# Iptables Log parser

## How To

### Setup

1. Enable the custom logging template in `/etc/rsyslog.conf` as follows.

```
template(name="MyIptablesTimestampFormat" type="string"
         string="tstamp=%timegenerated:::date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n")

if $msg startswith 'iptables:' then {
    action(type="omfile" file="/var/log/iptables.log" template="MyIptablesTimestampFormat")
    stop
}
```

2. Make sure your iptables rules are in line with the condition you use in `rsyslog.conf`. For example, my iptables log lines start with the `iptables:` string, so my `rsyslog.conf` condition is `...startswith 'iptables:'...`.

```bash
iptables -A FORWARD -s 10.30.1.94/32  -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: Vsphere "
iptables -A FORWARD -s 10.30.1.70/32  -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: RHEL "
iptables -A FORWARD -s 10.30.1.52/32  -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: Odoo "
iptables -A FORWARD -s 10.30.1.105/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: OPNsense "
```

### Build

```bash
mkdir lib
# Compile the library
make parse_lib.so
```

### Execute

```bash
./wrapper.py
```

## Structure

### wrapper.py

Reads `iptables.log` and calls `lib/parser_lib.so`, feeding the parser library with lines from the iptables log.

### lib/parser_lib.so

Performs the sed-like operations on each line fed to it by `wrapper.py`. Currently parsed values are:

- TimeStamp
- Source IP
- Destination IP
- Packet Length
- Interface IN
- Interface OUT
- Protocol
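The following is an added example, not the project's own `wrapper.py` or `parser_lib.so`: a Python parser that extracts the seven fields listed above from lines in the format the rsyslog template writes. The kernel's `KEY=value` LOG line layout is assumed, and the sample log lines (host `fw1`, the third being unrelated syslog noise) are constructed for the example.

```python
# Added example, not the project's code: parse iptables.log lines written by
# the rsyslog template above into the fields the Structure section lists.
import re
from datetime import datetime

# Constructed sample lines in the template's format; the third line is
# unrelated syslog noise that must be skipped, not crash the parser.
SAMPLE_LOG = (
    "tstamp=2024-05-01T12:34:56.123456+00:00 fw1 kernel: iptables: Vsphere "
    "IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=10.30.1.94 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=54321 DF PROTO=TCP SPT=44512 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0\n"
    "tstamp=2024-05-01T12:35:01.000000+00:00 fw1 kernel: iptables: RHEL "
    "IN= OUT=eth1 SRC=10.30.1.70 DST=192.168.0.1 LEN=84 TOS=0x00 PREC=0x00 "
    "TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1\n"
    "tstamp=2024-05-01T12:35:02.000000+00:00 fw1 sshd[123]: Accepted publickey\n"
)

# Header from the template (tstamp=<rfc3339> <host> <tag>), an optional
# printk "[secs]" stamp, the "iptables:" marker and the rule's own prefix text.
_HEAD_RE = re.compile(
    r"^tstamp=(?P<tstamp>\S+)\s+(?P<host>\S+)\s+(?P<tag>\S+)\s+"
    r"(?:\[\s*[\d.]+\]\s+)?iptables:\s*(?P<label>.*?)\s*(?=IN=)"
)
# KEY=value pairs from the kernel LOG target; bare flags (DF, SYN) have no '='.
_KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the parsed fields of one line, or None when the line is not an
    iptables entry in the expected format."""
    m = _HEAD_RE.match(line)
    if not m:
        return None
    kv = dict(_KV_RE.findall(line[m.end():]))
    if "SRC" not in kv or "DST" not in kv:
        return None
    try:
        ts = datetime.fromisoformat(m.group("tstamp"))
        length = int(kv.get("LEN", "0"))
    except ValueError:
        return None
    return {"timestamp": ts, "label": m.group("label"),
            "src": kv["SRC"], "dst": kv["DST"], "length": length,
            "in": kv.get("IN", ""), "out": kv.get("OUT", ""),  # one is empty on INPUT/OUTPUT
            "proto": kv.get("PROTO", "")}


def parse_log(text):
    """Parse a whole iptables.log, dropping lines that do not parse."""
    return [r for r in map(parse_line, text.splitlines()) if r]
```

Lines that fail to parse are dropped rather than raising, so one malformed entry in a large log does not stop the run.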