
I have several log agents with iptables logging rules and a default rsyslog config. Rsyslog sends the logs to the central server.

Iptables rule:

iptables -A INPUT -j LOG --log-prefix "INPUT:DROP:" --log-level 6

Now log message looks like this:

Aug  6 14:38:08 localhost kernel: INPUT:DROP:IN=eth0 OUT= MAC=52:54:00:26:10:60: SRC=10.0.2.2 DST=10.0.2.15 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=22131 PROTO=TCP SPT=53998 DPT=22 WINDOW=65535 RES=0x00 ACK PSH URGP=0 

How can I append the log agent IP address and the log agent MAC address to every log message? Traffic arrives on the agents where dst != log agent ip.


The information that is to be added to the log message is known at the time the iptables rule is installed, isn't it? Then why not add it to the --log-prefix option? For example:

# IP and MAC of this agent; ${var?} makes the shell abort if either is unset
ip_=192.0.2.1
mac_=$(cat /sys/class/net/eth0/address)
iptables -A INPUT -j LOG --log-prefix "${ip_?}:${mac_?}:INPUT:DROP:" --log-level 6
  • Thanks for the answer. I did so with IP but --log-prefix maximum length is 29 characters so mac will not fit.
    – mg3
    Commented Aug 7, 2019 at 13:15
  • Didn't know that. You could do sed "s/://g" on the mac address to make it shorter.
    Commented Aug 7, 2019 at 14:15
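A worked version of the approach above, added here and not part of the original question or answer: iptables rejects any --log-prefix longer than 29 characters (the prefix field in the LOG target is 30 bytes including the terminator), so the "${ip_?}:${mac_?}:INPUT:DROP:" string from the answer cannot be installed as written, and even with the colons stripped from the MAC the "INPUT:DROP:" tag still pushes a 9-character IP over the limit. The script builds the prefix with a length check that fails loudly instead of letting iptables reject the rule, and shows how the central server can split the agent IP and MAC back out of the resulting kernel log line. The function names, the agent IP/MAC values and the sample log line are constructed for the example; the 29-character limit is iptables' own.

```shell
#!/bin/sh
# Added example, not from the original post: build an iptables --log-prefix
# that carries the agent's IP and MAC, and parse it back out of the kernel
# log line on the central server. iptables rejects any --log-prefix longer
# than 29 characters.

# log_prefix IP MAC TAG -> prints the prefix, or fails if it exceeds 29 chars.
log_prefix() {
    lp_ip=$1
    lp_mac=$2
    lp_tag=$3
    # Drop the colons from the MAC (17 -> 12 chars), as suggested in the comments.
    lp_mac_short=$(printf '%s' "$lp_mac" | tr -d ':')
    lp_prefix="${lp_ip}:${lp_mac_short}:${lp_tag}"
    if [ "${#lp_prefix}" -gt 29 ]; then
        printf 'prefix "%s" is %d chars; iptables allows at most 29\n' \
            "$lp_prefix" "${#lp_prefix}" >&2
        return 1
    fi
    printf '%s\n' "$lp_prefix"
}

# parse_agent LINE -> prints "IP MAC" recovered from a kernel log line that was
# produced with a log_prefix prefix; the colons are put back into the MAC.
parse_agent() {
    # The prefix is everything between "kernel: " and "IN=" (it contains no spaces).
    pa_prefix=$(printf '%s\n' "$1" | sed -n 's/.*kernel: \([^ ]*\)IN=.*/\1/p')
    pa_ip=${pa_prefix%%:*}
    pa_rest=${pa_prefix#*:}
    pa_mac_short=${pa_rest%%:*}
    pa_mac=$(printf '%s\n' "$pa_mac_short" | sed 's/\(..\)/\1:/g; s/:$//')
    printf '%s %s\n' "$pa_ip" "$pa_mac"
}

# Constructed values standing in for a real agent; on the agent itself you
# would use e.g. mac=$(cat /sys/class/net/eth0/address).
AGENT_IP=192.0.2.1
AGENT_MAC=52:54:00:26:10:60

# The answer's "INPUT:DROP:" tag does not fit even with the MAC shortened
# (9 + 1 + 12 + 1 + 11 = 34 chars) ...
log_prefix "$AGENT_IP" "$AGENT_MAC" "INPUT:DROP:" || echo "-> shorten the tag"
# ... a four-character tag does (9 + 1 + 12 + 1 + 4 = 27 chars).
PREFIX=$(log_prefix "$AGENT_IP" "$AGENT_MAC" "I:D:")
printf 'iptables -A INPUT -j LOG --log-prefix "%s" --log-level 6\n' "$PREFIX"

# Constructed kernel log line, in the same shape as the one in the question.
SAMPLE_LINE="Aug  6 14:38:08 localhost kernel: ${PREFIX}IN=eth0 OUT= MAC=52:54:00:26:10:60: SRC=10.0.2.2 DST=10.0.2.15 LEN=76 PROTO=TCP SPT=53998 DPT=22"
parse_agent "$SAMPLE_LINE"   # prints: 192.0.2.1 52:54:00:26:10:60
```

Note the budget: a 15-character IPv4 address plus the 12-character compressed MAC and two separators is exactly 29, leaving no room for any rule tag at all, so on such agents you either drop one separator, hex-encode the IP (8 characters) or let rsyslog on the central server record the sender instead of packing it into the prefix.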
