how to log iptables events

warning level:

iptables -A INPUT -j LOG --log-prefix "BAD_INPUT: " --log-level 4
iptables -A FORWARD -j LOG --log-prefix "BAD_FORWARD: " --log-level 4
iptables -A OUTPUT -j LOG --log-prefix "BAD_OUTPUT: " --log-level 4

commonly used examples

ip6tables -t raw -I PREROUTING -j LOG --log-prefix "prerouting-raw: " --log-level 4
ip6tables -t nat -I PREROUTING -j LOG --log-prefix "prerouting-nat: " --log-level 4

ip6tables -t mangle -I INPUT -j LOG --log-prefix "input-mangle: " --log-level 4
ip6tables -t filter -I INPUT -j LOG --log-prefix "input-filter: " --log-level 4

ip6tables -t mangle -I FORWARD -j LOG --log-prefix "forward-mangle: " --log-level 4

ip6tables -t filter -I OUTPUT -j LOG --log-prefix "output-filter: " --log-level 4

ip6tables -t nat -I POSTROUTING -j LOG --log-prefix "postrouting-nat: " --log-level 4
ip6tables -t mangle -I POSTROUTING -j LOG --log-prefix "postrouting-mangle: " --log-level 4
ip6tables -t mangle -A POSTROUTING -j LOG --log-prefix "postrouting-mangle-end: " --log-level 4

CentOS 7 uses systemd's journald as the default logs system, and with this the kernel logs (like the ones from iptables) are not directed to /var/log/messages but to journald and should be displayed by passing the -k (meaning kernel logs) to journalctl like this:

journalctl -k

日志如果太多， 可以清空再跑 (不太靠谱，经常搞死journal)

rm /run/log/journal/* -rf;systemctl restart systemd-journald

还是用这个参数：

-S --since=DATE          Show entries not older than the specified date

Ref:

https://unix.stackexchange.com/questions/423778/log-iptables-events-on-centos-7