獨保存iptables log日誌實踐

前言

iptables做爲經典的軟件防火牆你們已經很熟悉了，不過各位應該比較少會使用到log日誌記錄保存的功能。此次由於Ngnix stream模塊的編譯和獲取realip(ngx_http_realip_module / ngx_stream_realip_module)的方案改動成本太高，退而求其次的方式是經過iptables作轉發，須要解決的問題就是如何保存日誌和按時間rotate。本來計劃使用Filebeat直接接入EFK但由於某些緣由暫時擱淺了，最後選擇比較簡單的rsyslog在本地服務器上作處理。

使用rsyslog單獨保存iptables log日誌實踐

更新歷史

2019年05月09日 - 初稿

閱讀原文 - https://wsgzao.github.io/post...

擴展閱讀

rsyslog - https://www.rsyslog.com/guides/
How to Enable Logging in Iptables on Linux - https://tecadmin.net/enable-l...

---

RedHat官方教程

How to configure syslog to log the iptables messages to a different log file in Red Hat Enterprise Linux 5/6/7

Environment

Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
syslog

Issue

• How to modify the iptables rules to let it log at the appropriate level?
• How to configure syslog to log the iptables messages to a different log file?
• To stop iptables messages to get logged into /var/log/messages ?

Resolution

# Make a backup of /etc/syslog.conf before making any changes to it.
cp /etc/syslog.conf /etc/syslog.conf.bak

# Edit /etc/syslog.conf with an editor such as vi and add lines:
# comment iptables log
kern.warning                    /var/log/iptables

# Make sure the iptables rule is logging at the appropriate level. This can be done by using the log-level switch. Default log-level is warning.
# Below example will log ssh attempts:
iptables -I INPUT -p tcp --dport 22 -j LOG --log-level 4

# Note: Log Levels can be found using command:
man syslog

# Note: Consider adding a prefix to your iptables rule. This makes it easier to separate the firewall message from the few random messages that the kernel puts out. 
# Below example use to log ping and add the prefix "#### Firewall ####".
iptables -I INPUT -p icmp --icmp-type ping -j LOG --log-prefix "#### Firewall ####"

# Note:- Follow below steps if iptables print all the logs on the console:-
# Step1:- Add below entry in /etc/sysctl.conf
kernel.printk = 4 1 1 7
# Step2:- Run below command to make changes effectively at runtime.
/sbin/sysctl -p /etc/sysctl.conf
# Step3:- Check the changes at below file.
cat /proc/sys/kernel/printk

我的實踐過程

iptables防火牆日誌

# 修改防火牆NAT表中的PREROUTING和POSTROUTING鏈，添加自定義log-prefix
vim /etc/sysconfig/iptables

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -d <IP> --dport 443 -j LOG --log-prefix seatalk:
-A PREROUTING -p tcp -d <IP> --dport 443 -j DNAT --to-destination 10.71.19.142:443
-A POSTROUTING -j MASQUERADE
COMMIT

# 重啓iptables
service iptables reload

配置rsyslog讀取和保存iptables日誌

rsyslog 是一個 syslogd 的多線程加強版。如今 Fedora 和 Ubuntu, rhel6 默認的日誌系統都是 rsyslog 了。

rsyslog 負責寫入日誌，logrotate 負責備份和刪除舊日誌，以及更新日誌文件

# 建立iptables日誌目錄
mkdir -p /var/log/iptables/

# 編輯rsyslog.conf
vim /etc/rsyslog.conf
# Save iptables log
kern.warning /var/log/iptables/iptables.log

# 重啓rsyslog
service rsyslog restart

配置log rotate

rotate 輪換，日誌切換

logrotate 是一個日誌管理程序，用來把舊的日誌文件刪除（備份），並建立新的日誌文件，這個過程稱爲 "轉儲"。咱們能夠根據日誌的大小，或者根據其使用的天數來轉儲。

# 添加iptables log rotate策略
vim /etc/logrotate.d/iptables

/var/log/iptables/iptables.log {
        daily
        rotate 7
        compress
        delaycompress
        missingok
        notifempty
        create 0664 root root
}

# 重啓rsyslog
service rsyslog restart

# 這篇文章有更多實例
rsyslog 和 logrotate 服務 - http://xstarcd.github.io/wiki/Linux/rsyslog_logrotate.html

檢查日誌輸出

若是條件容許建議直接採用EFK一步到位

cd /var/log/iptables
iptables.log
iptables.log-20190512.gz
iptables.log-20190513

cat iptables.log

May 14 15:08:35 <localhost> kernel: IN=em1 OUT= MAC=14:18:77:28:56:59:a0:f8:49:5f:b2:c3:08:00 SRC=<IP> DST=<IP> LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=43701 DF PROTO=TCP SPT=4150 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
May 14 15:09:00 <localhost> kernel: IN=em1 OUT= MAC=14:18:77:28:56:59:00:f8:2c:91:79:43:08:00 SRC=<IP> DST=<IP> LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=31497 DF PROTO=TCP SPT=43586 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0