| example | ||
| src | ||
| .gitignore | ||
| iptables.log | ||
| Makefile | ||
| Readme.md | ||
| requirements.txt | ||
| wrapper.py | ||
Iptables Log parser
Features
Parse IPtables
...
Plot
- Plotly ( HTML return )
- Plotly Dash ( Interactive )
How To
Setup
-
Enable the custom logging template on
/etc/rsyslog.confas follows.template(name="MyIptablesTimestampFormat" type="string" string="tstamp=%timegenerated:::date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n") if $msg startswith 'iptables:' then { action(type="omfile" file="/var/log/iptables.log" template="MyIptablesTimestampFormat") stop } -
Make sure your iptables rules are inline with the condition you use on
rsyslog.conf. As example my iptables log file starts withiptables:string so myrsyslog.confcondition is...startswith 'iptables:'....iptables -A FORWARD -s 10.30.1.94/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: Vsphere " iptables -A FORWARD -s 10.30.1.70/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: RHEL " iptables -A FORWARD -s 10.30.1.52/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: Odoo " iptables -A FORWARD -s 10.30.1.105/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: OPNsense "
Build
mkdir lib
#Compile the library
make parse_lib.so
Execute
./wrapper.py
Structure
wrapper.py
Reads, iptables.log and calls the lib/parser_lib.so. Feed the parser library with lines from iptables log.
lib/parser_lib.so
Process the sed like operation on the line by line feeded by wrapper.py.
Current parsed values are :
- TimeStamp
- Source IP
- Destination IP
- Packet Length
- Interface IN
- Interface OUT
- Protocol