Susefirewall2 weblogger

I found a weblogger that comes with support for SuSEfirewall but I can't seem to get this right... Can someone help me on this?
Iptables logs can be found at: http://www.gege.org/iptables/
Thanks,
Bruno Cochofel

Bruno Cochofel wrote at Monday, October 03, 2005 11:14 AM
> I found a weblogger that comes with support for SuSEfirewall but I can't seem to get this right...
> Can someone help me on this?
> Iptables logs can be found at: http://www.gege.org/iptables/
I had never heard of this before but immediately tried it out ;-) ... It was a little bit hard to get it running, but now it works, with slightly amended scripts for feeding the log entries into the database. What you need at first is to install session support and DBI for MySQL for Perl.

Furthermore the init script provided with the package does not work; first try to start the script from a console without any options and it will print all entries to the console as well as insert them into the database.

Script "feed_db.pl" has to be changed as follows to get the correct entries into the correct database columns (the lines I changed are marked "# <-- changed"):

############################################################################
################# C O N F I G   S E C T I O N #############
############################################################################
my $dsn          = 'DBI:mysql:iptables:srv-mdh-001.mh-infoman.loc';
my $db_user_name = 'iptables_admin';
my $db_password  = '********';               # <-- changed: your password here
my $log_file     = '/var/log/firewall';      # <-- changed: the SuSEfirewall2 log
my $pid_file     = "/var/run/iptablelog.pid";

[...]

while (<LOG_FILE>) {
    # if (!/$log_tag/) { next; }            # <-- changed: commented out
    my @entry_split = split / +/;
    my %entry;

[...]

    # The comments "[IPTABLES", "DROP]" and ":" name the tokens the original
    # script expected at these positions; SuSEfirewall2 lines carry a single
    # "SFW2-..." tag instead, so two of the shifts and the "]" strip go away.
    # shift(@entry_split);                  # [IPTABLES   <-- changed: commented out
    my $chain_name = shift(@entry_split);   # DROP]
    # $chain_name =~ s/\]//;                # <-- changed: commented out
    # shift(@entry_split);                  # :           <-- changed: commented out
    foreach (@entry_split) {
        if (/(.*)=(.*)/) {
            my ($field, $value) = split /=/, $_, 2;   # limit 2 keeps any "=" inside the value
            $entry{$field} = $value;
        }
    }

[...]

(Only relevant sections shown above, leave anything else unchanged!)

Now the entries should occur in the database. I did not yet amend the init script; try to run it by "startproc -s /usr/local/bin/feed_db.pl &> /dev/null".

HTH, Best regards,
Markus
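The token handling the amended feed_db.pl loop above performs (drop the syslog prefix, take the SuSEfirewall2 tag as the chain name, split everything after it on "="), written out as an added Python example rather than a patch to the Perl script; it is not code from the weblogger package or from either poster. The sample lines are constructed, the "SFW2-..." tag format is assumed from the --log-prefix SuSEfirewall2 uses, and the function names are mine. It goes slightly beyond the Perl loop: it keeps the bare flag tokens (DF, SYN) and the second ID= on ICMP lines, both of which a plain `$entry{$field}=$value` loop drops or overwrites.

```python
"""Parse SuSEfirewall2 lines from /var/log/firewall into field dictionaries.

Added example, not code from the weblogger package or from feed_db.pl.
The sample lines are constructed; the 'SFW2-...' tag format is an
assumption based on the --log-prefix SuSEfirewall2 sets on its LOG rules.
"""
import re

# Constructed sample of what syslog writes to /var/log/firewall for the
# netfilter LOG target, plus one non-firewall line to show it is skipped.
SAMPLE_LOG = """\
Oct  4 20:30:00 fw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4711 DF PROTO=TCP SPT=3341 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Oct  4 20:30:01 fw kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.3 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 20:30:02 fw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=240 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=4
Oct  4 20:30:03 fw sshd[1234]: Accepted publickey for admin from 198.51.100.3 port 51001 ssh2
"""

# Syslog prefix (timestamp, host, "kernel:"), then the SuSEfirewall2 tag that
# feed_db.pl stores as the chain name, then KEY=VALUE pairs and bare flags.
_KERNEL_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) kernel: (SFW2-\S+) (.*)$')


def parse_line(line):
    """Return a dict for one SuSEfirewall2 line, or None for any other line."""
    m = _KERNEL_RE.match(line.rstrip('\n'))
    if not m:
        return None
    stamp, host, chain, rest = m.groups()
    entry = {'timestamp': stamp, 'host': host, 'chain': chain, 'flags': []}
    tokens = rest.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == 'OPT' and i + 1 < len(tokens) and tokens[i + 1].startswith('('):
            # "OPT (...)" is the one field written with a space instead of "=".
            entry['OPT'] = tokens[i + 1].strip('()')
            i += 2
            continue
        if '=' in tok:
            key, value = tok.split('=', 1)      # split once: value may contain "="
            if key == 'ID' and 'ID' in entry:
                key = 'ICMP_ID'                 # ICMP echo lines carry a second ID=
            entry[key] = value                  # OUT= yields '' rather than a missing key
        else:
            entry['flags'].append(tok)          # DF, SYN, ACK, ... have no "=" at all
        i += 1
    return entry


def parse_log(text):
    """Parse every line, skipping those that are not SuSEfirewall2 kernel lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def dropped_by_dport(entries):
    """Count DROP lines per destination port, the kind of query the web front end runs."""
    counts = {}
    for e in entries:
        if '-DROP-' in e['chain'] and 'DPT' in e:
            counts[e['DPT']] = counts.get(e['DPT'], 0) + 1
    return counts


if __name__ == '__main__':
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(e['chain'], e.get('SRC'), '->', e.get('DST'), e.get('PROTO'), e.get('DPT'), e['flags'])
    print(dropped_by_dport(entries))
```

Two things worth checking against your own /var/log/firewall before trusting the database contents: with the `$log_tag` filter commented out, the Perl loop parses every line in the file, so it relies on syslog routing only firewall lines there (the regex above simply returns None for anything else); and since the loop keys the hash on the field name, the second ID= on ICMP lines overwrites the IP header ID unless you rename one of them as done here.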

Thanks for all... Now my problem... I'm not that good with Perl, so how can I install session support and DBI on Perl? I think I've got this right, there's nothing to do with MySQL, right? Only the support for Perl...

Bruno Cochofel wrote at Tuesday, October 04, 2005 12:09 AM
> Thanks for all... Now my problem... I'm not that good with Perl, so how can I install session support and DBI on Perl? I think I've got this right, there's nothing to do with MySQL, right? Only the support for Perl...
IIRC you need the packages "perl-DBI" and "php4-mysql"; the latter obviously has to do with PHP, not Perl ;-) ... Install all packages required by the two packages mentioned. For Apache, you will need "apache(2)-mod_php4", and maybe, but I am really not sure at the moment, "apache(2)-mod_perl". As you can see, I installed php4 since the web log analyzer is rather old (of 2002). Not sure it would work with php5 as well.

Just as a hint: since a MySQL database as well as a webserver should not run on the same machine as the firewall, I installed them on a different machine; just the feeder script is running on the firewall machine. This works fine as well.

HTH
Regards,
Markus

I've made the changes that you explained but nothing happens on the console and there's some activity on the log file... If I don't have the session support or DBI and MySQL in the Perl config will it give me any error? 'Cos the script runs without complaints...

Bruno Cochofel wrote at Tuesday, October 04, 2005 12:38 AM
> I've made the changes that you explained but nothing happens on the console and there's some activity on the log file... If I don't have the session support or DBI and MySQL in the Perl config will it give me any error? 'Cos the script runs without complaints...
Did you do all the preparation work explained on the website of the logger? Did you run the feeder script feed_db.pl without any options in the foreground from the console? First check if the feeder script has been changed correctly according to my explanations and try to manually connect to the database with the db user/pwd you use in the script as well. Are there any records in the iptables database? Did you already install all the modules I explained?
Markus

I think the problem was running the script as root (because of permissions on /var/log/firewall); anyway now I've entries in the DB but nothing appears on the webpage, only the number of entries...

Bruno Cochofel wrote at Tuesday, October 04, 2005 9:39 AM
> I think the problem was running the script as root (because of permissions on /var/log/firewall); anyway now I've entries in the DB but nothing appears on the webpage, only the number of entries...
Better than nothing ... You should now really run the script in the foreground and look at the entries then printed to the console. I think the fields are not yet filled correctly; maybe the amendments in the feeder script are not OK for your version of SuSEfirewall. They work perfectly for SuSEfirewall2 under SL9.3. What do the entries in the database look like? Maybe it would be helpful to view them with phpMyAdmin ...
Markus

Man, you're really helping, thanks for all... OK, I did go to phpMyAdmin and all the entries have 00 in the date field (?) I'm also using SuSE 9.3 and running the script from the console (only using ./feed-db.pl) I get output on the screen...

OK, I seem to have found the problem, I don't know how to solve it... All entries in MySQL have date = 00-00-00 00:00:00; in the output of the script it appears as '2005--4 20:30:00'. I think the problem is with the month; in /var/log/firewall it appears as Oct 4... I'm from Portugal and my locale vars are set to PT so probably my date is different from yours... Does this help? I really don't know how to solve this...

Bruno Cochofel wrote at Tuesday, October 04, 2005 9:12 PM
> OK, I seem to have found the problem, I don't know how to solve it...
> All entries in MySQL have date = 00-00-00 00:00:00; in the output of the script it appears as '2005--4 20:30:00'. I think the problem is with the month; in /var/log/firewall it appears as Oct 4... I'm from Portugal and my locale vars are set to PT so probably my date is different from yours... Does this help? I really don't know how to solve this...
OK, that should definitely be the reason for the invalid date in the database and the weblogger not showing anything. Anyway this is strange, since the entries in my /var/log/firewall look date-wise completely the same, so I think there's something wrong with the amendments you did in the feeder script. I will send you my feeder script via PM, as well as the console output of the scripts and a short part of my /var/log/firewall so that you can cross-check. You can try to use my script with amended database user/pwd; maybe it will work then.

PM will follow in a few minutes.

Finally, two small requests: 1) pls do not CC any message to my personal e-mail, I am reading the list on a highly regular basis. 2) pls read http://www.netmeister.org/news/learn2quote.html carefully, it's hard to follow the message thread because you do not quote correctly.

HTH
Best Regards
Markus

Still no good... Maybe the function to translate month names doesn't work for my locale definitions (!!) I've managed to change the script using localtime to process the month value and now all works, except I don't know what's going to happen when the month changes while the script is running... Sorry for the replies Markus, I only click on reply in Netscape mail but now I've changed the definitions, is this OK? Sorry for the personal mails, I'll be more careful. Thanks for all

Bruno Cochofel wrote at Wednesday, October 05, 2005 2:24 AM
> Still no good... Maybe the function to translate month names doesn't work for my locale definitions (!!) I've managed to change the script using localtime to process the month value and now all works, except I don't know what's going to happen when the month changes while the script is running...
Must have to do with the conversion function for month short names from locale at the beginning of the script; I am not good enough at Perl to be able to change anything there ... I think it will continue working since the function fills an array with all 12 month names. I hope you did not hard-code a month into the script. I think you should look at the entries on Nov 1st and you will know what happens ;-)
> Sorry for the replies Markus, I only click on reply in Netscape mail but now I've changed the definitions, is this OK? Sorry for the personal mails, I'll be more careful.
Quoting is still anything but correct and it is a little bit annoying ... Maybe you find the time to learn how to quote an original message correctly in your replies. Thanks for not sending personal answer mails any longer.
Regards, Markus
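The two date problems discussed in the last few messages (month short names that come out empty under a non-English locale, giving '2005--4 20:30:00', and what happens at the month and year boundary while the feeder keeps running), as an added Python example rather than a change to feed_db.pl; it is not code from the weblogger package or from either poster. It assumes the timestamp is the RFC 3164 syslog form, whose month abbreviation is the English one regardless of LANG, and it takes the "now" reference as a parameter so the boundary cases can be tested; the function names are mine.

```python
"""Turn the year-less syslog timestamp at the start of a /var/log/firewall
line into a MySQL DATETIME string without depending on the process locale.

Added example, not code from feed_db.pl or the weblogger package. The
month table is fixed to the English abbreviations RFC 3164 syslog writes
whatever LANG is set to; `now` is passed in by the caller so the month
and year rollover can be exercised with constructed times.
"""
import re
from datetime import datetime

# A table built from strftime('%b') in the running process gives 'out'
# under pt_PT or 'Okt' under de_DE, so 'Oct' is never found and the month
# comes out empty. Syslog always writes the English form, so fix it here.
_MONTHS = {name: number for number, name in enumerate(
    ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
     'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'], start=1)}

# "Oct  4 20:30:00" (day padded with a space) or "Oct 14 20:30:00".
_STAMP_RE = re.compile(r'^([A-Z][a-z]{2})\s+(\d{1,2}) (\d\d):(\d\d):(\d\d)\b')


def syslog_to_datetime(line, now=None):
    """Return a datetime for the timestamp at the start of `line`.

    `now` is when the feeder reads the line (defaults to the current time).
    Syslog omits the year, so a line whose month lies after now's month must
    belong to the previous year: 'Dec 31 23:59:58' read on Jan 1 gets last
    year, while 'Nov  1 00:00:01' read on Nov 1 keeps the current year, which
    is all that happens when the month changes under a running feeder.
    Raises ValueError for a stamp that cannot be parsed.
    """
    now = now or datetime.now()
    m = _STAMP_RE.match(line)
    if not m:
        raise ValueError('no syslog timestamp at start of line: %r' % line[:40])
    mon_name, day, hh, mm, ss = m.groups()
    if mon_name not in _MONTHS:
        raise ValueError('not an English month abbreviation: %r' % mon_name)
    month = _MONTHS[mon_name]
    year = now.year - 1 if month > now.month else now.year
    return datetime(year, month, int(day), int(hh), int(mm), int(ss))


def mysql_datetime(line, now=None):
    """Format for a MySQL DATETIME column. A malformed string such as
    '2005--4 20:30:00' is what older MySQL in non-strict mode silently
    stores as 0000-00-00 00:00:00."""
    return syslog_to_datetime(line, now).strftime('%Y-%m-%d %H:%M:%S')


if __name__ == '__main__':
    # Constructed sample line; only the leading timestamp matters here.
    sample = 'Oct  4 20:30:00 fw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.7'
    print(mysql_datetime(sample, now=datetime(2005, 10, 4, 21, 0, 0)))
```

Raising on an unknown month name instead of inserting an empty field is deliberate: a feeder that writes 0000-00-00 rows keeps running while the web front end shows nothing, which is exactly the silent failure reported above.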

Bruno Cochofel wrote at Tuesday, October 04, 2005 12:38 AM
> I've made the changes that you explained but nothing happens on the console and there's some activity on the log file... If I don't have the session support or DBI and MySQL in the Perl config will it give me any error? 'Cos the script runs without complaints...
You will need DBI support anyway.
Markus
participants (2)
- Bruno Cochofel
- Markus Heidinger