
Hi there! (My first posting to this group)

I have iptables set up with the "default" logging scheme, /var/log/messages. Here's an "iptables -L" snippet:

LOG        all  --  anywhere             anywhere            LOG level warning prefix `Drop: '
DROP       all  --  anywhere             anywhere

My logfiles look like this:

Drop: IN=eth1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=60.191.1.173 DST=aa.bb.cc.dd ../*edited*/ PROTO=UDP SPT=1087 DPT=1434 ...

Which isn't very "nice", or (imho) not very readable.

I am wondering if someone in here does these loggings in another way, and how they then do it. What ways can I make iptables log its traffic?

If anyone has suggestions, good links, tips or explanatory docs on the following "methods", I would really appreciate it:

- Log to a database (whatever DB)
- Log to a file
- Log to a syslog-server

It would be nice to not receive mails with "rtfm iptables", please.

Best regards
Odd Arne Beck
SuSE 9.2-user

> Which isn't very "nice", or (imho) not very readable.
> I am wondering if someone in here does these loggings in another way, and how they then do it.
Here's what I have done. (NOTE: All this isn't my own creation, but these are the things I have collected over time from various people. Mostly Ray. Thanks Ray!) (At the bottom of this email I have an example firewall log format.)

I add this to my /etc/syslog.conf file:

# Log firewall stuff
kern.warn /fwlog/fwmessages

then via cron I run this perl script every night: (I call it rotate logs)

#!/bin/sh
# This creates a date variable
DATE=`/bin/date -d yesterday +"%a_%b_%d_%Y"`
# This creates a file variable
FILE="/fwlog/fwmessages.$DATE"
# This moves the current file to a file with the date at the end
mv -f /fwlog/fwmessages "$FILE"
# Create a new file
touch /fwlog/fwmessages
# Restart syslog so it reopens the new file
/etc/rc.d/init.d/syslog restart
# This executes my firewallparser script that just emails me a
# cleaned version of the log. It doesn't change the log, but just
# shows it to me in a nice readable format.
perl /etc/fw/firewallparser "$FILE" | mail -s "CoolDaddy Firewall $DATE" email@gmail.com

####################################
Here is the firewallparser perl script:

#!/usr/bin/perl
# (If anyone has any suggestions let me know!)
use strict;
use warnings;
use List::Util qw(max);

my %attackspt = ();   ## Key/Value pairs of source port / count
my %attackdpt = ();   ## Key/Value pairs of destination port / count
my %src = ();         ## Key/Value pairs of SRC address / count
my %dst = ();         ## Key/Value pairs of DST address / count
my @temp = ();        ## Hold the formatted output in array, to be printed after the hashes
my (@sources, @dests, @spt, @dpt);

my $infile = shift @ARGV or die "usage: $0 logfile\n";
open(my $fh, '<', $infile) or die qq($0: cannot open $infile: $!\n);

while (my $txt = <$fh>) {
    # syslog month, day and time, then the SRC, DST, PROTO, SPT and DPT fields of the iptables LOG line
    if ($txt =~ /^(\w+)\s+(\d+) (\d+:\d+:\d+) .*SRC=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*DST=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) .*PROTO=(\w+) .*SPT=(\d+) .*DPT=(\d+)/) {
        $attackspt{$7}++;   # count recurrences of each source port
        $attackdpt{$8}++;   # count recurrences of each destination port
        $src{$4}++;         # count recurrences of SRC
        $dst{$5}++;         # count recurrences of DST
        # formatted line, pushed to the array and printed after the summaries
        push @temp, sprintf("%-3s %2s %2s ___ %-4s SPT=%-5s DPT=%-5s SRC=%-15s\n", $1, $2, $3, $6, $7, $8, $4);
    }
}
close($fh);

print "Packet Types:\n";
for my $attacks (sort { $attackspt{$b} <=> $attackspt{$a} } keys %attackspt) {   ## descending numeric sort by count
    if ($attackspt{$attacks} > 2) {
        push @spt, sprintf("SPT %4s: %5s", $attackspt{$attacks}, $attacks);
    }
}
for my $attackd (sort { $attackdpt{$b} <=> $attackdpt{$a} } keys %attackdpt) {   ## descending numeric sort by count
    push @dpt, sprintf(" DPT %4s: %5s", $attackdpt{$attackd}, $attackd);
}
# print the SPT and DPT columns side by side; a missing entry prints as blank
my $maxs = max(scalar @spt, scalar @dpt);
for my $i (0 .. $maxs - 1) {
    printf "%s %s\n", $spt[$i] // '', $dpt[$i] // '';
}

for my $src1 (sort { $src{$b} <=> $src{$a} } keys %src) {   ## descending numeric sort by src count
    if ($src{$src1} > 1) {
        push @sources, sprintf("SRC %16s: %4s", $src1, $src{$src1});
    }
}
for my $dst1 (sort { $dst{$b} <=> $dst{$a} } keys %dst) {   ## descending numeric sort by dst count
    if ($dst{$dst1} > 10) {
        push @dests, sprintf(" DST %16s: %4s", $dst1, $dst{$dst1});
    }
}
my $maxsize = max(scalar @sources, scalar @dests);
print "Source and Destination IPs and # of Hits:\n";
for my $i (0 .. $maxsize - 1) {
    printf "%s %s\n", $sources[$i] // '', $dests[$i] // '';
}
print "\n";
print @temp;

######################################################
#End perl script

#example firewall log display...

Packet Types:
SPT    3: 12924  DPT    3:  6346
                 DPT    2:   443
Source and Destination IPs and # of Hits:
SRC  203.130.255.177:    3
SRC  209.177.245.171:    2

May  2 00:39:20 ___ TCP  SPT=51125 DPT=443   SRC=209.177.245.171
May  2 00:39:26 ___ TCP  SPT=51125 DPT=443   SRC=209.177.245.171
May  2 09:30:09 ___ TCP  SPT=12924 DPT=6346  SRC=203.130.255.177
May  2 09:30:13 ___ TCP  SPT=12924 DPT=6346  SRC=203.130.255.177
May  2 09:30:17 ___ TCP  SPT=12924 DPT=6346  SRC=203.130.255.177
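An added example, not Brad's script or anything else from the thread: it parses the same syslog/iptables LOG lines into key=value records (handling the empty "OUT=" field, bare flag tokens such as DF and SYN, and non-iptables kernel lines), produces the per-SRC/DST/SPT/DPT hit counts the firewallparser report shows, and loads the records into SQLite for the "log to a database" option asked about. The sample lines, the hostname fw and the table name fwlog are constructed; the SRC/SPT/DPT values are the ones quoted in the thread.

```python
import re
import sqlite3
from collections import Counter

# Constructed sample log (added example, not from the thread): syslog header plus the iptables
# LOG body shown in the thread; SRC/SPT/DPT values are from the thread, the masked DST is TEST-NET-1.
SAMPLE_LOG = """\
May  2 00:39:20 fw kernel: Drop: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=209.177.245.171 DST=192.0.2.10 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=51125 DPT=443 WINDOW=5840 SYN URGP=0
May  2 00:39:26 fw kernel: Drop: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=209.177.245.171 DST=192.0.2.10 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=51125 DPT=443 WINDOW=5840 SYN URGP=0
May  2 09:30:09 fw kernel: Drop: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=60.191.1.173 DST=192.0.2.10 LEN=404 TTL=112 ID=0 PROTO=UDP SPT=1087 DPT=1434 LEN=384
May  2 09:30:13 fw kernel: Drop: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.130.255.177 DST=192.0.2.10 LEN=48 TTL=115 ID=0 DF PROTO=TCP SPT=12924 DPT=6346 WINDOW=65535 SYN URGP=0
May  2 09:30:14 fw kernel: eth1: link is up
"""

# syslog timestamp, host, "kernel:", optional [uptime] stamp, the --log-prefix ("Drop: " here), key=value body
LINE_RE = re.compile(r'^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?:\[ *[\d.]+\] )?(.*?)\s*(IN=.*)$')

def parse_line(line):
    """Return a dict for one iptables LOG line, or None for any other syslog line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {'ts': m.group(1), 'prefix': m.group(2).rstrip(': '), 'flags': []}
    for tok in m.group(3).split():
        key, sep, val = tok.partition('=')
        if sep:
            rec[key] = val            # "OUT=" keeps an empty string; a repeated key (UDP LEN=) keeps the last value
        else:
            rec['flags'].append(tok)  # bare tokens such as DF, SYN, ACK carry no '='
    return rec

def summarize(lines):
    """Hit counts per SRC, DST, SPT and DPT, as in the thread's firewallparser report."""
    counts = {k: Counter() for k in ('SRC', 'DST', 'SPT', 'DPT')}
    for rec in filter(None, map(parse_line, lines)):
        for k in counts:
            if k in rec:
                counts[k][rec[k]] += 1
    return counts

def store(lines, db_path=':memory:'):
    """Load parsed lines into SQLite (the 'log to a database' option asked about); table name is constructed."""
    con = sqlite3.connect(db_path)
    con.execute('CREATE TABLE IF NOT EXISTS fwlog (ts TEXT, prefix TEXT, iface_in TEXT, src TEXT,'
                ' dst TEXT, proto TEXT, spt INTEGER, dpt INTEGER, flags TEXT)')
    rows = [(r['ts'], r['prefix'], r.get('IN'), r.get('SRC'), r.get('DST'), r.get('PROTO'),
             r.get('SPT'), r.get('DPT'), ' '.join(r['flags'])) for r in map(parse_line, lines) if r]
    con.executemany('INSERT INTO fwlog VALUES (?,?,?,?,?,?,?,?,?)', rows)
    con.commit()
    return con
```

Once the rows are in the table, the "Packet Types" and "# of Hits" summaries become plain GROUP BY queries, and the per-line detail can be filtered by prefix, interface or port instead of re-parsed by regex each night.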
participants (2)
- Brad Bendily
- Odd Arne Beck