Timestamp enabled
parent
ae93124c38
commit
f57d026192
24
Readme.md
24
Readme.md
@ -2,6 +2,28 @@
|
||||
|
||||
## How To
|
||||
|
||||
### Setup
|
||||
|
||||
|
||||
1. Enable the custom logging template on `/etc/rsyslog.conf` as follows.
|
||||
|
||||
```
|
||||
template(name="MyIptablesTimestampFormat" type="string" string="tstamp=%timegenerated:::date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n")
|
||||
if $msg startswith 'iptables:' then {
|
||||
action(type="omfile" file="/var/log/iptables.log" template="MyIptablesTimestampFormat")
|
||||
stop
|
||||
}
|
||||
```
|
||||
2. Make sure your iptables rules are inline with the condition you use on `rsyslog.conf`. As example my iptables log file starts with `iptables:` string so my `rsyslog.conf` condition is `...startswith 'iptables:'...`.
|
||||
|
||||
```
|
||||
iptables -A FORWARD -s 10.30.1.94/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: Vsphere "
|
||||
iptables -A FORWARD -s 10.30.1.70/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: RHEL "
|
||||
iptables -A FORWARD -s 10.30.1.52/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: Odoo "
|
||||
iptables -A FORWARD -s 10.30.1.105/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: OPNsense "
|
||||
```
|
||||
|
||||
|
||||
### Build
|
||||
|
||||
```c=
|
||||
@ -28,7 +50,7 @@ Reads, iptables.log and calls the `lib/parser_lib.so`. Feed the parser library
|
||||
Process the sed like operation on the line by line feeded by `wrapper.py`.
|
||||
|
||||
Current parsed values are :
|
||||
|
||||
- TimeStamp
|
||||
- Source IP
|
||||
- Destination IP
|
||||
- Packet Length
|
||||
|
3104
example/iptables.log
3104
example/iptables.log
@ -98,6 +98,9 @@ struct log_data *line_parse(char * line_dump){
|
||||
//printf("%s-< STRUCT >-< %s >-%s\n", KGRN, data->src_ip, RESET);
|
||||
//printf("[%d]\t[ %s ]\t\t[ %s ] \n", v, str_final, newParam[1]);
|
||||
}
|
||||
if (strcmp(str_final,"tstamp") == 0){
|
||||
data->tstamp = strdup(newParam[1]);
|
||||
}
|
||||
if (strcmp(str_final,"DST") == 0){
|
||||
data->dst_ip = strdup(newParam[1]);
|
||||
}
|
||||
|
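Review bot: The new `data->tstamp = strdup(newParam[1]);` stores the strdup() result unchecked, so an allocation failure leaves a NULL pointer in the struct that the ctypes caller in wrapper.py later hits as None; the neighbouring DST branch has the same shape, so the new line is consistent with the file, but a guard such as `if (!(data->tstamp = strdup(newParam[1]))) { /* follow line_parse's existing failure path */ }` would keep the field from silently being NULL. If the same key can occur twice on one log line, the first copy is leaked by the second assignment; a `free(data->tstamp);` before the assignment avoids that, assuming data is zero-initialised — how data and newParam are set up is outside this hunk, so confirm. line_parse begins before the hunk and its error convention is not visible here.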
@ -10,6 +10,7 @@ typedef struct log_data {
|
||||
char *dst_port;
|
||||
char *src_port;
|
||||
char *proto;
|
||||
char *tstamp;
|
||||
char *len;
|
||||
|
||||
}log_data;
|
||||
|
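Review bot: The new `char *tstamp;` member carries no comment stating that its position must match `LogData._fields_` in wrapper.py; ctypes performs no layout check, so a future field inserted in one place but not the other silently reads the wrong pointer rather than failing. A one-line note on the new member, `char *tstamp; /* order must match LogData._fields_ in wrapper.py */`, makes that coupling visible. It would also help to record ownership: the pointer appears to be filled by strdup in line_parse and the Python caller does not release it, so a comment such as `/* heap string from strdup(); freed by the caller of line_parse */` (or whatever the real contract is) should be confirmed against the allocation path, which is outside this hunk. The `typedef struct log_data` starts before the hunk.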
13
wrapper.py
13
wrapper.py
@ -2,6 +2,7 @@
|
||||
#from ctypes import *
|
||||
import ctypes
|
||||
import _ctypes
|
||||
from datetime import datetime
|
||||
import os
|
||||
|
||||
class LogData(ctypes.Structure):
|
||||
@ -15,6 +16,7 @@ class LogData(ctypes.Structure):
|
||||
("dst_port", ctypes.c_char_p),
|
||||
("src_port", ctypes.c_char_p),
|
||||
("proto", ctypes.c_char_p),
|
||||
("tstamp", ctypes.c_char_p),
|
||||
("len", ctypes.c_char_p)
|
||||
]
|
||||
|
||||
@ -86,18 +88,23 @@ def line_process():
|
||||
test_val = "HERRROOOO"
|
||||
|
||||
for line in p_lines:
|
||||
#print(line)
|
||||
print(line)
|
||||
parser_arg = line.encode('utf-8')
|
||||
call_lib = clibrary.line_parse(parser_arg)
|
||||
time_hr = datetime.fromisoformat(call_lib.contents.tstamp.decode('utf-8'))
|
||||
time_hr = time_hr.strftime("%d-%m-%Y %H:%M:%S (%Z)")
|
||||
print("-"*30)
|
||||
print("TSTAMP ",time_hr)
|
||||
print("SRC ",call_lib.contents.src_ip.decode('utf-8'))
|
||||
print("DST ",call_lib.contents.dst_ip.decode('utf-8'))
|
||||
print("LEN ",call_lib.contents.len.decode('utf-8'))
|
||||
|
||||
print("IFACE_IN ",call_lib.contents.iface_in.decode('utf-8'))
|
||||
print("IFACE_OUT ",call_lib.contents.iface_out.decode('utf-8'))
|
||||
#print("Source ",call_lib.contents.src_port.decode('utf-8'))
|
||||
#print("Source ",call_lib.contents.dst_port.decode('utf-8'))
|
||||
print("PROTO ",call_lib.contents.proto.decode('utf-8'))
|
||||
if (call_lib.contents.proto != b"ICMP"):
|
||||
print("SPT ",call_lib.contents.src_port.decode('utf-8'))
|
||||
print("DPT ",call_lib.contents.dst_port.decode('utf-8'))
|
||||
print()
|
||||
#_ctypes.dlclose(call_lib._handle)
|
||||
|
||||
|
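Review bot: The new `time_hr = datetime.fromisoformat(call_lib.contents.tstamp.decode('utf-8'))` in line_process assumes every parsed line carried a `tstamp=` field; a line the parser did not fill (for example one logged before the rsyslog template in the README was enabled) leaves `tstamp` NULL, which ctypes returns as None, so `.decode` raises AttributeError and the whole loop stops at the first such line. Guard the field before decoding and fall back to a placeholder, as in the excerpt below. `fromisoformat` parses the `YYYY-MM-DDTHH:MM:SS.ffffff+HH:MM` form only on Python 3.7+ and a trailing `Z` only on 3.11+, so the minimum interpreter version deserves a comment next to the call. The uncommented `print(line)` sitting directly under its commented-out twin `#print(line)` reads as a leftover debug print and should be removed or gated. line_process starts outside the hunk.
```python
call_lib = clibrary.line_parse(parser_arg)
raw_ts = call_lib.contents.tstamp
if raw_ts:
    # rsyslog date-rfc3339 output; fromisoformat needs Python 3.7+ (3.11+ for a 'Z' suffix)
    time_hr = datetime.fromisoformat(raw_ts.decode('utf-8')).strftime("%d-%m-%Y %H:%M:%S (%Z)")
else:
    time_hr = "n/a"  # line had no tstamp= field
# … unchanged: per-field print calls …
```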