The first thing to do is install psad:

sudo apt-get install psad

Now edit the config file:

sudo nano /etc/psad/psad.conf

Change “ENABLE_SYSLOG_FILE Y;” to “ENABLE_SYSLOG_FILE N;”. We will not need psad to read our syslog.

Another setting to review right now depending on your environment is “EMAIL_ALERT_DANGER_LEVEL”.

Set the email at the top of the config file or leave the default, root. I have root’s mail set to forward to my real email address. To forward root (or any user’s) mail: place a file named “.forward” in their home folder. Inside the file enter the email address where the mail is to go.

Restart psad:

sudo /etc/init.d/psad restart

Next: configure iptables to log the non-legitimate packets. The logging rules need to go after the accept rules but before the drop. Confusing? It was for me.

For example, my default policy for INPUT and FORWARD is to DROP. After this my accept rules for specific ports are appended. Meaning our logging rules must go at the end of the file, before they are dropped because the packets were not accepted by any previous rules.

$IPT -A INPUT -j LOG --log-prefix "firewall1 "
$IPT -A FORWARD -j LOG --log-prefix "firewall1 "

The prefix is going to allow rsyslog to filter the messages. After applying the log rules it is possible to view the end of the syslog to see if logging is working.

sudo tail /var/log/syslog

The last step is for rsyslog to send the messages that contain “firewall1″ to psad’s pipe.

sudo nano /etc/rsyslog.d/50-default.conf

We are going to place our rules at the top of the file. That way we can stop “firewall1″ messages from making it to any other logs.

:msg, contains, "firewall1" |/var/lib/psad/psadfifo
:msg, contains, "firewall1" ~

Note: the ~ means to discard.

That’s it! Restart rsyslog:

sudo restart rsyslog

To view psad’s status:

sudo psad --Status

source