Enable iptables logging on Ubuntu Linux

The following solution can enable the iptables logging to /var/log/iptables.log:

1. Make sure you have --log-prefix set in your iptables entries. e.g.

   iptables -A INPUT -j LOG --log-prefix "[IPTABLES "

2. Create & edit /etc/rsyslog.d/15-iptables.conf file, and add the following lines:

   :msg,contains,"[IPTABLES " /var/log/iptables.log
   & ~
   

3. Create & edit /etc/logrotate.d/iptables file, and add the following lines:

   /var/log/iptables.log
   {
    rotate 4
    weekly
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
     reload rsyslog >/dev/null 2>&1 || true
    endscript
   }
   

4. Restart rsyslogd:

   sudo /etc/init.d/rsyslog restart

NOTE:

In the solution above, [IPTABLES is used as the --log-prefix. You can replace it with anything you like but remember to update /etc/rsyslog.d/15-iptables.conf file.

References:

• Packet logging with iptables
• How can I set up log messege in iptables firewall?
• logrotate
• Force iptables to log messages to a different log file
• iptables: add chains
• iptables: logging
• syslog: log levels
• Enable iptables logging on Ubuntu Linux
• iptables: add new chains to log drop/accept messages