
I have many iptables rules that will log offending packets. My logs go to /var/log/iptables.log, but the logs appear in 24-hour time: Mar 13 00:13:55 kernel: DROPPED Attempted ping. I would like them to appear in 12-hour AM/PM time. I already found a way to get the date and time the rule was offended in the log with --log-prefix "$(date +%B" "%d" "%r) DROPPED Port scan:. My issue is that the iptables --log-prefix is limited to 29-30 characters; I need a way to change the max length of the --log-prefix option. I've tried editing the source and re-compiling, but I get errors (only when using -j LOG) saying something is the wrong version (even though the source is the same version as the release I had before).

1 Answer


I already found a way to get the date and time the rule was offended in the log with --log-prefix "$(date +%B" "%d" "%r)

No, that just provides date and time the rule was created. If you use this, you'll just keep getting messages with the exact same timestamp forever.

iptables rules aren't evaluated by the shell for every single packet; they're processed once, uploaded to the kernel, and so the kernel would need to support any sort of expansions within the log-prefix.

(But it won't, because -j LOG messages go to the kernel log which already has numeric timestamps, and it's the job of the log collector software to convert them into your preferred format.)

My logs go to /var/log/iptables.log but the logs appear in 24-hour time: [...] I would like them to appear in 12-hour AM/PM time

The files /var/log/*.log are normally created by a syslog service (e.g. syslog-ng, rsyslog, sysklogd). Edit their configuration in order to change the timestamp format.

For example, if your logs are collected by syslog-ng, define a template:

# Template for the file: 12-hour clock with AM/PM. HOUR12 and AMPM are
# built-in syslog-ng macros, as are DAY/YEAR/MONTH/MIN/SEC and MSGHDR/MSG.
template t_12hour_file {
    template("[$DAY/$YEAR/$MONTH $HOUR12:$MIN:$SEC $AMPM] $MSGHDR$MSG\n");
};
destination d_iptables {
    file("/var/log/iptables.log" template(t_12hour_file));
};
# Route kernel-facility messages (where -j LOG output ends up) to that file.
# s_src stands for whatever local source your existing config already defines.
filter f_kern { facility(kern); };
log { source(s_src); filter(f_kern); destination(d_iptables); };

See also rsyslog.
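The answer's point is that the 12-hour rendering belongs in whatever collects or reads the kernel log, not in the iptables rule. As an added example, not part of this answer or of any iptables or syslog project, the following Python script takes kern.log-style lines (the sample lines, the host name `gateway` and the KEY=VALUE fields after the prefix are constructed to mirror what the LOG target appends), rewrites the classic syslog timestamp into 12-hour AM/PM (the caller supplies the year, since that timestamp format carries none), and tallies drops per prefix and source address so the log is also useful for review, not only for display.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in classic syslog/kern.log layout (not from a real host).
# The KEY=VALUE fields mirror what the iptables LOG target appends after --log-prefix.
SAMPLE_LOG = """\
Mar 13 00:13:55 gateway kernel: DROPPED Attempted ping IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
Mar 13 12:00:01 gateway kernel: DROPPED Port scan: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40212 DPT=23
Mar 13 23:59:59 gateway kernel: DROPPED Port scan: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40213 DPT=2323
"""

# "Mon DD HH:MM:SS host kernel: message" -- the layout rsyslog/syslog-ng write by default.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: (?P<msg>.*)$"
)
# KEY=VALUE pairs emitted by the LOG target; the value may be empty (e.g. "OUT=").
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def to_12_hour(ts, year):
    """Convert 'Mar 13 00:13:55' to '03/13/<year> 12:13:55 AM'.

    The classic syslog timestamp has no year, so the caller supplies one
    (it is an assumption of this example, not something the log provides).
    """
    dt = datetime.strptime(f"{ts} {year}", "%b %d %H:%M:%S %Y")
    return dt.strftime("%m/%d/%Y %I:%M:%S %p")


def parse_line(line):
    """Split one kernel log line into timestamp, host, log prefix and LOG fields.

    Returns None for lines that are not in the expected layout.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    fields = {k: v for k, v in KV_RE.findall(msg)}
    first = KV_RE.search(msg)
    # Everything before the first KEY=VALUE pair is the --log-prefix text.
    prefix = msg[: first.start()].rstrip() if first else msg.rstrip()
    return {"ts": m.group("ts"), "host": m.group("host"),
            "prefix": prefix, "fields": fields, "msg": msg}


def reformat_log(text, year):
    """Rewrite each line with a 12-hour AM/PM timestamp; unknown lines pass through."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            out.append(line)
            continue
        out.append(f"{to_12_hour(rec['ts'], year)} {rec['host']} kernel: {rec['msg']}")
    return out


def summarize(text):
    """Count dropped packets per (log prefix, source address) for quick review."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["prefix"], rec["fields"].get("SRC", ""))] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in reformat_log(SAMPLE_LOG, 2020):
        print(line)
    for (prefix, src), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {prefix:<24} from {src}")
```

The prefix is recovered from the message rather than from the rule, which is why the 29-character --log-prefix limit never matters here: the timestamp is already in the line, and anything beyond a short label is better added at read time than squeezed into the rule.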

  • The script that shows the date/time the rule was offended does work, I've tested it. I've also read that there is no way to change the format of the time in syslog
    – Ecstasy
    Commented Mar 13, 2020 at 14:28
  • All that aside, I think blocking "Attempted ping" is already a bit silly; blocking and logging ping attempts twice as much. Commented Mar 13, 2020 at 14:28
  • No, there's only no way to change the format in the syslog network protocol (which has to be fixed because the sender and receiver must agree), but it is perfectly possible to change the format in the syslog files. It does work; I've tested it. Commented Mar 13, 2020 at 14:29
  • What files need to be changed to make my iptables logs (they appear in kern.log) appear in 12 hour time?
    – Ecstasy
    Commented Mar 13, 2020 at 14:34
  • Well, what syslog daemon are you using to generate the kern.log file? Commented Mar 13, 2020 at 14:35
