
[SOLVED] Iptables log plugin available?

14 replies

Last post Mar 11, 2012 04:13 AM by Reiniero

  • [SOLVED] Iptables log plugin available?

    Jan 19, 2012 02:13 AM|Reiniero|LINK

    Hi all,

    Just rediscovered the joy of logparser.

    I'm trying to analyze some IPTables firewall logs, and wonder whether anybody has developed a plugin for that (or a plugin for syslog which I could build on).

    If not, I'll probably look at writing my own.

    I realize it's probably not common to use logparser to analyze Linux firewall results as there are so many reporting solutions around, but... I just like logparser ;)

    Thanks

    Reinier


  • Re: Iptables log plugin available?

    Jan 20, 2012 07:22 PM|HCamper|LINK

    Hi

    The joy of logparser is the not-so-common cases, not just IIS Server logs.

    logparser can be used to analyze Linux firewall IPTables logs.

    [IPTABLES DROP] : IN=ppp0 OUT= MAC= SRC=172.186.2.157 DST=193.253.186.217 LEN=36 TOS=0x00 PREC=0x00 TTL=115 ID=4775 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3663

    Check the information at the SourceForge project: http://iptablelog.sourceforge.net/

    Cheers :)

    Martin

    Windows and Linux work Together IT-Pros
    Community Member Award 2011
  • Re: Iptables log plugin available?

    Jan 21, 2012 04:45 AM|Reiniero|LINK

    Thanks for the quick reply, Martin. As far as I can tell, that tool requires ulogd to dump iptables logs into a mysql database. Of course, I could then use logparser with the ODBC plugin I have seen around here to try and analyse it. This would be a feasible way of doing it, but I don't want to install extraneous packages on my firewall appliance if I can avoid it. Perhaps I misunderstood the project information; if so, please let me know.

    To clarify what I'm looking for: I'm looking for a way to parse the iptables file output (in /var/log/messages, intertwined with other messages, or possibly in a separate file). If need be, I can periodically or when needed copy over the entire log, and I want to analyse that using logparser.

    After researching some, I found that the dshield.org project has released various parsers (in python, perl etc.) that parse that output and submit it to dshield.org. It should be possible to tweak those scripts so they dump output to a csv file. The next step would be to convert that script to an executable plugin for logparser...

    Any hints and suggestions warmly welcomed...

    Thanks,

    Reinier
  • Re: Iptables log plugin available?

    Jan 21, 2012 05:04 AM|HCamper|LINK

    Hi,

    I use "Linux" openSUSE and started searching SourceForge and found that project.

    You're looking for a way to parse "/var/log/messages" and then use log parser.

    This is "Linux"; a file is just a file: /var/log/messages/ .

    How about using cat (http://www.computerhope.com/unix/ucat.htm) and adding line numbers?

    Then use "Linux" to convert to "Windows" format. I like this article:

    http://www.cyberciti.biz/faq/howto-unix-linux-convert-dos-newlines-cr-lf-unix-text-format/

    I suggest you try the above as a test, maybe as test-iptables.log.

    Not sure about extra scripts or tweaks?

    Cheers :),

    Martin
  • Re: Iptables log plugin available?

    Jan 21, 2012 05:39 AM|Reiniero|LINK

    Hi Martin,

    Thanks, sorry I wasn't clear enough. The above should not be a problem, but thanks for your time and effort in giving such a nice, documented reply. I can transfer files between my boxes using e.g. scp, and line conversion works as well.

    My problem is that the iptables output format in /var/log/syslog seems to have a different number of fields depending on what kind of thing is logged, so you can't simply use e.g. cut to cut out space-delimited field 20, as field 20 may have different meanings.

    Fortunately, there are a lot of scripts that already parse the output from which I can take inspiration...

    Thanks, Reinier
  • Re: Iptables log plugin available?

    Jan 21, 2012 05:50 AM|HCamper|LINK

    Hi Reinier,

    How long have you been using "Linux"?

    Martin
  • Re: Iptables log plugin available?

    Jan 21, 2012 05:51 AM|Reiniero|LINK

    Don't know, about 10 years (dabbled some with FreeBSD as well)

  • Re: Iptables log plugin available?

    Jan 21, 2012 05:59 AM|HCamper|LINK

    Hi,

    I started on "Linux" about 2003, RH9 :D.

    Cheers :)

    Martin
  • Re: Iptables log plugin available?

    Jan 23, 2012 02:55 AM|Reiniero|LINK

    I've written a small program that parses iptables firewall output (in rsyslog format; should work on syslog, may well work on syslog-ng) and writes the retrieved data to a csv file.

    This file can be read and analysed with LogParser.

    Download: https://bitbucket.org/reiniero/smalltools/downloads

    Notes: free, source code available.

    Compiled on Windows for now; should compile on Linux/FreeBSD/OSX with a recent Lazarus snapshot install (FreePascal 2.5 or higher).

    It generates output that seems correct; further testing required to verify it does what it says on the tin.

    Next up, I might look into writing an iptables read plugin for LogParser with this tool if that's not too difficult...

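The two posts above describe the core problem (netfilter lines carry a different number of fields per protocol, so positional tools like cut break) and the chosen remedy (flatten each line into a CSV row with a fixed column set). The following is an added illustration, not Reinier's tool or any code from this thread: a small Python parser that reads rsyslog-style kernel log lines, treats each key=value token by name rather than by position, and qualifies the keys that repeat within a line (the second ID= on ICMP lines, the second LEN= on UDP lines) so they land in their own columns. The sample lines are constructed.

```python
import csv
import io
import re

# Constructed sample lines in rsyslog format (not captured from a real host).
SAMPLE_LOG = """\
Jan 21 04:45:01 fw kernel: [IPTABLES DROP] IN=ppp0 OUT= MAC= SRC=172.186.2.157 DST=193.253.186.217 LEN=36 TOS=0x00 PREC=0x00 TTL=115 ID=4775 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3663
Jan 21 04:45:02 fw kernel: [IPTABLES DROP] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 21 04:45:03 fw kernel: [UFW BLOCK] IN=eth0 OUT= MAC= SRC=10.0.0.9 DST=10.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=32
Jan 21 04:45:04 fw sshd[123]: Accepted publickey for admin from 10.0.0.5
"""

# Fixed column set so every CSV row lines up regardless of protocol.
COLUMNS = ["timestamp", "host", "prefix", "IN", "OUT", "MAC", "SRC", "DST",
           "LEN", "TOS", "PREC", "TTL", "ID", "DF", "PROTO", "SPT", "DPT", "WINDOW",
           "RES", "flags", "URGP", "TYPE", "CODE", "ICMP_ID", "SEQ", "UDP_LEN"]

# syslog header, "kernel:", optional "[ 123.456]" uptime stamp, the rule's --log-prefix text, then fields from IN=.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*\d+\.\d+\] )?(?P<prefix>.*?)\s*(?P<fields>IN=.*)$")

def parse_line(line):
    """Return a dict for a netfilter log line, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m.group("ts"), "host": m.group("host"), "prefix": m.group("prefix").strip()}
    flags = []
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            if key in rec:  # ICMP repeats ID=, UDP repeats LEN=: qualify by protocol
                key = f"{rec.get('PROTO', 'X')}_{key}"
            rec[key] = val
        elif tok == "DF":   # bare tokens carry no '='
            rec["DF"] = "1"
        else:               # TCP flag words such as SYN, ACK, RST
            flags.append(tok)
    rec["flags"] = "|".join(flags)
    return rec

def iptables_to_csv(text):
    # Unknown keys are dropped, missing ones left empty, so rows always match COLUMNS.
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=COLUMNS, extrasaction="ignore",
                       restval="", lineterminator="\n")
    w.writeheader()
    for rec in filter(None, map(parse_line, text.splitlines())):
        w.writerow(rec)
    return out.getvalue()
```

Non-firewall lines interleaved in the same file are skipped rather than mis-split, which is the failure mode a positional cut would hit.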

  • Re: Iptables log plugin available?

    Jan 23, 2012 03:25 AM|HCamper|LINK

    Hi,

    Thanks for writing and sharing. Cheers :).

    Martin
  • Re: Iptables log plugin available?

    Jan 23, 2012 08:56 AM|HCamper|LINK

    Hi,

    Just in case, add the license this is under?

    Martin
  • Re: Iptables log plugin available?

    Jan 23, 2012 10:05 AM|Reiniero|LINK

    MIT license (see the readme in the source code and the source code files themselves); I've updated the overall project description at https://bitbucket.org/reiniero/smalltools/overview to make it clearer.

    Thanks,

    Reinier

  • Re: Iptables log plugin available?

    Feb 06, 2012 01:12 AM|Reiniero|LINK

    FYI, I've just compiled a 64 bit Linux version and added it to the download page...

  • Re: Iptables log plugin available?

    Feb 06, 2012 12:12 PM|HCamper|LINK

    Hi Reiniero,

    FYI: "heads-up: Log Parser Forums": you have compiled a "Linux version 64-bit" and added it to the download page....

    Cheers :).

    Martin
  • Re: Iptables log plugin available?

    Mar 11, 2012 04:13 AM|Reiniero|LINK

    Just uploaded a new version that should read Ubuntu ufw logs as well and has some fixes (see readme on site). Also a standalone GUI viewer.
