By default every message of level info and higher (except mail, authpriv and cron) is written to /var/log/messages, which makes it hard to pick the iptables entries out of a long list of unrelated logs.
To send the iptables related logs to a separate file, follow the procedure below.
NOTE: On RHEL 6 the file is /etc/rsyslog.conf (rsyslog); on RHEL 5 and older it is /etc/syslog.conf (sysklogd). The selector syntax below is the same in both.
The iptables LOG target hands its messages to the kernel log buffer, so they arrive with the kern facility. To log all the iptables related messages:
# vi /etc/syslog.conf
# Log all kernel messages to firewall.log.
kern.*                                          /var/log/firewall.log
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# Don't log any kernel messages here, they already go to firewall.log
*.info;mail.none;authpriv.none;cron.none;kern.none      /var/log/messages
Note that kern.* matches every kernel message (driver, OOM killer, hardware events and so on), not only iptables output, so firewall.log will also contain those.
To log iptables messages of warning level and higher
# Log kernel messages of priority warning and above to firewall-warn.log.
kern.warn                                       /var/log/firewall-warn.log
A priority in a selector means that level and every higher level (warn, err, crit, alert, emerg). To match exactly one level, prefix it with an equals sign: kern.=warn logs only the warning level.
To log messages from info level up to err level (info, notice, warning and err, but nothing more severe)
kern.info;kern.!crit                            /var/log/firewall.log
Here kern.info selects info and higher, and kern.!crit then excludes crit and everything above it.
To split the messages by severity into different files
kern.*                                          /var/log/iptables.log
kern.crit                                       /var/log/iptables-crit.log
kern.info                                       /var/log/iptables-info.log
A message that matches more than one selector is written to each matching file, so with these three lines a critical kernel message lands in all three files and an info message in iptables.log and iptables-info.log. Use the =level form if the files are meant to be disjoint.
For more information on severity levels of syslog follow the below link
SYSLOG Tutorial
Once done restart the syslog services
For RHEL 6
# service rsyslog restart
For RHEL 5 or older
# service syslog restart
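The selectors above route on facility, so every kernel message shares the file with the firewall hits. rsyslog on RHEL 6 can instead match on the text that the iptables LOG target writes, that is, on the --log-prefix. The following drop-in is an added example and not part of the original page; the file name /etc/rsyslog.d/iptables.conf and the prefix convention "IPT-" are assumptions of the example.

```conf
# Added example: /etc/rsyslog.d/iptables.conf on RHEL 6 (rsyslog 5 legacy syntax).
# Rules are evaluated in order, so this file must be read before the *.info
# rule that feeds /var/log/messages.
#
# Match on the --log-prefix text instead of on the kern facility: only lines
# produced by iptables LOG rules land here, not every kernel message.
# 'contains' is used rather than 'startswith' because rsyslog keeps the space
# that follows "kernel:" at the start of the msg property.
:msg, contains, "IPT-"          /var/log/iptables.log

# Discard the message once it has been written, so the catch-all rule does not
# copy it into /var/log/messages as well. '~' is the rsyslog 5 discard action;
# rsyslog 7 and later spell it "stop".
& ~
```

Every LOG rule then needs a prefix that carries the marker, for example --log-prefix "IPT-PING " for the ping rule further down. Restart rsyslog as shown above; on rsyslog builds that support it, rsyslogd -N1 checks the configuration syntax before the restart. This property filter is not available in the sysklogd of RHEL 5, which only understands facility.priority selectors.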
Example: log ICMP echo requests from 192.168.1.10 to this host
# iptables -I INPUT -s 192.168.1.10 -p icmp -j LOG --log-prefix "PING TEST "
Two points about the LOG target: it is non-terminating, so the packet continues to the next rule in the chain after being logged, and it writes at priority warning by default (changeable with --log-level), so the entries above will be caught by kern.*, kern.warn and kern.info;kern.!crit, but not by kern.crit. Give each rule a distinct prefix, ending in a space, so the entries can be told apart later, and on a busy host rate-limit the LOG rule with the limit match to stop a flood from filling the log partition.
Now let us verify it in our log file
Try to ping from 192.168.1.10 and observe the log file
# cat /var/log/iptables.log
Mar 6 11:22:36 test1 kernel: PING TEST IN=eth3 OUT= MAC=00:0c:29:51:aa:e1:00:0c:29:a3:f5:fa:08:00 SRC=192.168.1.10 DST=192.168.1.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1037 SEQ=2
Mar 6 11:23:03 test1 kernel: PING TEST IN=eth3 OUT= MAC=00:0c:29:51:aa:e1:00:0c:29:a3:f5:fa:08:00 SRC=192.168.1.10 DST=192.168.1.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=3341 SEQ=1
Mar 6 11:23:04 test1 kernel: PING TEST IN=eth3 OUT= MAC=00:0c:29:51:aa:e1:00:0c:29:a3:f5:fa:08:00 SRC=192.168.1.10 DST=192.168.1.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=3341 SEQ=2
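Once the entries are in their own file, the next step is to read them back by field rather than by eye. The script below is an added example and not code from the original page: it feeds the three PING TEST lines shown above plus three constructed lines (an "SSH DROP" hit, a packet logged with no prefix, and a NIC link message of the kind kern.* also delivers) through a small parser that keeps only iptables LOG output and summarizes hits per prefix, source address and protocol. The function names and the temporary file are the example's own.

```shell
#!/bin/sh
# Added example: summarize iptables LOG entries from a syslog file by
# prefix, SRC and PROTO. Assumes the standard "host kernel: PREFIX IN=... SRC=..."
# line format shown on the page.

# Constructed sample input: the first three lines are the ones shown above,
# the last three are made up for the example.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Mar 6 11:22:36 test1 kernel: PING TEST IN=eth3 OUT= MAC=00:0c:29:51:aa:e1:00:0c:29:a3:f5:fa:08:00 SRC=192.168.1.10 DST=192.168.1.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1037 SEQ=2
Mar 6 11:23:03 test1 kernel: PING TEST IN=eth3 OUT= MAC=00:0c:29:51:aa:e1:00:0c:29:a3:f5:fa:08:00 SRC=192.168.1.10 DST=192.168.1.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=3341 SEQ=1
Mar 6 11:23:04 test1 kernel: PING TEST IN=eth3 OUT= MAC=00:0c:29:51:aa:e1:00:0c:29:a3:f5:fa:08:00 SRC=192.168.1.10 DST=192.168.1.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=3341 SEQ=2
Mar 6 11:30:12 test1 kernel: SSH DROP IN=eth3 OUT= MAC=00:0c:29:51:aa:e1:00:0c:29:a3:f5:fa:08:00 SRC=10.0.0.5 DST=192.168.1.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54321 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 6 11:30:13 test1 kernel: e1000: eth3 NIC Link is Up 1000 Mbps Full Duplex
Mar 6 11:31:00 test1 kernel: IN=eth3 OUT= MAC=00:0c:29:51:aa:e1:00:0c:29:a3:f5:fa:08:00 SRC=192.168.1.20 DST=192.168.1.6 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
EOF

# Keep only lines produced by the iptables LOG target: kernel messages that
# carry the IN= interface field and a SRC= address. Other kernel messages
# delivered by kern.* (like the NIC link line) are dropped here.
iptables_lines() {
    grep 'kernel: ' "$1" | grep ' IN=' | grep ' SRC='
}

# Count LOG hits per (prefix, SRC, PROTO). Output, highest count first:
# count<TAB>prefix<TAB>SRC<TAB>PROTO
summarize_by_src() {
    iptables_lines "$1" | awk '
    {
        # Text after "kernel: " is the raw LOG message: "<prefix> IN=..."
        rest = substr($0, index($0, "kernel: ") + 8)
        if (substr(rest, 1, 3) == "IN=")
            prefix = "(no prefix)"
        else
            prefix = substr(rest, 1, index(rest, " IN=") - 1)
        # Collect every KEY=VALUE token; a repeated key (ID=) keeps the last value
        split("", f)
        for (i = 1; i <= NF; i++)
            if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
        n[prefix "\t" f["SRC"] "\t" f["PROTO"]]++
    }
    END { for (k in n) printf "%d\t%s\n", n[k], k }' | sort -rn
}

# Number of LOG hits carrying a given --log-prefix (exact match, trailing space trimmed).
count_prefix() {
    summarize_by_src "$1" | awk -F'\t' -v p="$2" '$2 == p { s += $1 } END { print s + 0 }'
}

# Source address responsible for the most logged packets across all prefixes.
top_source() {
    summarize_by_src "$1" | awk -F'\t' '
        { s[$3] += $1 }
        END { for (a in s) if (s[a] > m) { m = s[a]; top = a } print top }'
}

# Run against the sample; on a real host point it at /var/log/iptables.log.
summarize_by_src "$SAMPLE_LOG"
echo "busiest source: $(top_source "$SAMPLE_LOG")"
```

The first grep stage is what makes the kern.* configuration usable: everything the kernel says ends up in the same file, so the parser has to recognise LOG output by its field layout before counting. Remove the temporary file when done.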