Timestamp enabled

2023-10-26 00:30:35 +07:00 · 2023-10-26 00:30:35 +07:00 · f57d026192
commit f57d026192
parent ae93124c38
5 changed files with 44 additions and 3115 deletions
--- a/Readme.md
+++ b/Readme.md
@ -2,6 +2,28 @@
 ## How To
 ### Setup
 1. Enable the custom logging template on `/etc/rsyslog.conf` as follows.
    ```
    template(name="MyIptablesTimestampFormat" type="string" string="tstamp=%timegenerated:::date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n")
    if $msg startswith 'iptables:' then {
        action(type="omfile" file="/var/log/iptables.log" template="MyIptablesTimestampFormat")
        stop
    }
    ```
 2. Make sure your iptables rules are inline with the condition you use on `rsyslog.conf`. As example my iptables log file starts with `iptables:` string so my `rsyslog.conf` condition is `...startswith 'iptables:'...`.
    ```
    iptables -A FORWARD -s 10.30.1.94/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: Vsphere "
    iptables -A FORWARD -s 10.30.1.70/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: RHEL "
    iptables -A FORWARD -s 10.30.1.52/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: Odoo "
    iptables -A FORWARD -s 10.30.1.105/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: OPNsense "
    ```
 ### Build
 ```c=
@ -28,7 +50,7 @@ Reads, iptables.log and calls the  `lib/parser_lib.so`. Feed the parser library
 Process the sed like operation on the line by line feeded by `wrapper.py`.
 Current parsed values are :
-
+- TimeStamp
 - Source IP
 - Destination IP
 - Packet Length
--- a/example/iptables.log
+++ b/example/iptables.log
--- a/src/iptables_parser.c
+++ b/src/iptables_parser.c
@ -98,6 +98,9 @@ struct log_data *line_parse(char * line_dump){
 	    	//printf("%s-< STRUCT >-< %s >-%s\n", KGRN, data->src_ip, RESET);
            //printf("[%d]\t[ %s ]\t\t[ %s ] \n", v, str_final, newParam[1]);
 	    }
 	    if (strcmp(str_final,"tstamp") == 0){
            data->tstamp = strdup(newParam[1]);
 	    }
 	    if (strcmp(str_final,"DST") == 0){
            data->dst_ip = strdup(newParam[1]);
 	    }
--- a/src/struct.h
+++ b/src/struct.h
@ -10,6 +10,7 @@ typedef struct log_data {
    char *dst_port;
    char *src_port;
    char *proto;
    char *tstamp;
    char *len;
 }log_data;
--- a/wrapper.py
+++ b/wrapper.py
@ -2,6 +2,7 @@
 #from ctypes import *
 import ctypes
 import _ctypes
 from datetime import datetime
 import os
 class LogData(ctypes.Structure):
@ -15,6 +16,7 @@ class LogData(ctypes.Structure):
                ("dst_port", ctypes.c_char_p),
                ("src_port", ctypes.c_char_p),
                ("proto", ctypes.c_char_p),
                ("tstamp", ctypes.c_char_p),
                ("len", ctypes.c_char_p)
            ]
@ -86,18 +88,23 @@ def line_process():
    test_val = "HERRROOOO"
    for line in p_lines:
-        #print(line)
+        print(line)
        parser_arg = line.encode('utf-8')
        call_lib = clibrary.line_parse(parser_arg)
        time_hr = datetime.fromisoformat(call_lib.contents.tstamp.decode('utf-8'))
        time_hr = time_hr.strftime("%d-%m-%Y %H:%M:%S (%Z)")
        print("-"*30)
        print("TSTAMP ",time_hr)
        print("SRC ",call_lib.contents.src_ip.decode('utf-8'))
        print("DST ",call_lib.contents.dst_ip.decode('utf-8'))
        print("LEN ",call_lib.contents.len.decode('utf-8'))
        print("IFACE_IN ",call_lib.contents.iface_in.decode('utf-8'))
        print("IFACE_OUT ",call_lib.contents.iface_out.decode('utf-8'))
        #print("Source ",call_lib.contents.src_port.decode('utf-8'))
        #print("Source ",call_lib.contents.dst_port.decode('utf-8'))
        print("PROTO ",call_lib.contents.proto.decode('utf-8'))
        if (call_lib.contents.proto != b"ICMP"):
            print("SPT ",call_lib.contents.src_port.decode('utf-8'))
            print("DPT ",call_lib.contents.dst_port.decode('utf-8'))
        print()
        #_ctypes.dlclose(call_lib._handle)