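# /etc/rsyslog.d/iptables.conf
#
# Routes netfilter LOG-target messages (identified by the --log-prefix text,
# "iptables ...") into per-category files under /var/log/iptables/.
#
# Ordering matters: rsyslog evaluates rules top to bottom and `stop` ends
# processing for the current message. In the previous version the generic
# "dropped or rejected -> troubleshoot.log; stop" rule came BEFORE the
# spoof/flood/127.0.0.0/8 rules, so messages such as "iptables dropped spoof: "
# (which also contain " iptables dropped") stopped at troubleshoot.log and never
# reached attack.log. The "rejected" rule also carried a `stop`, which made the
# "or ... rejected" half of the troubleshoot rule dead. Specific categories now
# come first; the generic dropped/rejected bucket is last.
#
# Patterns are case-sensitive substring matches against $msg and must match the
# --log-prefix strings used by the firewall rules exactly. Two quirks are kept
# on purpose because changing them here would silently break matching if the
# firewall script really emits them that way -- confirm against it:
#   * 'iptables droped SSH flood: '  (single "p")
#   * the SSH/HTTP/HTTPS/127.0.0.0/8 prefixes have no leading space, unlike
#     every other pattern in this file.
#
# Hardening notes:
#   * Only kernel-facility messages are considered. Matching on $msg alone
#     lets any local process (`logger "iptables attack dropped: ..."`) plant
#     entries in attack.log; restricting to facility kern narrows that to
#     sources that can speak with the kern facility (imklog, or a remote
#     sender if this host accepts network syslog). It is not a substitute for
#     authenticating remote senders. Drop this guard if your netfilter logs
#     arrive with a different facility (e.g. via ulogd).
#   * The omfile actions inherit the global $FileCreateMode/$DirCreateMode.
#     These files reveal firewall policy and network topology; if the global
#     default is more permissive than 0640/0750, set fileCreateMode="0640"
#     and dirCreateMode="0750" on the actions below.

if ( $syslogfacility-text == 'kern' ) then {

    # Every iptables message, regardless of category. No `stop`, so the
    # category rules below still run for the same message.
    if ( $msg contains ' iptables ' ) then {
        action(type="omfile" file="/var/log/iptables/all.log")
    }

    # --- Specific categories first; each ends processing for the message. ---

    if ( $msg contains ' iptables clutter dropped: ' ) then {
        action(type="omfile" file="/var/log/iptables/clutter.log")
        stop
    }

    # Attack-classified drops. Because this rule stops, flood/spoof drops land
    # in all.log and attack.log only, not in drop.log/troubleshoot.log. Move
    # this rule below the generic bucket if you want them there as well.
    if ( $msg contains ' iptables attack dropped: '
         or $msg contains ' iptables dropped spoof: '
         or $msg contains 'iptables droped SSH flood: '
         or $msg contains 'iptables dropped HTTP flood: '
         or $msg contains 'iptables dropped HTTPS flood: '
         or $msg contains 'iptables dropped 127.0.0.0/8, from non localhost: ' ) then {
        action(type="omfile" file="/var/log/iptables/attack.log")
        stop
    }

    if ( $msg contains ' iptables allowed DHCP: ' ) then {
        action(type="omfile" file="/var/log/iptables/dhcp.log")
        stop
    }

    # --- Generic dropped / rejected bucket, evaluated last. ---
    # A dropped message goes to drop.log AND troubleshoot.log; a rejected one
    # goes to reject.log AND troubleshoot.log. Neither of the first two rules
    # may `stop`, or the troubleshoot copy is lost.

    if ( $msg contains ' iptables dropped' ) then {
        action(type="omfile" file="/var/log/iptables/drop.log")
    }

    if ( $msg contains ' iptables rejected' ) then {
        action(type="omfile" file="/var/log/iptables/reject.log")
    }

    if ( $msg contains ' iptables dropped' or $msg contains ' iptables rejected' ) then {
        action(type="omfile" file="/var/log/iptables/troubleshoot.log")
        stop
    }
}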