# Iptables Log parser

## How To

### Setup
1. Enable the custom logging template in `/etc/rsyslog.conf` as follows.

   ```
   template(name="MyIptablesTimestampFormat" type="string" string="tstamp=%timegenerated:::date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n")

   if $msg startswith 'iptables:' then {
       action(type="omfile" file="/var/log/iptables.log" template="MyIptablesTimestampFormat")
       stop
   }
   ```
2. Make sure your iptables rules are in line with the condition you use in `rsyslog.conf`. For example, my iptables log lines start with the string `iptables:`, so my `rsyslog.conf` condition is `...startswith 'iptables:'...`.

   ```
   iptables -A FORWARD -s 10.30.1.94/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: Vsphere "
   iptables -A FORWARD -s 10.30.1.70/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: RHEL "
   iptables -A FORWARD -s 10.30.1.52/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: Odoo "
   iptables -A FORWARD -s 10.30.1.105/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: OPNsense "
   ```
### Build

```bash
mkdir lib
# Compile the library
make parse_lib.so
```
### Execute

```bash
./wrapper.py
```
## Structure

### wrapper.py

Reads `iptables.log` and calls `lib/parser_lib.so`, feeding the parser library with the lines of the iptables log one at a time.
### lib/parser_lib.so

Performs the sed-like extraction on each line fed to it by `wrapper.py`.

Currently parsed values are:

- TimeStamp
- Source IP
- Destination IP
- Packet Length
- Interface IN
- Interface OUT
- Protocol
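A reference parser for the line format produced by the rsyslog template and the `--log-prefix` rules above, extracting exactly the fields listed. This is an added example in Python, not the project's `wrapper.py` or `parser_lib.so`; the log lines in `SAMPLE` are constructed, and the handling of the bracketed inner-packet fields that the LOG target emits for ICMP error messages goes beyond what the README describes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One line as written by the rsyslog template above: tstamp=<rfc3339> <host> <tag> <msg>
LINE_RE = re.compile(r"^tstamp=(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<tag>\S+)\s+(?P<msg>.*)$")
# KEY=value tokens emitted by the iptables LOG target (IN=, OUT=, SRC=, DST=, LEN=, PROTO=, ...)
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

@dataclass
class IptablesEvent:
    timestamp: str
    label: str   # free text after the prefix, e.g. "Vsphere"
    src: str
    dst: str
    length: int
    in_if: str
    out_if: str
    proto: str

def parse_line(line: str, prefix: str = "iptables:") -> Optional[IptablesEvent]:
    m = LINE_RE.match(line.strip())
    if not m or not m.group("msg").startswith(prefix):
        return None  # not a line selected by the rsyslog condition
    msg = m.group("msg")[len(prefix):].strip()
    first_kv = KV_RE.search(msg)
    label = msg[:first_kv.start()].strip() if first_kv else msg
    kv = {}
    for key, value in KV_RE.findall(msg):
        kv.setdefault(key, value)  # ICMP errors repeat SRC/DST/LEN in [...] for the inner packet; keep the outer header
    try:
        return IptablesEvent(m.group("ts"), label, kv["SRC"], kv["DST"], int(kv["LEN"]),
                             kv.get("IN", ""), kv.get("OUT", ""), kv.get("PROTO", ""))
    except (KeyError, ValueError):
        return None  # truncated or unexpected LOG line

def parse_log(text: str) -> List[IptablesEvent]:
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]

# Constructed sample of /var/log/iptables.log (not real traffic)
SAMPLE = """\
tstamp=2024-03-10T14:22:31.123456+01:00 fw01 kernel: iptables: Vsphere IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.30.1.94 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=43210 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
tstamp=2024-03-10T14:22:40.000000+01:00 fw01 kernel: iptables: RHEL IN=eth1 OUT=eth0 SRC=10.30.1.70 DST=192.168.0.20 LEN=88 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.0.20 DST=10.30.1.70 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=53 DPT=5353 LEN=40 ]
tstamp=2024-03-10T14:22:41.000000+01:00 fw01 kernel: Some other kernel message, skipped
"""

if __name__ == "__main__":
    for ev in parse_log(SAMPLE):
        print(ev)
```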