diff --git a/README.md b/README.md index bfb750c..3f5fd3f 100755 --- a/README.md +++ b/README.md @@ -148,6 +148,12 @@ user.* -/var/log/user.log ``` The log will be output to the file /var/log/harbian-audit.log. +If you apply docs/configurations/etc.iptables.rules.v4.sh to your firewall rules, and want to print the iptables log to a separate log file, insert the following lines to rsyslog.conf: +``` +:msg,contains,"FW-" -/var/log/firewalllog.log +& stop +``` + ## After remediation (Very important) When exec --apply and set-hardening-level are set to 5 (the highest level), you need to do the following: diff --git a/bin/hardening/8.1.1.9_set_space_left_audit.sh b/bin/hardening/8.1.1.9_set_space_left_audit.sh index 78bd3e5..c87757e 100755 --- a/bin/hardening/8.1.1.9_set_space_left_audit.sh +++ b/bin/hardening/8.1.1.9_set_space_left_audit.sh @@ -6,6 +6,7 @@ # # 8.1.1.9 Set space left for auditd service (Scored) +# If the value of the "space_left" keyword is set to more than 25 percent of the total partition size, this is a finding. # Author : Samson wen, Samson # @@ -34,7 +35,7 @@ audit () { FNRET=3 else SETSIZE=$(grep "^space_left.=.*" $FILE | awk '{printf $3}') - if [ "${SETSIZE}" -lt "${LEFTSIZE}" ]; then + if [ "${SETSIZE}" -gt "${LEFTSIZE}" ]; then crit "Space left value: ${SETSIZE} is more than audit log filesystem 25%" FNRET=4 else diff --git a/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh b/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh index e8c50a6..5200794 100755 --- a/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh +++ b/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh 
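Review bot: The corrected `-gt` test on the changed line in the `@@ -34,7 +35,7 @@` hunk still receives whatever `awk '{printf $3}'` extracted from the `space_left` line, so a value not separated from `=` by single spaces, or a non-numeric token, yields an empty operand; `[ "" -gt "$LEFTSIZE" ]` then fails with "integer expression expected" and control drops into the `else` branch, which lies outside this hunk and is presumably the compliant path, so a malformed setting would likely be reported as passing. Consider validating before comparing, e.g. `if ! [[ "${SETSIZE}" =~ ^[0-9]+$ ]]; then crit "space_left has no numeric value"; FNRET=4` ahead of the `-gt` check, and quoting `"$FILE"` in the grep. `awk '{printf $3}'` also uses the extracted field as a printf format string; `awk '{print $3}'` is the safe form. audit()'s body starts before and continues after this hunk.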
@@ -84,7 +84,11 @@ check_config() { -a always,exit -F dir=/etc/sysconfig/ip6tables -F perm=wa -k config_file_change -a always,exit -F dir=/etc/sysconfig/ip6tables-config -F perm=wa -k config_file_change -a always,exit -F dir=/etc/sysconfig/iptables-config -F perm=wa -k config_file_change --a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change' +-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change +-a always,exit -F path=/etc/rsyslog.conf -F perm=wa -k config_file_change +-a always,exit -F path=/etc/audisp/plugins.d/au-remote.conf -F perm=wa -k config_file_change +-a always,exit -F path=/etc/logrotate.conf -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/logrotate.d/ -F perm=wa -k config_file_change' # Debian else AUDIT_PARAMS='-a always,exit -F path=/etc/audisp/audisp-remote.conf -F perm=wa -k config_file_change @@ -99,7 +103,11 @@ check_config() { -a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change -a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change -a always,exit -F dir=/etc/iptables/ -F perm=wa -k config_file_change --a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change' +-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change +-a always,exit -F path=/etc/rsyslog.conf -F perm=wa -k config_file_change +-a always,exit -F path=/etc/audisp/plugins.d/au-remote.conf -F perm=wa -k config_file_change +-a always,exit -F path=/etc/logrotate.conf -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/logrotate.d/ -F perm=wa -k config_file_change' fi } diff --git a/docs/configurations/etc.iptables.rules.v4.sh b/docs/configurations/etc.iptables.rules.v4.sh index 599f23d..d843904 100644 --- a/docs/configurations/etc.iptables.rules.v4.sh +++ b/docs/configurations/etc.iptables.rules.v4.sh 
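Review bot: The new `-F path=/etc/rsyslog.conf` watch added in both hunks of this file (the sysconfig branch at `@@ -84,7 +84,11 @@` and the Debian branch at `@@ -99,7 +103,11 @@`) leaves `/etc/rsyslog.d/` unwatched, although drop-in files there are typically included by rsyslog.conf and alter where logs go just as much as the main file does. The parallel logrotate entries already handle this with a directory watch, `-F dir=/etc/logrotate.d/`, so the same shape fits here: add `-a always,exit -F dir=/etc/rsyslog.d/ -F perm=wa -k config_file_change` next to the rsyslog.conf rule in both AUDIT_PARAMS blocks. The enclosing check_config() starts before the first hunk.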
@@ -43,18 +43,18 @@ $IPT -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $IPT -A INPUT -p icmp -m state --state RELATED -j ACCEPT -$IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options +$IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "FW-SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options $IPT -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT -$IPT -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options +$IPT -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "FW-SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options for PUB_IF in $PUB_IFS do # sync - $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Syn" + $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FW-Drop-Syn " $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP # Fragments - $IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets" + $IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FW-Fragments Packets " $IPT -A INPUT -i ${PUB_IF} -f -j DROP 
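Review bot: The new prefixes in this hunk and the next (`@@ -62,15 +62,15 @@`) mix two naming styles — `FW-Drop-Syn ` uses hyphens while `FW-Fragments Packets `, `FW-NULL Packets `, `FW-XMAS Packets ` and `FW-Fin Packets Scan ` keep spaces — and the rsyslog filter the README in this commit proposes keys only on the shared `FW-` substring, so anything that later splits firewalllog.log entries on whitespace sees a different token count per rule. One uniform scheme, e.g. `FW-DROP-SYN `, `FW-FRAG `, `FW-NULL `, `FW-XMAS `, `FW-FIN-SCAN `, keeps each prefix a single token and stays well under the kernel's 29-character `--log-prefix` limit. The enclosing `for PUB_IF` loop continues past the end of this hunk.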
@@ -62,15 +62,15 @@ do $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP - $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets" + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FW-NULL Packets " $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP - $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets" + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FW-XMAS Packets " $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS - $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan" + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FW-Fin Packets Scan " $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP 
@@ -91,19 +91,23 @@ do $IPT -A INPUT -p udp --dport 68 -m state --state NEW -j ACCEPT # $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT # $IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT + + # allow rsyslog and audit remote server + #$IPT -A INPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT + #$IPT -A INPUT -p udp --dport 60 -m state --state NEW -j ACCEPT # allow incoming ICMP ping pong stuff $IPT -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT # prevent ssh brute force attack - $IPT -A LOGDROP -j LOG + $IPT -A LOGDROP -j LOG --log-prefix "FW-LOGDROP " $IPT -A LOGDROP -j DROP # Log everything else # *** Required for psad **** -$IPT -A INPUT -j LOG -$IPT -A FORWARD -j LOG +$IPT -A INPUT -j LOG --log-prefix "FW-INPUT " +$IPT -A FORWARD -j LOG --log-prefix "FW-FORWARD " $IPT -A INPUT -j DROP exit 0
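Review bot: The commented-out rule `#$IPT -A INPUT -p udp --dport 60 -m state --state NEW -j ACCEPT` under "allow rsyslog and audit remote server" uses UDP, but audisp-remote's default transport is TCP on port 60, so enabling it as written would not admit the audit stream; `-p tcp --dport 60` is what the receiving server needs. Both rules are INPUT rules and therefore only matter on the host that receives the logs; a client shipping logs out needs nothing here unless the OUTPUT chain is restrictive, which this hunk does not show. For 514, the protocol should match how the remote rsyslog actually listens (TCP or UDP), and the comment above the rules should say so.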