Posted 6 Months, 3 Weeks ago
Linda2
Senior Boarder
Posts: 70
Hi,

Is it possible to log all iptables messages to a separate file, and if so, what entries should I put in the syslog.conf file?

thanks,
Posted 6 Months, 3 Weeks ago
mystic_moose
Senior Boarder
Posts: 66
I suppose so, but I have not figured out how (I have not tried).

You do it in /etc/syslog.conf

At the moment, mine says, inter alia,

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none;cron.none    /var/log/messages

# Log all the mail messages in one place.
mail.*                                                /var/log/maillog

Now the man page for syslog.conf says, inter alia,

SELECTORS

The selector field itself again consists of two parts, a facility and a priority, separated by a period ('.'). Both parts are case insensitive and can also be specified as decimal numbers, but don't do that, you have been warned. Both facilities and priorities are described in syslog(3). The names mentioned below correspond to the similar LOG_-values in /usr/include/syslog.h.

The facility is one of the following keywords: auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp and local0 through local7. The keyword security should not be used anymore and mark is only for internal use and therefore should not be used in applications. Anyway, you may want to specify and redirect these messages here. The facility specifies the subsystem that produced the message, i.e. all mail programs log with the mail facility (LOG_MAIL) if they log using syslog.

The priority is one of the following keywords, in ascending order: debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg). The keywords error, warn and panic are deprecated and should not be used anymore. The priority defines the severity of the message.

The behavior of the original BSD syslogd is that all messages of the specified priority and higher are logged according to the given action. This syslogd(8) behaves the same, but has some extensions.

In addition to the above mentioned names the syslogd(8) understands the following extensions: An asterisk ('*') stands for all facilities or all priorities, depending on where it is used (before or after the period). The keyword none stands for no priority of the given facility.

So it seems to me that unless iptables uses some unique one of these (and my guess is that it does not, but uses kern), it is no go unless you diddle the kernel to make it use something like local0 through local7 instead. I sure did not look at the kernel to check this. And I am assuming that the local[0-7], or at least one of them, is not used at the moment.

In my iptables setup, I have log lines that look like this:
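Added example, not posted by anyone in this thread: a small Python evaluator for the classic BSD/sysklogd syslog.conf selector syntax the man page excerpt above describes (facility.priority, ';'-separated selectors, '*' and 'none', "this priority and higher"). It is a way to check on paper where a message lands before touching a live syslogd. The two config texts are constructed for the example; the first reproduces the two lines quoted above, the second adds a kern.none exclusion plus a kern.* line to a hypothetical /var/log/kern.log. The only outside facts it relies on are that iptables LOG output is emitted by the kernel, i.e. with facility kern (as the thread says), and that the LOG target's default --log-level is warning. It does not implement sysklogd's '=' and '!' extensions or rsyslog's property-based filters.

```python
# Added example, not from the thread: evaluate classic syslog.conf selectors
# to see which files a message with a given facility/priority reaches.
from typing import Dict, List, Tuple

FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail",
              "mark", "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]
FACILITY_ALIASES = {"security": "auth"}

# Ascending severity, per syslog.conf(5); deprecated spellings map onto these.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIORITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

Rule = Tuple[Dict[str, int], str]  # (facility -> minimum priority rank, action)


def priority_rank(name: str) -> int:
    name = PRIORITY_ALIASES.get(name.lower(), name.lower())
    if name not in PRIORITIES:
        raise ValueError(f"unknown priority: {name}")
    return PRIORITIES.index(name)


def canonical_facility(name: str) -> str:
    name = FACILITY_ALIASES.get(name.lower(), name.lower())
    if name not in FACILITIES:
        raise ValueError(f"unknown facility: {name}")
    return name


def parse_conf(text: str) -> List[Rule]:
    """Parse syslog.conf text into (threshold table, action) rules, in file order."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        table: Dict[str, int] = {}
        # Selectors apply left to right; a later entry for the same facility
        # overrides an earlier one, which is how "*.info;mail.none" means
        # "everything at info and above, except mail".
        for sel in selector.split(";"):
            fac_part, pri_part = sel.split(".", 1)
            facs = FACILITIES if fac_part == "*" else [canonical_facility(f) for f in fac_part.split(",")]
            pri = pri_part.lower()
            for fac in facs:
                if pri == "none":
                    table.pop(fac, None)             # no priority of this facility
                elif pri == "*":
                    table[fac] = 0                   # every priority, debug and up
                else:
                    table[fac] = priority_rank(pri)  # this priority and higher
        rules.append((table, action.strip()))
    return rules


def destinations(rules: List[Rule], facility: str, priority: str) -> List[str]:
    """Return the actions (files) a message with this facility/priority reaches."""
    fac = canonical_facility(facility)
    rank = priority_rank(priority)
    return [action for table, action in rules if fac in table and rank >= table[fac]]


# Constructed config 1: the two lines quoted in the thread, nothing else.
MESSAGES_ONLY = """
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none;cron.none   /var/log/messages
# Log all the mail messages in one place.
mail.*                                               /var/log/maillog
"""

# Constructed config 2: keep kernel messages out of /var/log/messages and
# send everything the kernel says (iptables LOG output included) to a
# hypothetical /var/log/kern.log.
SPLIT_KERNEL = """
*.info;mail.none;news.none;authpriv.none;cron.none;kern.none   /var/log/messages
mail.*                                                         /var/log/maillog
kern.*                                                         /var/log/kern.log
"""


def iptables_destinations(conf_text: str) -> List[str]:
    # iptables' LOG target logs via the kernel (facility kern); its default
    # --log-level is warning.
    return destinations(parse_conf(conf_text), "kern", "warning")


if __name__ == "__main__":
    print(iptables_destinations(MESSAGES_ONLY))  # ['/var/log/messages']
    print(iptables_destinations(SPLIT_KERNEL))   # ['/var/log/kern.log']
```

Two things the evaluator makes visible: without the kern.none exclusion, a kern.* line gives you the iptables lines twice (in messages and in the new file), and because every kernel message carries facility kern, the separate file also receives non-iptables kernel output. A --log-prefix on the LOG rule is the usual way to make the iptables lines easy to pick out of that file with grep.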
Posted 6 Months, 3 Weeks ago
10stone5
Senior Boarder
Posts: 73
Hi Tom -

On Wed, 11 Jun 2003 09:24:53 +0200, 'Tom Van Overbeke'

iptables messages come from the kernel. I'm not aware of any way to separate them from other kernel messages.

I use
Copyright © 2006 - Dec 2008 My Linux Gang