iptables -N LOGGINGCHAIN
iptables -A LOGGINGCHAIN -m limit --limit 20/min -j LOG --log-prefix "iptables: logging: " --log-level 7
iptables -A INPUT -s 10.0.3.19/32 -j LOGGINGCHAIN
Note: We did log-level 7 (debug) because log level 6 is info, and most /etc/rsyslog.conf's have *.info go to /var/log/messages and we don't want to spam /var/log/messages with iptables info.
So instead we add something to /etc/rsyslog.d/ for logging these packets:
cat << EOF > /etc/rsyslog.d/10-iptables.conf
That says anything that contains the string "iptables:" gets written down to /var/log/iptables.log .
Then restart syslog:
service rsyslog restart