iptables-parser/Readme.md

62 lines
1.6 KiB
Markdown
Raw Normal View History

# Iptables Log parser
2023-10-24 07:09:29 -04:00
## How To
2023-10-25 13:30:35 -04:00
### Setup
1. Enable the custom logging template on `/etc/rsyslog.conf` as follows.
```
template(name="MyIptablesTimestampFormat" type="string" string="tstamp=%timegenerated:::date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n")
if $msg startswith 'iptables:' then {
action(type="omfile" file="/var/log/iptables.log" template="MyIptablesTimestampFormat")
stop
}
```
2. Make sure your iptables rules are inline with the condition you use on `rsyslog.conf`. As example my iptables log file starts with `iptables:` string so my `rsyslog.conf` condition is `...startswith 'iptables:'...`.
```
iptables -A FORWARD -s 10.30.1.94/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: Vsphere "
iptables -A FORWARD -s 10.30.1.70/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: RHEL "
iptables -A FORWARD -s 10.30.1.52/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: Odoo "
iptables -A FORWARD -s 10.30.1.105/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: OPNsense "
```
### Build
```c=
mkdir lib
#Compile the library
make parse_lib.so
```
### Execute
```bash=
./wrapper.py
```
## Structure
2023-10-24 07:09:29 -04:00
### wrapper.py
Reads, iptables.log and calls the `lib/parser_lib.so`. Feed the parser library with lines from iptables log.
2023-10-24 07:09:29 -04:00
### lib/parser_lib.so
2023-10-24 07:09:29 -04:00
Process the sed like operation on the line by line feeded by `wrapper.py`.
Current parsed values are :
2023-10-25 13:30:35 -04:00
- TimeStamp
- Source IP
- Destination IP
- Packet Length
- Interface IN
- Interface OUT
- Protocol