Iptables Log parser

Features

Parse IPtables

...

Plot

Plotly ( HTML return )
Plotly Dash ( Interactive )

How To

Setup

Enable the custom logging template on /etc/rsyslog.conf as follows.

template(name="MyIptablesTimestampFormat" type="string" string="tstamp=%timegenerated:::date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n")
if $msg startswith 'iptables:' then {
    action(type="omfile" file="/var/log/iptables.log" template="MyIptablesTimestampFormat")
    stop
}

Make sure your iptables rules are inline with the condition you use on rsyslog.conf. As example my iptables log file starts with iptables: string so my rsyslog.conf condition is ...startswith 'iptables:'....

iptables -A FORWARD -s 10.30.1.94/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: Vsphere "
iptables -A FORWARD -s 10.30.1.70/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: RHEL "
iptables -A FORWARD -s 10.30.1.52/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: Odoo "
iptables -A FORWARD -s 10.30.1.105/32 -d 192.168.0.0/16 -m limit --limit 1/min -j LOG --log-prefix "iptables: OPNsense "

Build

mkdir lib
#Compile the library
make parse_lib.so

Execute

 ./wrapper.py

Structure

wrapper.py

Reads, iptables.log and calls the lib/parser_lib.so. Feed the parser library with lines from iptables log.

lib/parser_lib.so

Process the sed like operation on the line by line feeded by wrapper.py.

Current parsed values are :

TimeStamp
Source IP
Destination IP
Packet Length
Interface IN
Interface OUT
Protocol

1.7 KiB Raw Permalink Blame History