It's actually very simple to set up.
The default configuration is set up to be the same as (the old) syslog, and these are the extra rules I added.
Code:
# destination: iptables lines get their own file
destination df_iptables { file("/var/log/iptables"); };
# filter: select messages containing the prefix given to the iptables LOG target
filter f_iptables { match(".*IPTABLES.*"); };
# log path: route matching messages to the file and stop processing them (final)
log {
    source(s_all);
    filter(f_iptables);
    destination(df_iptables);
    flags(final);
};
This last rule needs to be put BEFORE the "syslog" one, as the "final" flag prevents the iptables logs from going into syslog. Useful if you have a lot of them.
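As an added example (not part of the post above), here is a fuller syslog-ng.conf fragment showing the ordering point in context: the iptables path with flags(final) sits before the catch-all "syslog" path, and the filter is matched against the prefix set with iptables' --log-prefix. The source/filter/destination names s_all, f_syslog and df_syslog follow the Debian stock config of that era; they are assumptions, so check them against your own file. The match() form with value("MESSAGE") is the syslog-ng 3.x syntax; the bare match(".*IPTABLES.*") used in the post is the older 2.x form.

```conf
# Added example, not from the original post. Names s_all / f_syslog /
# df_syslog are assumed to match the Debian stock syslog-ng.conf.

# Source as shipped: the kernel ring buffer is where netfilter LOG lines arrive
source s_all {
    internal();
    unix-stream("/dev/log");
    file("/proc/kmsg" log_prefix("kernel: "));
};

# Stock catch-all syslog destination and filter
destination df_syslog { file("/var/log/syslog"); };
filter f_syslog { not facility(auth, authpriv); };

# iptables: give the LOG target a recognisable prefix on the firewall side, e.g.
#   iptables -A INPUT -j LOG --log-prefix "IPTABLES DROP: "
# and select exactly those messages here.
destination df_iptables { file("/var/log/iptables"); };
filter f_iptables { match("IPTABLES" value("MESSAGE")); };   # 2.x: match(".*IPTABLES.*")

# This path MUST come before the catch-all below: flags(final) ends processing
# for every message that matches f_iptables, so it never reaches df_syslog.
log {
    source(s_all);
    filter(f_iptables);
    destination(df_iptables);
    flags(final);
};

# Everything else, including the stock "syslog" path, follows.
log {
    source(s_all);
    filter(f_syslog);
    destination(df_syslog);
};
```

Before reloading, check the syntax with `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf`; then send a test line with `logger -p kern.warning "IPTABLES DROP: test"` and confirm it appears in /var/log/iptables and not in /var/log/syslog. If the order of the two log paths is swapped, the same test line shows up in both files. Remember to add /var/log/iptables to logrotate, since a busy firewall fills it quickly.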